iptables not allowing HTTP traffic
I have some issues that I am trying to troubleshoot with some iptables rules.
When I run the below and try to test out connecting to Git via curl or the Git CLI, the connection hangs. The problem seems to be limited to HTTPS, as when I allow HTTPS via ufw the connection goes through with no problem.
From what I understand, the below rules should allow HTTPS out on 443 and allow port 9418, which Git requires.
I have only allowed outbound connections with a default DROP policy, with inbound connections being allowed by the following:
```shell
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
```
What is missing from the below to make HTTPS work properly?
```shell
# Flush tables
iptables -F
ip6tables -F
# Whitelist my address
iptables -I INPUT -p tcp --dport 22 -s $whitelisted -j ACCEPT
# Set a default policy of DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Accept any related or established connections
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow all traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow outbound DHCP request
iptables -A OUTPUT -o eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Allow inbound SSH
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow inbound HTTPS
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
# Allow GIT
iptables -A OUTPUT -o eth0 -p tcp --dport 9418 -m state --state NEW -j ACCEPT
# Allow inbound HTTP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
# Outbound DNS lookups
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
# Outbound PING requests
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
# Outbound Network Time Protocol (NTP) requests
iptables -A OUTPUT -o eth0 -p udp --dport 123 --sport 123 -j ACCEPT
#### IPv6 Rules
# Drop all IPv6
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
# Must allow loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
# Reject connection attempts not initiated from the host
ip6tables -A INPUT -p tcp --syn -j DROP
# Allow return connections initiated from the host
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```
My server is running Ubuntu 20.04.
There is no rule allowing outgoing HTTPS traffic:
```shell
# Allow HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
```
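A quick way to audit a ruleset for exactly this gap, as an added example that is not part of the question or the answer: the script parses an `iptables-save`-style dump (here a constructed copy of the question's OUTPUT rules, not a live host) and reports whether a NEW outbound TCP connection to a given port would be accepted under the default DROP policy, then applies the answer's rule and re-checks. The `RULES` dump and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the question or the answer: audit an iptables-save
# dump for which outbound TCP ports a NEW connection may use when the OUTPUT
# policy is DROP. RULES is a constructed dump mirroring the question's
# OUTPUT rules; on a live host feed it `iptables-save -t filter` instead.
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 9418 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# output_policy DUMP -> prints the OUTPUT chain's default policy (ACCEPT/DROP)
output_policy() {
    printf '%s\n' "$1" | awk '$1 == ":OUTPUT" { print $2 }'
}

# tcp_out_allowed DUMP PORT -> exit 0 when a NEW outbound TCP connection to
# PORT is accepted: the policy is ACCEPT, or an OUTPUT rule matching "-p tcp"
# with a --dport (single port or lo:hi range) covering PORT jumps to ACCEPT.
# The RELATED,ESTABLISHED rule is skipped: it never matches the first SYN.
tcp_out_allowed() {
    [ "$(output_policy "$1")" = "ACCEPT" ] && return 0
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-A" && $2 == "OUTPUT" && / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                hi = (n == 2) ? r[2] : r[1]
                if (port + 0 >= r[1] + 0 && port + 0 <= hi + 0) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }'
}

# add_rule DUMP RULE -> DUMP with RULE appended to the filter table before COMMIT
add_rule() {
    printf '%s\n' "$1" | awk -v rule="$2" '$1 == "COMMIT" { print rule } { print }'
}

# The answer's missing rule, applied to the constructed dump.
FIXED=$(add_rule "$RULES" '-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT')

for p in 443 9418; do
    if tcp_out_allowed "$RULES" "$p"; then echo "tcp/$p out: allowed"; else echo "tcp/$p out: blocked"; fi
done
tcp_out_allowed "$FIXED" 443 && echo "with the answer's rule, tcp/443 out: allowed"
```

On the question's ruleset this reports tcp/9418 allowed and tcp/443 blocked, which is why the Git clone over HTTPS hangs while the git:// port works.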