UFW/IPTables: how to securely allow authenticated git access with github

This is how I set up my iptables with UFW:

  1. sudo ufw default deny incoming (deny all incoming)
  2. sudo ufw default deny outgoing (deny all outgoing)
  3. sudo ufw allow out 53 (accept outgoing DNS traffic, both tcp and udp)
  4. sudo ufw allow in 80/tcp (accept all incoming tcp from port 80)
  5. sudo ufw allow out 80/tcp (accept all outgoing tcp to port 80)
  6. sudo ufw allow proto tcp from <admin_ip_addr> to <server_ip_addr> port 22 (accept incoming tcp port 22 from administrator's office IP for ssh)
  7. sudo ufw allow out 9418/tcp (accept outgoing git connections)
  8. sudo ufw allow proto tcp from <server_ip_addr> to any port 22 (accept outgoing ssh connections to connect with GitHub)

In English: block all, except for HTTP, DNS, incoming SSH from admin IPs, outgoing Git and outgoing SSH.

Unfortunately, when I then do git clone git@github.com:username/project.git it gets stuck at Initialized empty Git repository in /home/adminuser/exper/project/.git/

When I then enable all outgoing traffic with sudo ufw default allow outgoing, and repeat the git clone command, it does work.

So, apparently there is something outgoing that is still being blocked.

Can anyone tell me what this may be, and what rule I should add to allow it?

I have also tried the following rules, without success:

  1. sudo ufw allow out 1024:65535/udp

Solution 1:

You're trying to connect with SSH, and that (appears to be) allowed, so it's time to diagnose the problem. I like to add a LOG rule just before I drop any packets, so I know exactly what's being dropped. Otherwise, a bit of tcpdump action should identify the traffic that's not going anywhere. Once you know what's being dropped, it's a trivial matter to add the necessary rules to allow it.
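
An added example of the diagnosis the answer above recommends (this is not code from the original answer). Once logging is on (sudo ufw logging on), UFW writes "[UFW BLOCK]" lines to /var/log/ufw.log or the kernel log; an outbound drop has an empty IN= and a populated OUT=<iface>, an inbound drop the other way round. The functions below read such lines from stdin, keep only the blocked outbound flows, and print the "ufw allow out" rule that would permit each one, for review rather than blind application. The log lines embedded at the bottom are constructed in UFW's format, not a real capture; the interface name eth0 and the addresses in them are assumptions. One caveat worth knowing before reading the log: a ufw rule written without the out keyword (such as "ufw allow proto tcp from A to any port 22") is an inbound rule, so the log is the quickest way to confirm which direction is really being dropped.

```shell
#!/bin/sh
# Added example, not from the original answer: list what UFW is dropping
# in the outbound direction and suggest the matching "ufw allow out" rule.

# Read UFW log lines on stdin, keep blocked *outbound* entries (empty IN=),
# and print one "PROTO DST DPT" line per distinct flow, sorted.
# DPT is "-" for protocols that carry no port field.
ufw_blocked_outbound() {
    grep '\[UFW BLOCK\] IN= ' \
    | awk '{
        proto = ""; dst = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DST") dst = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        if (dpt == "") dpt = "-";
        if (proto != "" && dst != "") print proto, dst, dpt;
    }' \
    | sort -u
}

# Turn each blocked TCP/UDP flow into the rule that would allow it.
# Only printed: review it (and narrow it, e.g. to a known subnet) before
# running anything with sudo. Flows without a port are skipped, since
# they cannot be expressed as a simple port-based rule.
ufw_suggest_rules() {
    ufw_blocked_outbound | awk '{
        if ($3 == "-") next;
        proto = tolower($1);
        printf "sudo ufw allow out proto %s to %s port %s\n", proto, $2, $3;
    }'
}

# Constructed sample in UFW's log format (not a real capture): two SSH
# attempts to a GitHub-range address, one inbound probe to port 23 (an
# inbound drop, so it is ignored here) and one outbound NTP packet.
# Interface name and addresses are assumptions for the example.
SAMPLE_UFW_LOG='Jan 10 09:15:01 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=192.30.252.130 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 09:15:02 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=192.30.252.130 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 09:15:05 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44455 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 09:15:07 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.53 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=UDP SPT=40001 DPT=123 LEN=44'

# Stand-alone run against the sample; on a real host replace the sample with
#   sudo tail -n 200 /var/log/ufw.log | ufw_suggest_rules
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_suggest_rules
```

On the sample this prints one rule for TCP 22 to the GitHub-range address and one for UDP 123 to the internal NTP server; the duplicate SSH retries collapse into a single line because the flows are de-duplicated before rules are generated.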

Solution 2:

After a lot of banging my head and locking myself out of 2 servers, the below firewall rules worked for me to do a 'git clone'. Hope that it helps you all as well.

FYI: I am running the below commands on 'eth0', which is the private interface for my server. I got the GitHub subnet IP from here: https://help.github.com/articles/github-s-ip-addresses/

sudo ufw reset
sudo ufw status verbose
sudo ufw default deny incoming
sudo ufw default deny outgoing
# For resolving DNS problem
sudo ufw allow out on eth0 to any port 53
# For allowing access to github.com
sudo ufw allow out on eth0 to 192.30.252.0/22 port 22
sudo ufw --force enable
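
An added example that builds on the answer above (it is not code from the original answer). The 192.30.252.0/22 range is one entry in the list GitHub publishes; the current set is the "git" key of the JSON document at https://api.github.com/meta, and it changes over time, so hard-coding a single /22 is the kind of rule that quietly breaks later. The functions below extract the IPv4 CIDRs under "git" from such a document and print one outbound port 22 rule per range, in the same "allow out on <iface>" form the answer uses. The JSON embedded in the block is a constructed excerpt in that format, not a live download, and the interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original answer: derive the outbound GitHub
# SSH allow-list from GitHub's published ranges instead of one fixed /22.

# Extract the IPv4 CIDRs listed under the "git" key of a GitHub /meta
# document read from stdin. The input is flattened first so pretty-printed
# and single-line JSON both work; jq would be more robust, this keeps the
# example dependency-free. IPv6 ranges are dropped because ufw refuses
# IPv6 rules unless IPV6=yes is set in /etc/default/ufw.
github_git_cidrs() {
    tr -d ' \n\r\t' \
    | sed -n 's/.*"git":\[\([^]]*\)\].*/\1/p' \
    | tr ',' '\n' \
    | tr -d '"' \
    | grep -E '^[0-9]+(\.[0-9]+){3}/[0-9]+$'
}

# Print (never run) the ufw command for each CIDR on stdin, for interface $1.
# Review the output, then pipe it to "sudo sh" only once you are happy with it.
ufw_github_ssh_rules() {
    iface="$1"
    while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        printf 'ufw allow out on %s proto tcp to %s port 22 comment github-ssh\n' \
            "$iface" "$cidr"
    done
}

# Constructed excerpt in the shape of https://api.github.com/meta (assumed
# sample values, not a live download). Other keys are present to show that
# only the "git" array is picked up.
SAMPLE_META='{
  "verifiable_password_authentication": false,
  "hooks": ["192.30.252.0/22"],
  "git": [
    "192.30.252.0/22",
    "185.199.108.0/22",
    "140.82.112.0/20",
    "2a0a:a440::/29"
  ],
  "api": ["192.30.252.0/22"]
}'

# Stand-alone run against the sample. Live use would be:
#   curl -s https://api.github.com/meta | github_git_cidrs | ufw_github_ssh_rules eth0
printf '%s\n' "$SAMPLE_META" | github_git_cidrs | ufw_github_ssh_rules eth0
```

Because the command list is printed rather than executed, you can diff it against "ufw status numbered" before applying it, and re-run it on a schedule to catch new ranges; the DNS rule and the default-deny policies from the answer still need to be in place alongside these lines.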