What is the right iptables rule to allow apt-get to download programs?

When I type something like sudo apt-get install firefox, everything works until it asks me:

After this operation, 77 MB of additional disk space will be used.
Do you want to continue [Y/n]? Y

Then error messages are displayed: Failed to fetch: <URL>

My iptables rules are as follows:

-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

What should I add to allow apt-get to download updates? Thanks


apt-get almost always downloads over HTTP but may also use FTP, so the short answer is probably to allow outbound HTTP connections... and also DNS, of course.

The configuration you have now disallows all outgoing network traffic (the ESTABLISHED rule you have on the OUTPUT chain isn't effective since no sessions will ever get established). Do you need to allow ONLY apt-get updates while still disallowing everything else? iptables is probably the wrong tool for that job as it isn't really going to interpret URLs and allow HTTP transfers selectively. You'd want to use an HTTP proxy server for this job.

You can use a simpler setup that will permit apt-get downloads, but be aware that this also permits all other outgoing DNS and HTTP connections, which may not be what you want.

iptables -F OUTPUT  # remove your existing OUTPUT rule which becomes redundant
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

If your APT sources include HTTPS or FTP sources or HTTP sources on ports other than 80, you'll have to add those ports too.

Next, you will have to permit the return traffic. You can do that with this single rule that permits any established connection:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

(It is safe to allow all inbound established connections when using connection tracking, because only connections that you have otherwise allowed will get to the ESTABLISHED state.)
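The complete default-deny ruleset the answer describes, written out as an added example (this is not code from the question or the answer). It goes a little beyond the answer: it also opens TCP 443 for HTTPS mirrors, makes FTP (TCP 21) an opt-in switch, and finishes the OUTPUT chain with a rate-limited LOG rule so that any apt source still being dropped shows up in the kernel log instead of failing silently. The variables IPTABLES, DRY_RUN, APT_HTTPS and APT_FTP are this example's own assumptions; with the default DRY_RUN=1 the script only prints the iptables commands it would run, so it can be reviewed before being applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Builds a default-deny iptables ruleset that still lets apt-get reach
# its mirrors: outbound DNS, HTTP, HTTPS (optional FTP), plus the
# conntrack rules that let replies back in.
#
# Assumed (hypothetical) knobs:
#   IPTABLES   path to the iptables binary        (default: iptables)
#   DRY_RUN    1 = print commands only, 0 = apply  (default: 1)
#   APT_HTTPS  1 = allow TCP 443 for https:// sources (default: 1)
#   APT_FTP    1 = allow TCP 21 for ftp:// sources    (default: 0)

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"
APT_HTTPS="${APT_HTTPS:-1}"
APT_FTP="${APT_FTP:-0}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s' "$IPTABLES"
        printf ' %s' "$@"
        printf '\n'
    else
        "$IPTABLES" "$@"
    fi
}

apt_egress_rules() {
    # Start from empty INPUT/OUTPUT chains so stale rules (such as the
    # ineffective "--sport 80 ESTABLISHED" OUTPUT rule) do not linger.
    run -F INPUT
    run -F OUTPUT

    # Default deny in every direction.
    run -P INPUT DROP
    run -P OUTPUT DROP
    run -P FORWARD DROP

    # Loopback is needed by local resolvers, apt's own helpers, etc.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Connection tracking: replies to connections we initiated are allowed
    # in, and packets of already-accepted connections are allowed out.
    run -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # DNS: apt must resolve mirror hostnames before it can fetch anything.
    run -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    run -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # HTTP, the transport most APT sources use.
    run -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    if [ "$APT_HTTPS" = "1" ]; then
        run -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    fi

    if [ "$APT_FTP" = "1" ]; then
        # Control channel only; FTP data connections are classified RELATED
        # and need the nf_conntrack_ftp helper loaded to be accepted.
        run -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    fi

    # Log (rate-limited) whatever is still dropped, so a source on an
    # unusual port is visible in the kernel log rather than failing silently.
    run -A OUTPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "OUTPUT-DROP: "
}

# Stand-alone use: prints the ruleset (DRY_RUN=1) or applies it (DRY_RUN=0).
apt_egress_rules
```

Run it once with the defaults to read the generated commands, then `DRY_RUN=0 sh apt-egress.sh` as root to apply them. Remember that, as the answer says, this permits every outbound DNS/HTTP/HTTPS connection, not just apt; restricting to apt's mirrors specifically still needs a proxy rather than iptables.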