UFW/IPTables: how to securely allow authenticated git access with github
Solution 1
You're trying to connect with SSH, and that (appears to be) allowed, so it's time to diagnose the problem. I like to add a LOG rule just before I drop any packets, so I know exactly what's being dropped. Otherwise, a bit of tcpdump action should identify the traffic that's not going anywhere. Once you know what's being dropped, it's a trivial matter to add the necessary rules to allow it.
Solution 2
After a lot of banging my head and locking myself out of 2 servers, the below firewall rules worked for me to do a 'git clone'. Hope that it helps you all as well.
FYI: I am running the below commands on 'eth0', which is the private interface for my server. I got the GitHub subnet IP from here: https://help.github.com/articles/github-s-ip-addresses/
sudo ufw reset
sudo ufw status verbose
sudo ufw default deny incoming
sudo ufw default deny outgoing
# For resolving DNS problem
sudo ufw allow out on eth0 to any port 53
# For allowing access to github.com
sudo ufw allow out on eth0 to 192.30.252.0/22 port 22
sudo ufw --force enable
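Both answers come down to the same procedure: log what the default-deny policy drops, read the dropped packet's direction, destination and port off the log line, and add exactly that rule. The script below is an added example (not code from either answer) that automates the reading step: it parses the KEY=VALUE fields of the `[UFW BLOCK]` kernel log lines that ufw writes (rate-limited) once logging is enabled with `sudo ufw logging on`, and prints the ufw command that would have matched each distinct dropped packet. The sample log, the host `web1`, the interface `eth0`, the 10.0.0.0/24 and 203.0.113.0/24 addresses and the GitHub address 192.30.255.113 (inside the 192.30.252.0/22 range the second answer uses) are all constructed for this example. Run against the setup in the question it prints an `allow out ... port 22 proto tcp` line: the rule `ufw allow proto tcp from <server_ip_addr> to any port 22` has no `out`, so ufw installs it as an inbound rule, and outgoing SSH to GitHub still hits the default deny. Treat the output as suggestions to review, not commands to pipe into sh: an inbound `[UFW BLOCK]` line is as likely to be a scanner you want dropped as a service you forgot to open. Note also that GitHub's address ranges change over time, so a hard-coded subnet has to be refreshed from GitHub's published list.

```shell
#!/bin/sh
# Added example, not part of the original thread. Turns "[UFW BLOCK]" log
# lines into the ufw rule that would have let each packet through. Typical
# use after `sudo ufw logging on` and reproducing the hang:
#   grep 'UFW BLOCK' /var/log/ufw.log | sh ufw_suggest.sh
# Interface names, hosts and addresses below are constructed for the example.

# Read netfilter LOG lines on stdin, keep the ufw-blocked ones, and print one
# ufw command per distinct (direction, interface, peer, port, proto) tuple.
# Egress packets (OUT= set) need an "allow out" rule, ingress packets an
# "allow in" rule; only tcp/udp can be expressed as a simple ufw rule.
suggest_rules() {
    awk '
    /\[UFW BLOCK\]/ {
        split("", kv)                       # reset the KEY=VALUE map per line
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        proto = tolower(kv["PROTO"])
        if (proto == "tcp" || proto == "udp") {
            if (kv["OUT"] != "")
                rule = "ufw allow out on " kv["OUT"] " to " kv["DST"] " port " kv["DPT"] " proto " proto
            else
                rule = "ufw allow in on " kv["IN"] " from " kv["SRC"] " to any port " kv["DPT"] " proto " proto
        } else {
            rule = "# " kv["PROTO"] " to " kv["DST"] ": no simple ufw rule; see /etc/ufw/before.rules"
        }
        if (!seen[rule]++) print rule       # retransmits produce one suggestion, not many
    }'
}

# Convenience wrapper for a single log line.
suggest_rule() {
    printf '%s\n' "$1" | suggest_rules
}

# Constructed sample: what /var/log/ufw.log looks like while the git clone in
# the question hangs behind "default deny outgoing". Line 2 is a retransmit of
# line 1, line 4 is an ICMP echo, line 5 is an inbound probe, line 6 is not a
# block at all.
SAMPLE_LOG=$(cat <<'EOF'
Sep 18 10:01:02 web1 kernel: [ 1234.567890] [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=192.30.255.113 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=52314 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 18 10:01:03 web1 kernel: [ 1235.567890] [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=192.30.255.113 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=52314 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 18 10:01:03 web1 kernel: [ 1235.600000] [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.2 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41022 DPT=53 LEN=48
Sep 18 10:01:04 web1 kernel: [ 1236.000000] [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=192.30.255.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Sep 18 10:01:05 web1 kernel: [ 1237.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=999 DF PROTO=TCP SPT=55555 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 18 10:01:06 web1 kernel: [ 1238.000000] [UFW ALLOW] IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.2 PROTO=UDP SPT=41023 DPT=53 LEN=48
EOF
)

# Stand-alone run: print the suggestions for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

The first suggested line is, up to the interface and the /22, the rule the second answer arrived at. A clone that hangs with no error, as in the question, is what a silently dropped SYN looks like; if you would rather see an immediate failure while diagnosing, `ufw default reject outgoing` answers the packet instead of dropping it, and you can switch back to deny once the rules are right.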
Tom
Updated on September 18, 2022

Comments
Tom, over 1 year ago:
This is how I set up my iptables with UFW:

sudo ufw default deny incoming
(deny all incoming)
sudo ufw default deny outgoing
(deny all outgoing)
sudo ufw allow out 53
(accept outgoing DNS traffic, both tcp and udp)
sudo ufw allow in 80/tcp
(accept all incoming tcp from port 80)
sudo ufw allow out 80/tcp
(accept all outgoing tcp to port 80)
sudo ufw allow proto tcp from <admin_ip_addr> to <server_ip_addr> port 22
(accept incoming tcp port 22 from administrator's office IP for ssh)
sudo ufw allow out 9418/tcp
(accept outgoing git connections)
sudo ufw allow proto tcp from <server_ip_addr> to any port 22
(accept outgoing ssh connections to connect with GitHub)

In English: block all, except for HTTP, DNS, incoming SSH from admin IPs, outgoing GIT and outgoing SSH.

Unfortunately, when I then do

git clone git@github.com:username/project.git

it gets stuck at

Initialized empty Git repository in /home/adminuser/exper/project/.git/

When I then enable all outgoing traffic with

sudo ufw default allow outgoing

and repeat the git clone command, it does work. So, apparently there is something outgoing that is still being blocked.

Can anyone tell me what this may be, and what rule I should add to allow it?

I have also tried the following rules, without success:

sudo ufw allow out 1024:65535/udp
womble, about 12 years ago: Then you make a LOG rule the last in the chain.

amrezzd, over 4 years ago: This is not even an answer, but a comment! How can it be an accepted answer?

womble, over 4 years ago: Because the person who asked the question selected it as such.