Introduction
Sometimes you’ll need to fetch GPG keys from a remote keyserver (say, MIT’s) in order to verify signatures.
“Sometimes”?
Yeah, I meant “often”, right?
GPG uses a rather unusual port (11371/tcp) for its keyserver connections.
With a typical firewall configuration (a DROP policy on every chain, right?), that port is blocked by default.
You’ll have to authorize it manually.
The procedure…
… when it’s for the machine you are on
# Something like this would be required; adapt it to your own firewall configuration.
iptables -A INPUT -i "INPUT INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
# ...
iptables -A OUTPUT -o "OUTPUT INTERFACE" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
… when your machine is acting as a router / firewall
# Something like this would be required; adapt it to your own firewall configuration.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# ...
iptables -A FORWARD -i "INPUT INTERFACE" -o "OUTPUT INTERFACE" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
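Here is a small POSIX shell script that wraps both variants above into reusable functions. It is an added example, not the author's own script: it takes the interface names as parameters (the "INPUT INTERFACE" / "OUTPUT INTERFACE" placeholders above; on a single-homed host both are usually the same interface, e.g. eth0), and it checks with `iptables -C` before appending so that running it twice does not duplicate rules. The IPTABLES variable can be pointed at a stub (e.g. `IPTABLES=echo`) to dry-run the commands before touching the live ruleset.

```shell
#!/bin/sh
# Authorize outbound HKP keyserver traffic (11371/tcp) through iptables,
# either for this host (INPUT/OUTPUT) or for forwarded traffic (FORWARD).
# Added example, not the original post's commands: interface names are
# parameters, and IPTABLES may be overridden with a stub for a dry run.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN RULE... : append RULE to CHAIN only if it is not
# already present, so the script is safe to re-run.
ensure_rule() {
    chain="$1"; shift
    if $IPTABLES -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    $IPTABLES -A "$chain" "$@"
}

# allow_hkp_local IN_IF OUT_IF : rules for the machine you are on.
# IN_IF receives the keyserver's replies, OUT_IF carries the new connection.
allow_hkp_local() {
    ensure_rule INPUT -i "$1" -m conntrack --ctstate ESTABLISHED -j ACCEPT
    ensure_rule OUTPUT -o "$2" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
}

# allow_hkp_forward IN_IF OUT_IF : rules for a router/firewall.
# IN_IF faces the LAN clients, OUT_IF faces the upstream/Internet side.
allow_hkp_forward() {
    ensure_rule FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
    ensure_rule FORWARD -i "$1" -o "$2" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: ./hkp-rules.sh local eth0 eth0
#        ./hkp-rules.sh forward eth1 eth0
if [ "$#" -gt 0 ]; then
    mode="$1"; shift
    case "$mode" in
        local)   allow_hkp_local "$@" ;;
        forward) allow_hkp_forward "$@" ;;
        *) echo "usage: $0 local|forward IN_IF OUT_IF" >&2; exit 2 ;;
    esac
fi
```

The ESTABLISHED rules only let reply packets of connections that conntrack already knows about back in; the NEW rule is the only place where the port is opened, and it is outbound only, so nothing listens on 11371 on your side. Rules added this way live in the running ruleset only; persist them with whatever your distribution uses (iptables-save, or your firewall's config file) if they should survive a reboot.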
Conclusion
No conclusion, ‘hope it helped.