You are not logged in.

#1 2019-09-11 19:02:02

vlmrgn
Member
Registered: 2019-09-11
Posts: 3

Iptables configuration and pgp keyservers

Hi,

I can easily refresh my pgp keys without firewall, but I can't refresh it when iptables is activated.

I am dropping all outgoing connections from my arch linux server by using iptables. I also don't want to use any dns, I manually add all the outgoing connections to /etc/hosts

My "iptables -S" command has following output:

-P OUTPUT DROP
-A OUTPUT -d someip/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
...

My /etc/hosts has following content:

someip someurl someurl

I've been using this for a while and I was quite happy with it until I had to verify pgp keys for a 3rd party application.

My "pacman-key --refresh-keys" command gives following output:

gpg: refreshing 113 keys from hkp://pool.sks-keyservers.net
gpg: keyserver refresh failed: Operation not permitted
==> ERROR: A specified local key could not be updated from a keyserver.

So I decided to ping pool.sks-keyservers.net, get the ip and update my /etc/hosts then add another exception for my iptables. But each time I got another ip from my ping. Although this is really uncomfortable for me, I enable all outgoing 11371 ports:
-A OUTPUT -p tcp -m tcp --dport 11371 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 11371 -j ACCEPT

But still error is same. How can I verify pgp keys behind firewall? And if possible can I achieve it by allowing only one key server? (Although I am not sure if it is safe to use only one key server)

Offline

#2 2019-09-11 19:47:24

Swiggles
Member
Registered: 2014-08-02
Posts: 259

Re: Iptables configuration and pgp keyservers

Isn't it actually quite unsafe to do it this way? I mean due to DNSSEC this sounds like bad practice.
Anyway to explain the changing IP address you should use proper tools to extract the record:

dig pool.sks-keyservers.net
dig pool.sks-keyservers.net ANY

When you carefully examine the output you will see why your approach doesn't work here.

I suspect once you add all A records it might already work. If not start by debugging your rules:
https://wiki.archlinux.org/index.php/iptables#Logging

Last edited by Swiggles (2019-09-11 19:51:11)

Offline

#3 2019-09-11 21:05:39

vlmrgn
Member
Registered: 2019-09-11
Posts: 3

Re: Iptables configuration and pgp keyservers

Thanks for quick reply Swiggles, can you explain which part is unsafe? Managing /etc/hosts manually? I thought even if I enable dns and configure iptables on a domain like this:
iptables -A OUTPUT -p tcp -d domain --dport 443 -j ACCEPT
it would still get ip address of domain in the time that I run the command. Am I wrong on this one?

For test purposes I enabled dns btw, and now my keyserver works fine. But I'd still love to enable just couple of domains manually if it is not a security issue.
And I'd love to learn if there is anything I need to do to improve my security & way of work.

Last edited by vlmrgn (2019-09-11 21:11:17)

Offline

#4 2019-09-11 21:47:52

Swiggles
Member
Registered: 2014-08-02
Posts: 259

Re: Iptables configuration and pgp keyservers

Disclaimer: This includes a big IMO!

The problem with managing IPs manually in your hosts file for zones you do not control (i.e. the whole internet) is that it relies on some partially wrong assumptions:

  1. A name (including fqdn) always maps to a single IP -> A record can and does have multiple valid addresses

  2. An IP never changes -> I would assume it is the exception, although in practice business addresses are mostly static

  3. An IP is always trustworthy once verified -> Another service not related to the original target could take hold of the address, required updates are not received

  4. Proxies, load balancers, forwarders etc do not exist -> They do :-)

  5. An application might request additional resources from another endpoint -> This is what you might actually want to prevent

DNS solves most of these issues already and when you add DNSSEC on top you can be sure that the address belongs to whoever says it does, because only the domain/zone owner can produce a valid signature.

Without definitive analysis of the logs I would assume your original issue is a combination of points 1 and 4.
I assume 5 is your desired behavior, but it requires knowledge about the application and target service, otherwise it will just break.

So my advice for a machine with WAN access is to whitelist domains (filter) and use the facilities of DNS. Use stateful iptables for inbound connections and only add your desired services besides that. I think it is overall easier to manage and in some circumstances even more secure with one caveat: It allows any direct IP connection from inside unless you always perform a reverse lookup first.

Offline

Board footer

Powered by FluxBB