GitLab: pushing via HTTPS doesn't succeed because of iptables
I installed the gitlab-omnibus bundle and opened iptables ports 80, 443, 9418 and, temporarily, 22. Why doesn't pushing via HTTPS work? When I put iptables into its default open state, it works. Here are the rules for 80, 443, 22, 9418:
```sh
# 1. allow incoming http
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
# 2. allow outgoing http
$iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -p tcp --sport 80 -j ACCEPT
# allow incoming https
$iptables -A INPUT -p tcp --dport 443 -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
# 10. allow outgoing https
$iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
$iptables -A INPUT -p tcp --sport 443 -j ACCEPT
# allow git
$iptables -A OUTPUT -p tcp --dport 9418 -j ACCEPT
$iptables -A INPUT -p tcp --sport 9418 -j ACCEPT
# ssh: client --> server
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
```
The result is:

```
Pushing to https://tld/user/repo.git
POST git-receive-pack (448 bytes)
```

and then it freezes. Do I need to open anything else?
I tried logging dropped packets, but there is nothing in the log. Any tip?
I hope someone can help me..
OK, here are the rules for logging:
```sh
# logging
$iptables -N LOGGING
$iptables -A INPUT -j LOGGING
$iptables -A OUTPUT -j LOGGING
$iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: " --log-level 4
$iptables -A LOGGING -j DROP
```
And here is the output of iptables-save:
```
# Generated by iptables-save v1.4.21 on Thu Nov 13 18:43:13 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 37655 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 9418 -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 10.20.0.0/16 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 37655 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: "
-A LOGGING -j DROP
COMMIT
```
And the firewall script:

```sh
#!/bin/sh
# devices
dev0=eth0
# internal network
int_net=xxx.xxx.0.0/16
int_net_secure=xxx.xxx.xxx.0/24
# external network
ext_net=xxx.xxx.xxx.0/24
# path to iptables
iptables=/sbin/iptables
# path to modprobe
modprobe=/sbin/modprobe

case $1 in
start)
    $0 stop
    echo "start ip-package-filter"
    # iptables module
    $modprobe ip_tables
    # connection-tracking modules
    $modprobe ip_conntrack
    $modprobe ip_conntrack_ftp
    $modprobe ip_nat_ftp
    $modprobe iptable_nat
    # default policy: deny everything except what we explicitly want
    $iptables -P INPUT DROP
    $iptables -P OUTPUT DROP
    $iptables -P FORWARD DROP
    # rate-limit icmp packets
    echo "5" > /proc/sys/net/ipv4/icmp_ratelimit
    # drop packets with the source route option
    echo "0" > /proc/sys/net/ipv4/conf/$dev0/accept_source_route
    # ignore icmp redirects
    echo "0" > /proc/sys/net/ipv4/conf/$dev0/accept_redirects
    # drop spoofed packets (reverse path filter)
    echo "1" > /proc/sys/net/ipv4/conf/$dev0/rp_filter
    # drop packets from 0.x.x.x (bootp relay)
    echo "0" > /proc/sys/net/ipv4/conf/eth0/bootp_relay
    # tcp fin timeout (dos attack)
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    # tcp syn: max 3 retries
    echo 3 > /proc/sys/net/ipv4/tcp_retries1
    # tcp packets: max 15 retransmissions
    echo 15 > /proc/sys/net/ipv4/tcp_retries2
    # loopback communication
    $iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    $iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    # icmp: client <--> server
    $iptables -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    $iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    # dns: server --> dns-server
    $iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    # allow incoming http
    $iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # allow incoming https
    $iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    # ssh: client --> server (internal)
    $iptables -A INPUT -s $int_net -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # ssh: client --> server
    #$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    #$iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    # update (apt)
    $iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # teamdrive
    $iptables -A INPUT -p tcp --dport 37655 -m state --state NEW -j ACCEPT
    # git
    $iptables -A INPUT -p tcp --dport 9418 -m state --state NEW -j ACCEPT
    # connection tracking for the INPUT and OUTPUT chains
    $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # logging
    $iptables -N LOGGING
    $iptables -A INPUT -j LOGGING
    $iptables -A OUTPUT -j LOGGING
    $iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: " --log-level 4
    $iptables -A LOGGING -j DROP
    echo "firewall activated"
    ;;
stop)
    # note: only the built-in chains are flushed here; the LOGGING chain keeps its
    # rules, so every further "start" appends another LOG/DROP pair to it
    $iptables -F INPUT
    $iptables -F OUTPUT
    $iptables -F FORWARD
    ;;
restart)
    $0 start
    ;;
*)
    echo "usage: $0 {start|stop|restart}"
    ;;
esac
```
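A DROP-policy rule set like the one above can be checked mechanically for the conditions that make connections stall instead of being refused: a chain with DROP policy but no generic ESTABLISHED,RELATED rule, no loopback ACCEPT, and rules duplicated in a custom chain because the start script appends without flushing it. The linter below is an added example, not code from the post; `parse_dump`, `lint` and the abridged sample dump are constructed here in the shape of the iptables-save output shown above.

```python
"""Lint an iptables-save dump for pitfalls that make a host with DROP policies hang
mid-connection. Added example; parse_dump/lint and SAMPLE are constructed here."""
import re
from collections import Counter
POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[")   # ":INPUT DROP [0:0]"

def parse_dump(text):
    """Return ({chain: policy}, {chain: [rule_body, ...]}) from iptables-save text."""
    policies, rules = {}, {}
    for line in map(str.strip, text.splitlines()):
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            chain, body = line[3:].split(" ", 1)
            rules.setdefault(chain, []).append(body)
    return policies, rules

def lint(text):
    """Return a list of findings; an empty list means none of the pitfalls is present."""
    policies, rules = parse_dump(text)
    out = []
    for chain in ("INPUT", "OUTPUT"):
        if policies.get(chain) != "DROP":
            continue                      # ACCEPT policy: unmatched traffic passes anyway
        body = rules.get(chain, [])
        # a conntrack rule bound to one protocol/port (e.g. DNS replies) is not enough
        if not any("ESTABLISHED" in r and "-p " not in r for r in body):
            out.append(f"{chain}: DROP policy without generic ESTABLISHED,RELATED rule")
        if not any("-i lo" in r or "-o lo" in r for r in body):
            out.append(f"{chain}: no loopback ACCEPT; local services cannot reach each other")
    for chain, body in rules.items():     # duplicates: chain was never flushed before re-adding
        for rule, n in Counter(body).items():
            if n > 1:
                out.append(f"{chain}: rule repeated {n}x: {rule}")
    return out

# constructed dump, abridged, in the shape of the post's iptables-save output
SAMPLE = """:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: "
-A LOGGING -j DROP
"""
```

Running `lint(SAMPLE)` reports six findings for the constructed dump; a dump with a generic conntrack rule and a loopback ACCEPT in both chains and no duplicated rules yields an empty list.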