
Once I locked down my VPS server with iptables, meaning I only have a few selected ports open for inbound access, my gem command stopped working, and I'm not sure what I'm doing wrong.

This is a two-fold question.

1st. This is the command run at the command line for Gem.

gem list -r

Before, it displayed a list of remote gems available for installation; now it stalls out unless I open all the ports through iptables again. I have read in a couple of places to open up port 443, but the examples I saw were quite foreign to me, and what I did try to take from them didn't work. So does anyone have any idea? Here is the output of my iptables settings.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      193 14308 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
3        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81
4        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:82
5        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
6        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8090
7        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
8       28  2214 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 154 packets, 16540 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain LOGGING (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       28  2214 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "IPTables Dropped"
2       28  2214 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

The second part of my question is: in the absence of documentation, how can I reveal which IP addresses and ports a program, such as gem in this case, is accessing? I'm hoping there is some sort of program where I could type a command similar to the following:

sandbox-wrap 'gem list -r'

And, watch the internet access information display on screen.


Thanks, Iain, for answering the question. For the rest of you, here is a copy of the new iptables with the correction. I added a new line at position 1 of the INPUT chain in the filter table.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        7   488 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2      700 50592 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81
5        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:82
6        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
7        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8090
8        1    40 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
9       83  6958 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
KitakamiKyle

1 Answer


As configured, I think your main problem is the DROP at the end of the LOGGING chain. It is dropping all packets that reach it. The gem command will be using a random ephemeral port to make the connection to the remote system. Packets will be returned to it, and as you only allow packets to explicit ports in your INPUT chain, you are blocking them with the DROP.

It is normal to allow related/established connections by adding this early in the INPUT chain:

iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

That will allow packets in that are related to the outgoing gem connection.

user9517
  • Thanks a bunch, Iain! It worked! I've been racking my head over this. I don't understand much about RELATED or iptables states, but you've pointed me in the right direction for further study. – KitakamiKyle Jan 31 '16 at 11:30
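To make the answer's reasoning concrete without needing root or a real netfilter, here is an added example (not part of the original question or answer) that simulates the poster's INPUT and LOGGING chains as a tiny rule walker with a toy connection-tracking table. It replays the outbound gem connection from an ephemeral port, then feeds the server's reply through the chain both with and without the RELATED,ESTABLISHED rule, and also checks that an unsolicited packet to that same ephemeral port is still dropped once the rule is in place. The addresses (203.0.113.10 for the VPS, 198.51.100.5 for the remote gem server, 192.0.2.77 for a random client) and the ephemeral port 49152 are constructed for the example.

```python
"""Simulate the poster's iptables INPUT chain to show why gem replies were dropped."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "eth0"  # interface the packet arrives on


@dataclass(frozen=True)
class Rule:
    target: str                              # ACCEPT, DROP, LOG, or a user-defined chain name
    proto: Optional[str] = None              # -p tcp
    in_iface: Optional[str] = None           # -i eth0
    dport: Optional[int] = None              # --dport N
    states: Optional[FrozenSet[str]] = None  # -m state --state ...


class Conntrack:
    """Toy connection tracker: remembers outbound 5-tuples so replies can be classified."""

    def __init__(self) -> None:
        self.flows = set()

    def note_outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt: Packet) -> str:
        # A reply is the recorded outbound tuple with the endpoints swapped.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ESTABLISHED"
        return "NEW"


def walk(chains: Dict[str, List[Rule]], name: str, pkt: Packet,
         ct: Conntrack, log: List[str]) -> Optional[str]:
    """Evaluate one chain top to bottom; return a terminating verdict or None."""
    for rule in chains[name]:
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.in_iface is not None and rule.in_iface != pkt.iface:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if rule.states is not None and ct.state(pkt) not in rule.states:
            continue
        if rule.target == "LOG":          # LOG is non-terminating: record and keep going
            log.append(f"IPTables Dropped {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            continue
        if rule.target in chains:         # jump to a user chain, e.g. LOGGING
            verdict = walk(chains, rule.target, pkt, ct, log)
            if verdict is not None:
                return verdict
            continue                      # fell off the end of the user chain
        return rule.target                # ACCEPT or DROP
    return None


def build_chains(with_conntrack: bool) -> Dict[str, List[Rule]]:
    """Reproduce the poster's rules; with_conntrack adds the answer's rule at position 1."""
    inp: List[Rule] = []
    if with_conntrack:
        inp.append(Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))
    inp += [Rule("ACCEPT", proto="tcp", in_iface="eth0", dport=p)
            for p in (22, 80, 81, 82, 8080, 8090, 443)]
    inp.append(Rule("LOGGING"))
    return {"INPUT": inp, "LOGGING": [Rule("LOG"), Rule("DROP")]}


VPS = "203.0.113.10"      # constructed, documentation-range address
GEMS = "198.51.100.5"     # constructed stand-in for the remote gem server


def simulate(with_conntrack: bool) -> Dict[str, object]:
    chains = build_chains(with_conntrack)
    ct = Conntrack()
    log: List[str] = []
    # gem connects out from an ephemeral port; OUTPUT policy is ACCEPT, so it leaves freely.
    ct.note_outbound(Packet("tcp", VPS, 49152, GEMS, 443))
    reply = Packet("tcp", GEMS, 443, VPS, 49152)                 # server's answer
    unsolicited = Packet("tcp", "192.0.2.77", 40000, VPS, 49152)  # nobody asked for this
    ssh = Packet("tcp", "192.0.2.77", 40001, VPS, 22)             # explicitly opened port

    def verdict(pkt: Packet) -> str:
        return walk(chains, "INPUT", pkt, ct, log) or "ACCEPT"   # INPUT policy ACCEPT

    return {"gem_reply": verdict(reply),
            "unsolicited_to_ephemeral": verdict(unsolicited),
            "new_ssh": verdict(ssh),
            "logged": len(log)}


if __name__ == "__main__":
    print("original chain :", simulate(False))
    print("with conntrack :", simulate(True))
```

The reply from port 443 lands on destination port 49152, matches none of the explicit `dpt:` rules, and falls into LOGGING where it is dropped; with the state rule first, the same packet is ACCEPTed because conntrack already saw the outbound half. The unsolicited packet to 49152 stays dropped either way, which is the property to verify after adding the rule: it admits replies to connections the host started, not new connections to ephemeral ports.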