1

I've installed Stash, with the SVN mirror plugin - which installs subgit.

I have iptables set up something like:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7990
ACCEPT     tcp  --  yyy.yyy.yyy.yyy      anywhere             tcp spt:mysql
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     all  --  xxx.xxx.xxx.xxx      anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7999
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http state ESTABLISHED


Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             yyy.yyy.yyy.yyy         tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:7990
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:38724
ACCEPT     all  --  anywhere             xxx.xxx.xxx.xxx
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:7999
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED

Where xxx.xxx.xxx.xxx is the IP of the SVN server. The initial sync works with these settings. But when I commit to SVN, the changes won't come through. If I change the policy of INPUT and OUTPUT to ACCEPT, the changes instantly sync. So what else do I need to allow?

SQB
wkstar

2 Answers

2
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Did it.

wkstar
1

I would not be able to help with the exact iptables configuration, but for the SVN Mirror Add-On (and for SubGit) the following is correct:

1) SubGit requires full access to the Subversion project it mirrors.

From the protocol perspective it needs to be able to access the target Subversion repository over http(s) (port 80 or 443) or the svn protocol (port 3690). Access here means establishing a connection with the Subversion repository host at that port and then sending and receiving data over the established connection. That is what the iptables rules should allow.

See this post for details on ports Subversion uses for different protocols: what ports need to be open for svn tortoise to authenticate (clear text) and commit

2) SubGit launches a background process and communicates with it over TCP.

That communication only involves localhost, and the port is randomly selected from those available at the moment for the particular user. So your iptables rules should allow any ports to be opened and accessed on the localhost from the localhost.

Hope that helps!

Community
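The loopback gap that both answers point to can be checked mechanically. The script below is an added example, not part of either answer or of SubGit: it reads `iptables -S` output and reports which of INPUT/OUTPUT would still drop localhost traffic. The function names and the sample ruleset (with 192.0.2.10 standing in for the SVN server) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `iptables -S` output on stdin and prints each of
# INPUT/OUTPUT that is not policy ACCEPT and has no unconditional ACCEPT for lo.
# Returns 0 when loopback is allowed on both. Rule order is not evaluated.
check_loopback() {
    awk '
        $1 == "-P" { policy[$2] = $3; next }
        # Exactly "-A CHAIN -i|-o lo -j ACCEPT": no extra match conditions
        $1 == "-A" && NF == 6 && $4 == "lo" && $5 == "-j" && $6 == "ACCEPT" {
            if ($2 == "INPUT"  && $3 == "-i") ok["INPUT"]  = 1
            if ($2 == "OUTPUT" && $3 == "-o") ok["OUTPUT"] = 1
        }
        END {
            n = split("INPUT OUTPUT", chains, " ")
            for (i = 1; i <= n; i++) {
                c = chains[i]
                if (policy[c] != "ACCEPT" && !(c in ok)) { print c; bad = 1 }
            }
            exit bad + 0
        }'
}

# Constructed sample modelled on the ruleset in the question (192.0.2.10 = SVN host)
rules_before() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -p tcp -m tcp --dport 7990 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7999 -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 7990 -j ACCEPT
EOF
}

# The same ruleset with the two loopback rules from the accepted answer appended
rules_after() {
    rules_before
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
}

echo "before: no loopback ACCEPT in: $(rules_before | check_loopback | tr '\n' ' ')"
rules_after | check_loopback && echo "after: loopback allowed on INPUT and OUTPUT"
```

On a live host, run it as `iptables -S | check_loopback` with root privileges; a non-zero exit status means a local service that talks to itself over 127.0.0.1 will be blocked.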