# Configuring IPTables to Allow Portage Sync

## wswartzendruber

Here's the current IPTables script:

```
#!/bin/sh

IPTABLES='/sbin/iptables'

# Flush rules and delete chains.
$IPTABLES -F
$IPTABLES -X

# Allow all traffic on local loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Accept replies to connections this host started, then drop all other
# unsolicited inbound traffic on every adapter (OUTPUT is left open).
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -j DROP
```

Here's the output:

```
>>> Starting rsync with rsync://134.68.220.73/gentoo-portage...
>>> Checking server timestamp ...
Welcome to raven.gentoo.org

Server Address : 134.68.220.73
Contact Name   : mirror-admin@gentoo.org
Hardware       : 2 x Intel(R) Xeon(TM) CPU 1700MHz, 2019MB RAM

Please note: common gentoo-netiquette says you should not sync more
than once a day.  Users who abuse the rsync.gentoo.org rotation
may be added to a temporary ban list.
MOTD autogenerated by update-rsync-motd on Sun Oct 14 03:24:55 UTC 2007
receiving file list ... done
timestamp.chk
timed out
rsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(503) [generator=3.0.0pre9]
rsync error: received SIGUSR1 (code 19) at main.c(1317) [receiver=3.0.0pre9]
```

Help?

----------
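The ruleset above already accepts ESTABLISHED,RELATED traffic, so the mirror's replies to an rsync session this host opened should be matching rule 2, not the final DROP. Before adding more rules it is worth confirming that the firewall is actually what kills the session. The following is an added example, not code from the thread: two read-only checks that parse the verbose, numbered chain listing and the kernel's conntrack table. The `SAMPLE_*` strings are constructed stand-ins for the live command output, with invented counters and a made-up local address (192.0.2.10); only the mirror address comes from the rsync output in the post.

```shell
#!/bin/sh
# Added example, not code from the thread.  Two read-only checks to run
# while emerge --sync hangs, so rules are only added once the firewall is
# known to be the culprit.  Both functions read their input from stdin; the
# SAMPLE_* strings below are constructed stand-ins for the live files.

# Constructed stand-in for:  iptables -L INPUT -v -n --line-numbers
# (same shape as the original poster's ruleset; the counters are invented).
SAMPLE_COUNTERS='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       42  3360 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     1337 98765 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        7   420 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed stand-in for /proc/net/ip_conntrack (first line, old layout)
# and /proc/net/nf_conntrack (second line, newer layout).  192.0.2.10 is a
# made-up local address; 134.68.220.73 is the mirror from the rsync output.
SAMPLE_CONNTRACK='tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=134.68.220.73 sport=40112 dport=873 src=134.68.220.73 dst=192.0.2.10 sport=873 dport=40112 [ASSURED] use=1
ipv4     2 tcp      6 299 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40200 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=40200 [ASSURED] mark=0 use=1
udp     17 28 src=192.0.2.10 dst=192.0.2.1 sport=51234 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=51234 use=1'

# Print "<rule number> <packets>" for every DROP rule in a numbered, verbose
# chain listing.  Run it twice a few seconds apart: a rising count while the
# sync is stuck means the firewall is eating the mirror's packets; a count
# that does not move means the timeout comes from somewhere else.
# The first-field test skips a "Chain INPUT (policy DROP ...)" header line.
drop_hits() {
    awk '$1 ~ /^[0-9]+$/ && $4 == "DROP" { print $1, $2 }'
}

# Print the conntrack state of each TCP flow to the given destination port
# (default 873, rsync).  Handles both the ip_conntrack layout ("tcp" in
# field 1) and the nf_conntrack layout ("tcp" in field 3); the state word
# sits three fields after the protocol.  If the rsync flow has no
# ESTABLISHED entry while the client socket is still open, the
# "-m state --state ESTABLISHED,RELATED" rule has nothing to match and the
# replies fall through to the DROP rule.
conntrack_state() {
    port="${1:-873}"
    awk -v p="dport=$port" '
        { t = ($1 == "tcp") ? 1 : (($3 == "tcp") ? 3 : 0) }
        t { for (i = t; i <= NF; i++) if ($i == p) { print $(t + 3); break } }'
}

# Demonstration on the constructed samples.  Live equivalents:
#   iptables -L INPUT -v -n --line-numbers | drop_hits
#   cat /proc/net/ip_conntrack | conntrack_state 873
printf '%s\n' "$SAMPLE_COUNTERS"  | drop_hits           # prints: 3 7
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_state 873  # prints: ESTABLISHED
```

Both functions need root only for the live input (`iptables -L` and the conntrack file), not for the parsing itself; the conntrack file lives at `/proc/net/ip_conntrack` on 2007-era kernels and `/proc/net/nf_conntrack` on later ones.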

## Stolz

```
iptables -A INPUT -p tcp --sport rsync -j ACCEPT
```


----------

## wswartzendruber

*Stolz wrote:*

> ```
> iptables -A INPUT -p tcp --sport rsync -j ACCEPT
> ```
> ...

 

Nope, no go.  I put it right above the DROP line.

Thanks for the reply, though.

----------

## Stolz

Well, I don't have much experience with iptables and I don't know what your needs are, but a first approach could be:

```
#!/bin/sh

IPTABLES='/sbin/iptables'

# Flush rules and delete chains.
$IPTABLES -F
$IPTABLES -X

# By default block all incoming, allow all outgoing
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# Here you can choose 2 options to control the incoming connections

# 1.- Use only one rule to accept network packets that are part of an established
#     or related connection initiated by you. Easy to configure but you have less control
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 2.- Accept only specific network packets (uncomment the rules for your convenience).
#     You need several rules but you get more control
# Accept RSYNC
# $IPTABLES -A INPUT -p tcp --sport rsync -j ACCEPT
# Accept DNS
# $IPTABLES -A INPUT -p udp --sport domain -j ACCEPT
# Accept HTTP & HTTPS
# $IPTABLES -A INPUT -p tcp --sport http -j ACCEPT
# $IPTABLES -A INPUT -p tcp --sport https -j ACCEPT
# Accept SSH
# $IPTABLES -A INPUT -p tcp --sport ssh -j ACCEPT
# Accept PING
# $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Others...
```

BTW, Gentoo can handle your iptables rules; you don't need a script, just run:

```
# /etc/init.d/iptables start
# (enter your rules here)
# /etc/init.d/iptables save
# rc-update add iptables default
```

Hope it helps.

----------

## mmoufid

```
iptables -A OUTPUT -p tcp --dport rsync --syn -m state --state NEW -j ACCEPT
```

----------
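One caveat on the "option 2" rules in Stolz's script: an INPUT rule keyed on `--sport rsync` (or `--sport http`, `--sport ssh`) with no state match trusts the remote side's source port, and any host can send from port 873 to reach any local port. The stateful rule is the right primitive for INPUT; if per-service control is wanted, the place for it is OUTPUT, matched on the destination port the local client chose, with `--state NEW` as in mmoufid's one-liner. The following is an added example, not code from the thread or from Gentoo's init scripts: a generator that emits such a ruleset in `iptables-restore` format. The default port list (rsync, DNS, HTTP, HTTPS, SSH) and the file path in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.  Emits a ruleset in
# iptables-restore format that keeps INPUT purely stateful and does the
# per-service selection in OUTPUT, where the port being matched is the
# destination port the local client chose rather than a source port the
# remote end can set to anything.  The default port list (rsync, DNS, HTTP,
# HTTPS, SSH) is an assumption for illustration; pass your own as arguments.
# Numeric ports are used so the file does not depend on /etc/services.
#
# Usage:
#   gen_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
#   gen_rules 873 443                # only rsync and https may leave the box

gen_rules() {
    tcp_ports="${*:-873 53 80 443 22}"
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is unrestricted.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to flows this host started (and related ones, such as ICMP errors)
# are accepted; everything else is dropped whatever its source port.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS over UDP (TCP 53 is covered by the port list if present).
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# Outbound ping, handy for checking that a mirror is reachable at all.
-A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
EOF
    # One NEW-connection rule per permitted TCP service; --syn restricts the
    # match to the initial handshake packet.
    for p in $tcp_ports; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $p --syn -m state --state NEW -j ACCEPT"
    done
    cat <<'EOF'
# Anything else trying to leave is logged (rate limited) before the policy drops it.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
COMMIT
EOF
}

# Stand-alone run: print the ruleset for the ports given on the command line.
gen_rules "$@"
```

Lines beginning with `#` are ignored by `iptables-restore`, so the comments can stay in the saved file. With OUTPUT defaulting to DROP, anything not in the port list (NTP, for instance) will show up in the log with the `OUTPUT-DROP:` prefix rather than failing silently, which is the quickest way to find out what else the box needs. On kernels newer than the one in this thread `-m conntrack --ctstate` is the preferred spelling, but `-m state` still loads.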

