Hi, my Pi 3B runs OctoPrint and iptables as a firewall. The firewall is mandatory in my case.
The whole thing runs quite well; unfortunately I can't access the plugin repository via the plugin manager, though normal updates work. Can someone tell me which IP/port in/out the plugin manager needs to be able to work with the current firewall?
Thank you very much.
Olav
The repo alone is not enough - sometimes you also need to download other dependencies from pypi.org.
Also the plugins aren't hosted in the repo - they're downloaded from github.
So if I'm not mistaken, you need at least plugins.octoprint.org, github.com, files.pythonhosted.org and pypi.org on port 443.
Thank you very much
It works perfectly now 🙂
If someone needs my iptables settings, I can post my rules.v4.
You're welcome to post it 🙂
Future users will thank you 🐙
OK
Here is my version of the iptables rules (IPv4) if your OctoPrint installation must be in a network with IP addresses that can be reached worldwide. I use a whitelist, only some machines from 217.197.x.x
```
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 217.197.81.0/25 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i wlan0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i lo -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# block web port
-A INPUT -s 217.197.81.0/25 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i wlan0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i wlan0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i lo -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i lo -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#
-A INPUT -s plugins.octoprint.org -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s github.com -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s pypi.org -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s files.pythonhosted.org -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#
-A INPUT -s plugins.octoprint.org -i wlan0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s github.com -i wlan0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s pypi.org -i wlan0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s files.pythonhosted.org -i wlan0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#
-A INPUT -s plugins.octoprint.org -i lo -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s github.com -i lo -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s pypi.org -i lo -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s files.pythonhosted.org -i lo -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#
-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
COMMIT
```
You should be able to permit data from those sites as an "established connection" provided you initiate it from your side.
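
Added example (not part of the thread and not any poster's own configuration): a shorter `rules.v4` that relies on the established-connection behaviour described in the last reply. It reuses the 217.197.81.0/25 whitelist and the port numbers from the posted rules; setting FORWARD to DROP assumes the Pi does not route traffic for other hosts.

```iptables
*filter
:INPUT DROP [0:0]
# Assumption: the Pi is not a router, so nothing needs to be forwarded.
:FORWARD DROP [0:0]
# Outbound stays open, as in the posted rules. This is what lets the plugin
# manager reach plugins.octoprint.org, github.com, pypi.org and
# files.pythonhosted.org on 443, and the resolver on 53.
:OUTPUT ACCEPT [0:0]

# Local loopback traffic.
-A INPUT -i lo -j ACCEPT

# Replies to connections this host opened itself. This single rule covers the
# HTTPS responses from the plugin hosts and the DNS answers, so no per-hostname
# INPUT rules and no "--sport 53" rules are needed. A "--sport 53" accept rule
# admits any packet whose sender picks source port 53, and a hostname in "-s"
# is resolved only once, when the rules are loaded.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# New inbound connections: SSH and the web interface, whitelist only.
-A INPUT -s 217.197.81.0/25 -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate NEW -j ACCEPT

# Allow ping (echo-request); echo replies are matched by the conntrack rule.
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
COMMIT
```

The file can be syntax-checked without being applied by passing it to `iptables-restore --test`.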