Hi, my pi 3b runs octoprint and iptables as a firewall. The firewall is mandatory in my case.
The whole thing runs quite well, unfortunately I can't access the plugin repository via the plugin manager; normal updates work. Can someone tell me which IP/port (in/out) the plugin manager needs so that it works with the current firewall?
Thank you very much.
Olav
The repo alone is not enough - sometimes you also need to download other dependencies from pypi.org.
Also the plugins aren't hosted in the repo - they're downloaded from GitHub.
So if I'm not mistaken you need at least plugins.octoprint.org, github.com, files.pythonhosted.org and pypi.org on port 443.
Thank you very much, it works perfectly now.
If someone needs my iptables settings I can post my rules.v4.
You're welcome to post it
Future users will thank you
OK, here is my version of the iptables rules (IPv4) if your OctoPrint installation must be in a network with IP addresses that are reachable worldwide. I use a whitelist, only some machines from 217.197.x.x.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 217.197.81.0/25 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i wlan0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i lo -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# block web ports
-A INPUT -s 217.197.81.0/25 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i wlan0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i wlan0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i lo -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 217.197.81.0/25 -i lo -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#
-A INPUT -s plugins.octoprint.org -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s github.com -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s pypi.org -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s files.pythonhosted.org -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#
-A INPUT -s plugins.octoprint.org -i wlan0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s github.com -i wlan0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s pypi.org -i wlan0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s files.pythonhosted.org -i wlan0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#
-A INPUT -s plugins.octoprint.org -i lo -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s github.com -i lo -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s pypi.org -i lo -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s files.pythonhosted.org -i lo -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#
-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
COMMIT
You should be able to permit data from those sites as an "established connection" provided you initiate it from your side.
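As an added example (not part of this thread or of OctoPrint itself), the script below is a small static audit for a rules.v4 file in the iptables-save format posted above. It checks the two things the thread settles on: that the OUTPUT chain lets the Pi open new TCP/443 connections to the four hosts the Plugin Manager needs, and that INPUT admits the replies through a RELATED,ESTABLISHED rule rather than through per-host inbound rules. It also flags -s/-d rules that use hostnames: iptables-restore resolves a name to its address(es) once when the rules are loaded, so a CDN-backed host such as github.com or files.pythonhosted.org can drift away from what was loaded. The sample rule set and all function names are constructed for this example.

```python
"""Static audit of an iptables-restore file (rules.v4) for the OctoPrint Plugin Manager.

Added example, not code from the OctoPrint project or from the thread's poster.
"""
import ipaddress
import shlex
from dataclasses import dataclass

# Destinations named in the thread; all reached on TCP 443 from the Pi.
REQUIRED_HOSTS = ("plugins.octoprint.org", "github.com", "pypi.org", "files.pythonhosted.org")

# Constructed sample in the same shape as the poster's rules.v4 (abridged).
SAMPLE_RULES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 217.197.81.0/25 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s github.com -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    chain: str
    opts: dict  # option -> value; bare flags map to True


def parse_rules(text):
    """Return ({chain: policy}, [Rule, ...]) from iptables-save formatted text."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):  # ":INPUT DROP [0:0]" -> chain policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        opts, i = {}, 2
        while i < len(toks):  # pair each option with its value, bare flags become True
            if toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[toks[i]] = toks[i + 1]
                i += 2
            else:
                opts[toks[i]] = True
                i += 1
        rules.append(Rule(toks[1], opts))
    return policies, rules


def _is_address(value):
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def _allows_new(rule):
    state = rule.opts.get("--state")
    return state is None or "NEW" in str(state).split(",")


def outbound_443_allowed(policies, rules):
    """Can the Pi open a NEW TCP connection to port 443 at any destination?"""
    if policies.get("OUTPUT") == "ACCEPT":
        return True
    return any(r.chain == "OUTPUT" and r.opts.get("-j") == "ACCEPT" and r.opts.get("-p") == "tcp"
               and r.opts.get("--dport") == "443" and "-d" not in r.opts and _allows_new(r)
               for r in rules)


def replies_allowed(rules):
    """Does INPUT accept ESTABLISHED traffic, i.e. the answers to connections the Pi opened?"""
    return any(r.chain == "INPUT" and r.opts.get("-j") == "ACCEPT"
               and "ESTABLISHED" in str(r.opts.get("--state", "")).split(",")
               for r in rules)


def hostname_rules(rules):
    """(chain, name) for -s/-d values that are names; resolved once at load time, not per packet."""
    return [(r.chain, r.opts[k]) for r in rules for k in ("-s", "-d")
            if isinstance(r.opts.get(k), str) and not _is_address(r.opts[k])]


def misdirected_input_rules(rules):
    """Required hosts allowed *inbound* to the Pi's port 443: wrong direction for downloads."""
    return [r.opts["-s"] for r in rules if r.chain == "INPUT"
            and r.opts.get("--dport") == "443" and r.opts.get("-s") in REQUIRED_HOSTS]


def audit(text):
    policies, rules = parse_rules(text)
    return {"outbound_443": outbound_443_allowed(policies, rules),
            "replies": replies_allowed(rules),
            "hostname_rules": hostname_rules(rules),
            "misdirected_input": misdirected_input_rules(rules)}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_RULES_V4), indent=2))
```

Run it against the real file with `audit(open("/etc/iptables/rules.v4").read())`. A result with `outbound_443` and `replies` both true is what the Plugin Manager needs; entries under `misdirected_input` are rules that never see the download traffic and can be dropped, and entries under `hostname_rules` are the ones to re-check whenever DNS for those hosts changes.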