How to add iptables rules for PHP Composer to work

Danish J
Sep 5, 2018

If you’re working in a restricted server environment where the default iptables rules deny all outbound traffic and you want to allow access to Composer repositories, here’s what you need to do to get everything working. This includes access to composer.phar, https://packagist.org and GitHub for hosted packages.

You can grab the GitHub IPs from https://api.github.com/meta and then, on the command line, add the following rules to your iptables rules file.

# Allow outbound access to fetch composer.phar from https://getcomposer.org
-A OUTPUT -p tcp -d 54.36.53.46 --dport 443 -j ACCEPT
# Packagist Repository for composer https://repo.packagist.org
-A OUTPUT -p tcp -d 54.37.131.18 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -d 54.37.2.184 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -d 54.38.136.239 --dport 443 -j ACCEPT
# GitHub IPs
# api.github.com
-A OUTPUT -p tcp -d 192.30.253.116/31 --dport 443 -j ACCEPT
# codeload.github.com
-A OUTPUT -p tcp -d 192.30.253.120/31 --dport 443 -j ACCEPT
# git over https
-A OUTPUT -p tcp -d 192.30.252.0/22 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -d 185.199.108.0/22 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -d 140.82.112.0/20 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -d 13.229.188.59/32 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -d 13.250.177.223/32 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -d 18.194.104.89/32 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -d 18.195.85.27/32 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -d 35.159.8.160/32 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -d 52.74.223.119/32 --dport 443 -j ACCEPT
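
Published ranges change over time, so the rules can be regenerated from a saved copy of the https://api.github.com/meta response instead of being typed by hand. The following is an added example, not code from the original post: it de-duplicates and merges the CIDRs and separates IPv6 ranges, which belong in ip6tables rather than iptables. `SAMPLE_META` is a constructed stand-in for the real response and `build_rules` is a hypothetical helper name.

```python
import ipaddress
import json

# Constructed sample in the shape of the /meta response; the IPv4 values are
# reused from the rules above, the IPv6 prefix is a documentation range.
SAMPLE_META = json.loads("""
{
  "verifiable_password_authentication": false,
  "api": ["192.30.252.0/22", "185.199.108.0/22", "140.82.112.0/20"],
  "git": ["192.30.252.0/22", "140.82.112.0/20", "13.229.188.59/32",
          "2001:db8:1::/48"],
  "web": ["192.30.253.116/31", "185.199.108.0/22"]
}
""")


def build_rules(meta, sections=("api", "git", "web"), port=443):
    """Return (ipv4_rules, ipv6_rules) as iptables-restore style lines."""
    nets = {4: set(), 6: set()}
    for section in sections:
        for cidr in meta.get(section, []):
            # strict=False tolerates entries that have host bits set
            net = ipaddress.ip_network(cidr, strict=False)
            nets[net.version].add(net)
    rules = {}
    for version, found in nets.items():
        # collapse_addresses drops duplicates and subnets already covered
        # by a wider range, so the rule file stays minimal
        merged = ipaddress.collapse_addresses(sorted(found))
        rules[version] = [
            f"-A OUTPUT -p tcp -d {net} --dport {port} -j ACCEPT"
            for net in merged
        ]
    return rules[4], rules[6]


if __name__ == "__main__":
    v4, v6 = build_rules(SAMPLE_META)
    print("# iptables (IPv4)")
    print("\n".join(v4))
    print("# ip6tables (IPv6)")
    print("\n".join(v6))
```

Review the generated lines before loading them, and keep the IPv6 lines in the ip6tables rule file only.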

I also noticed that by default composer.phar was downloading packages over http rather than https. This was easy to find out since I had only opened 443 ports 😉.

Here is how to force HTTPS use for Packagist repositories in Composer, since the allow_ssl_downgrade=false option didn’t seem to work.

Use the following to redefine the packagist repositories with https:

$ php composer.phar config --global repositories.packagist composer https://packagist.org

# OR add this to your composer.json
{
    "repositories": [
        {
            "type": "composer",
            "url": "https://repo.packagist.org",
            "allow_ssl_downgrade": false
        }
    ]
}
