Firewall settings for webhook towards Jenkins

Hello,

I've been trying to set up webhooks to automate Jenkins builds for a few ‘days’ now (not continuously, of course) but have miserably failed.

Environment: Debian 10.11

My Jenkins server resides behind an nginx reverse proxy (a 2nd physical host) which serves as the SSL frontend, so it is used to do port forwarding of the SSL port towards the default 8080 port. On the nginx server/reverse proxy I have a firewall set up which blocks everything except for IPs that I allow.
If I disable the firewall on the nginx server everything works as expected.
Firewall enabled: “Failed to connect to host” as the result in the GitHub webhooks recent deliveries.
So the missing link is the correct firewall settings, imho.

I have found the meta page (https://api.github.com/meta) and added the subnets from the “hooks” section with no limitation on port or protocol.
The incoming address (with the firewall off) is 140.82.115.146 which is part of the 140.82.112.0/22 as found on the meta page. I have added that address explicitly in the firewall rules, but to no avail.

EDIT: added ufw status numbered output:

> [68] Anywhere                   ALLOW IN    192.30.252.0/22           
> [69] Anywhere                   ALLOW IN    185.199.108.0/22          
> [70] Anywhere                   ALLOW IN    140.82.112.0/20           
> [71] Anywhere                   ALLOW IN    143.55.64.0/20            
> [72] Anywhere                   ALLOW IN    140.82.115.146

I am most confident that someone here has already put in place the same setup, so if he/she can shed some light or give a hint I would be most grateful.

Yes, I read about things like smee.io but I don’t want to add another hop for something this trivial.

Kind regards,
DragonPi

The issue in the end was in the rule hierarchy.

As mentioned, my nginx server blocks everything (DROP) based on a CIDR zone list I fetch from the internet.
A bash script weekly updates the before.rules accordingly together with fail2ban etc…

Anyway, the extra rules I added as mentioned in the opening post were applied AFTER I had already dropped the packets… so they never made it in, obviously.
I adapted my bash script to skip the creation of the DROP rule for the IPs delivered by the GitHub API.

All works well now.
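The resolution above comes down to two things: a packet filter takes the first matching rule, so an ALLOW listed after a DROP that already covers the same source never fires, and the fix is to subtract the GitHub hook ranges from the blocklist before the DROP rules are generated. The following Python script is an added example that is not part of the thread or of DragonPi's bash script. It uses only the standard library's `ipaddress` module; the `META_JSON` document, the `BLOCKLIST` and the function names (`hook_networks`, `first_match`, `carve_out`, `build_rules`, `ufw_lines`) are all constructed for the example, and the meta document is a stand-in for the real `hooks` array at https://api.github.com/meta, which should be fetched at run time. It goes slightly beyond the thread in that it handles any overlap, not only the one address: a blocklist entry that fully contains a hook range is split around it, and an entry that lies inside a hook range is removed.

```python
"""Added example (not from the original thread): shows why an ALLOW rule that is
listed after a matching DROP never fires, and how to carve GitHub's webhook
source ranges out of a fetched blocklist before generating DROP rules.
Only the standard library is used; every input below is constructed."""
import ipaddress
import json

# Constructed stand-in for the "hooks" array of https://api.github.com/meta.
# The live list changes; fetch it at run time rather than hard-coding it.
META_JSON = json.dumps({
    "hooks": ["192.30.252.0/22", "185.199.108.0/22",
              "140.82.112.0/20", "143.55.64.0/20", "2a0a:a440::/29"]
})

# Constructed zone blocklist such as a weekly script might download.
# 140.82.0.0/16 deliberately swallows GitHub's 140.82.112.0/20.
BLOCKLIST = ["140.82.0.0/16", "203.0.113.0/24", "198.51.100.0/24"]


def hook_networks(meta_json, version=4):
    """Parse the hooks ranges from a meta document, keeping one IP version."""
    nets = (ipaddress.ip_network(c) for c in json.loads(meta_json)["hooks"])
    return [n for n in nets if n.version == version]


def first_match(ip, rules):
    """Evaluate an ordered list of (action, network) the way a packet filter
    does: the first rule whose network contains ip decides; None if none match."""
    addr = ipaddress.ip_address(ip)
    for action, net in rules:
        if addr.version == net.version and addr in net:
            return action
    return None


def carve_out(blocklist, exclusions):
    """Subtract every exclusion from every blocklist CIDR.
    Two CIDRs are either nested or disjoint, so each step is one of:
    remove the piece, split the piece around the exclusion, or keep it."""
    pieces = [ipaddress.ip_network(c) for c in blocklist]
    for ex in exclusions:
        kept = []
        for p in pieces:
            if p.version != ex.version:
                kept.append(p)
            elif p.subnet_of(ex):          # fully inside the exclusion: remove
                continue
            elif ex.subnet_of(p):          # exclusion inside p: split around it
                kept.extend(p.address_exclude(ex))
            else:
                kept.append(p)             # disjoint: untouched
        pieces = kept
    return sorted(pieces)


def build_rules(blocklist, hooks):
    """ALLOW the webhook sources first, then DROP the carved blocklist.
    Both the ordering and the carve-out keep the ALLOWs reachable."""
    rules = [("ALLOW", n) for n in hooks]
    rules += [("DROP", n) for n in carve_out(blocklist, hooks)]
    return rules


def ufw_lines(rules, port=443):
    """Render rules as ufw commands; ufw evaluates rules in insertion order.
    ufw's verb for a silent drop is 'deny'."""
    verb = {"ALLOW": "allow", "DROP": "deny"}
    return ["ufw %s from %s to any port %d" % (verb[action], net, port)
            for action, net in rules]


if __name__ == "__main__":
    hooks = hook_networks(META_JSON)
    delivery_ip = "140.82.115.146"   # the source address seen in the thread

    # Broken order: blocklist DROP first, GitHub ALLOWs appended afterwards.
    broken = [("DROP", ipaddress.ip_network(c)) for c in BLOCKLIST]
    broken += [("ALLOW", n) for n in hooks]
    print("broken order ->", first_match(delivery_ip, broken))

    fixed = build_rules(BLOCKLIST, hooks)
    print("fixed order  ->", first_match(delivery_ip, fixed))
    for line in ufw_lines(fixed):
        print(line)
```

Running it shows the delivery address landing on DROP in the original order and on ALLOW after the carve-out, followed by the ufw commands in the order they would have to be inserted. The same carve-out applied to the CIDR list before it is written into `before.rules` is the generalised form of the fix described above.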