
Re: Antwort: iptables and apt-get

Hello Thomas,

Problem solved.

You were quite right.  Apt defaults to passive so I added a bit to
apt.conf like this:-

  Retries "0";
  ftp {
        Timeout "120";
        Passive "false";
        Pipeline-Depth "2";
  };

Whether or not this is exactly correct I don't know (the syntax, I mean)
but apt now runs quite happily.  So I had all the other things, modules
etc, correct but was stumped by the passive bit.  Yet I could use ncftp in
passive mode.  I get very confused by all this.   : (

My script is based on a firewall by Brad Chapman, but his allowed only a
very few services so I have had to extend it quite considerably.  As I'm
still a beginner at iptables I am using a trial and error process and it
may be weeks yet before I am confident with it.  But at that point I
intend to post it here for comments.

Instead of having one "-m state" rule Brad has a separate one for each
service.  I have followed his lead without quite knowing just what is
gained.  Maybe it limits what an intruder can do if he does get into the

The script will be used for my little network at home, for three small
businesses and for three schools.  So it needs to be fairly robust.  It
surprises me that such scripts are in very short supply on the Internet.
Or at least I have had very little success in finding a good one that is
simple to understand.

So I am indebted to you for your support and very much appreciate the
help.  Thanks also to Michael Wood and Raffael Ferenc for their

grandfather, ex pilot and Linux enthusiast

On Mon, 10 Sep 2001 Thomas.Sudbrak@stockhausen.com wrote:

> Hello Lindsay,
> the problem is, as far as I know, that with passive ftp the client and
> server negotiate some port numbers over the already established control
> channel (port 21) and then start the data connection using these ports
> previously agreed upon.  So you cannot really set up an explicit firewall
> rule for passive ftp.
> The iptables mechanism provides a solution to this problem.  I assume that
> you are using kernel-2.4.x from the output of your log.  Make sure that the
> following module is loaded into the kernel:
>      ip_conntrack_ftp
> and then add the following statement to the list of your rules:
>      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>      iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> which enables all packets belonging to established connections (e.g. all
> TCP packets except the very first sync packet, packets answering DNS
> requests, ICMP host unreachable ...) and also packets which are related to
> established connections (e.g. ftp data packets).  The kernel nicely keeps
> track of all connections, provided this support is compiled in or loaded as
> a module, and can also handle ftp data packets if the above mentioned
> module ip_conntrack_ftp is loaded.  As ftp has to be dealt with in a
> special way when it comes to address translation, the module ip_nat_ftp
> also has to be loaded if you want to do some NAT (redirection, explicit
> NAT, masquerading).
> Hope this helps.
> Thomas
> Lindsay Allen <allen@cleo.murdoch.edu.au>@elm.cbcfreo.wa.edu.au> on
> 09.09.2001 04:33:03
> Sent by:  Lindsay Allen <allen@elm.cbcfreo.wa.edu.au>
> To:    <debian-firewall@lists.debian.org>
> Cc:
> Subject: iptables and apt-get
> Hello all,
> My home-brew iptables firewall has a problem with apt-get using the ftp
> method.  I get this sort of thing in the log:-
> Sep  9 10:19:21 elm kernel: OUTPUT_DENY_ALL:IN= OUT=ppp0 SRC=
> DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=3299
> DPT=51738 WINDOW=5840 RES=0x00 SYN URGP=0
> As you can see the packet to the mirror has
>    SPT     3299
>    DPT  51738
> neither of which is a well known port.
> I can use ncftp ok with passive set either on or off.  So just what is
> happening here?  The port numbers change with each invocation of
> apt-get, so a specific rule is not possible.  How can I fix it?
> Any help will be much appreciated.
> Lindsay


Lindsay Allen   <allen@cleo.murdoch.edu.au>    Perth, Western Australia
voice +61 8 9316 2486, 0403 272 564   32.0125S 115.8445E   Debian Linux
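A minimal stateful rule set built around the ESTABLISHED,RELATED rules and the ip_conntrack_ftp helper discussed in the quoted reply, added here as an example; it is neither the poster's script nor Brad Chapman's. It assumes a ppp0 uplink, the 2.4-era module names ip_conntrack_ftp and ip_nat_ftp, and an environment variable RULES_ONLY (an assumed convention of this example) that prints the commands instead of running them, so the rule list can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the poster's script): stateful rules for one host on a
# ppp0 uplink. Assumed: interface name, 2.4 module names, RULES_ONLY dry run.
IFACE="${IFACE:-ppp0}"
# ipt prints the rule when RULES_ONLY=1 (review without root), else runs it.
ipt() {
    if [ "${RULES_ONLY:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

load_helpers() {
    # ftp helper reads PORT/PASV on the port 21 control channel, so the
    # data connection is classified RELATED instead of NEW.
    [ "${RULES_ONLY:-0}" = "1" ] && return 0
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp    # only needed when this box does NAT/masquerading
}

build_rules() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Stateful core. -j ACCEPT is required: a -m state rule without a
    # target matches but does nothing.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NEW connections out only for needed services; no extra ftp data rule.
    for port in 21 80 53; do
        ipt -A OUTPUT -o "$IFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    ipt -A OUTPUT -o "$IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT
    # Log what the DROP policies discard (source of the OUTPUT_DENY_ALL line).
    ipt -A INPUT -j LOG --log-prefix "INPUT_DENY_ALL:"
    ipt -A OUTPUT -j LOG --log-prefix "OUTPUT_DENY_ALL:"
}

# Number of emitted rules that accept ESTABLISHED,RELATED (expect 2).
count_state_accepts() {
    RULES_ONLY=1 build_rules | grep -c -- '--state ESTABLISHED,RELATED -j ACCEPT'
}
# "sh fw.sh apply" installs as root; "RULES_ONLY=1 sh fw.sh apply" prints.
if [ "${1:-}" = "apply" ]; then
    load_helpers
    build_rules
fi
```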
