
Re: iptables and apt



On Thu, 22 Nov 2001, Jan Tammen wrote:

> Hi,
> I set up the following rules to allow ftp with my iptables-based
> packetfilter:
>
> iptables -A INPUT -i $PPP_IFACE -p tcp ! --syn --sport 20 --dport \
> $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i $PPP_IFACE -p tcp ! --syn --sport 21 --dport \
> $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i $PPP_IFACE -p tcp ! --syn --dport 20 -j ACCEPT
> iptables -A INPUT -i $PPP_IFACE -p tcp --dport 21 -j ACCEPT
>
> Where PPP_IFACE is my external interface and UNPRIVPORTS = 1024:65535.
> Trying to update my box via apt-get (on the 'firewall'-host), the
> connection to the server is not established and I get these errors:

(You'd better use HTTP, as someone else has already noted)

>
> IN=ippp0 OUT= MAC= SRC=141.76.2.4 DST=217.224.116.100 LEN=60 TOS=0x00 \
> PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=48685 DPT=1141 WINDOW=5712 \
> RES=0x00 ACK SYN URGP=0
> ...
>
> What to do?

Have you loaded the ftp masquerading module?

That module tracks ftp control connections and allows the relevant data
connections. Without it you can't use outgoing active-mode ftp, and have to
use passive-mode ftp.

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
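What the ftp helper module (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on current ones) actually does, as an added example that is not part of the thread: a toy Python model of connection tracking with and without the helper, run against the two filter styles discussed above (the posted rules that only accept RELATED/ESTABLISHED traffic from source port 20/21, and a plain `--state RELATED,ESTABLISHED` accept). The control-channel lines, the client's control port 1140 and the `PORT` command are constructed for the example; the only real input is the LOG line from the original post, whose server port 48685 is exactly what a `227 ... (141,76,2,4,190,45)` passive reply decodes to (190*256+45).

```python
"""Toy model of the FTP connection-tracking helper and of two iptables INPUT
policies.  Added example, not code from the thread; hosts, ports and FTP
control lines are constructed except for LOG_LINE, which is the real log
entry quoted in the original post."""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src dst spt dpt syn ack")

# Real LOG line from the original post: an inbound SYN/ACK on the ppp link.
LOG_LINE = ("IN=ippp0 OUT= MAC= SRC=141.76.2.4 DST=217.224.116.100 LEN=60 TOS=0x00 "
            "PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=48685 DPT=1141 WINDOW=5712 "
            "RES=0x00 ACK SYN URGP=0")

CLIENT, SERVER = "217.224.116.100", "141.76.2.4"   # the two hosts in LOG_LINE


def parse_log(line):
    """Turn an iptables LOG line into a Packet (keys with empty values are skipped)."""
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    flags = set(re.findall(r"\b(SYN|ACK|FIN|RST)\b", line))
    return Packet(kv["SRC"], kv["DST"], int(kv["SPT"]), int(kv["DPT"]),
                  "SYN" in flags, "ACK" in flags)


PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _hostport(groups):
    """Decode FTP's h1,h2,h3,h4,p1,p2 address/port encoding."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


class Conntrack:
    """Minimal state table: tracked flows plus 'expectations' the helper adds."""

    def __init__(self, ftp_helper):
        self.ftp_helper = ftp_helper
        self.flows = set()    # 4-tuples, stored in both directions
        self.expect = []      # (src, dst, sport, dport); None is a wildcard

    def _track(self, p):
        self.flows.add((p.src, p.dst, p.spt, p.dpt))
        self.flows.add((p.dst, p.src, p.dpt, p.spt))

    def control(self, client, server, line):
        """Feed one FTP control-channel line; only the helper inspects it."""
        if not self.ftp_helper:
            return
        m = PORT_RE.match(line)
        if m:   # active mode: the server will connect from port 20 to the client's port
            host, port = _hostport(m.groups())
            self.expect.append((server, host, 20, port))
        m = PASV_RE.match(line)
        if m:   # passive mode: the client will connect from any port to the server's port
            host, port = _hostport(m.groups())
            self.expect.append((client, host, None, port))

    def state(self, p):
        """Return the -m state classification of a packet, updating the table."""
        key = (p.src, p.dst, p.spt, p.dpt)
        if key in self.flows:
            return "ESTABLISHED"
        for e in list(self.expect):
            if all(v is None or v == w for v, w in zip(e, key)):
                self.expect.remove(e)
                self._track(p)
                return "RELATED"
        if p.syn and not p.ack:
            self._track(p)
            return "NEW"
        return "INVALID"


def posted_rules_accept(p, state):
    """The INPUT rules quoted in the thread, for packets arriving on the ppp link."""
    not_syn = not (p.syn and not p.ack)                    # iptables '! --syn'
    if state in ("RELATED", "ESTABLISHED") and not_syn and p.spt in (20, 21) \
            and 1024 <= p.dpt <= 65535:
        return True
    if p.dpt == 20 and not_syn:
        return True
    return p.dpt == 21


def generic_rule_accept(p, state):
    """A single '-m state --state RELATED,ESTABLISHED -j ACCEPT' rule."""
    return state in ("RELATED", "ESTABLISHED")


def active_mode(ftp_helper):
    """Active FTP: client announces 1141 via PORT, server connects to it from port 20.
    Returns (state of the inbound data SYN, accepted by the generic rule?)."""
    ct = Conntrack(ftp_helper)
    ct.state(Packet(CLIENT, SERVER, 1140, 21, True, False))     # control connection
    ct.control(CLIENT, SERVER, "PORT 217,224,116,100,4,117")    # constructed: 4*256+117
    syn = Packet(SERVER, CLIENT, 20, 1141, True, False)          # server opens data conn
    st = ct.state(syn)
    return st, generic_rule_accept(syn, st)


def passive_mode(ftp_helper):
    """Passive FTP reconstructed around LOG_LINE: server announces 48685, client sends a
    SYN to it, the logged packet is the server's SYN/ACK.  Returns (state of the outbound
    SYN, state of the SYN/ACK, accepted by posted rules?, accepted by generic rule?)."""
    ct = Conntrack(ftp_helper)
    ct.state(Packet(CLIENT, SERVER, 1140, 21, True, False))
    ct.control(CLIENT, SERVER, "227 Entering Passive Mode (141,76,2,4,190,45)")  # constructed
    syn_state = ct.state(Packet(CLIENT, SERVER, 1141, 48685, True, False))
    synack = parse_log(LOG_LINE)
    st = ct.state(synack)
    return syn_state, st, posted_rules_accept(synack, st), generic_rule_accept(synack, st)


if __name__ == "__main__":
    for helper in (False, True):
        print("helper loaded:", helper, "active:", active_mode(helper),
              "passive:", passive_mode(helper))
```

Running it shows the two separate points: without the helper an inbound active-mode data SYN is classified NEW, so even a plain RELATED,ESTABLISHED rule drops it, which is why the helper is required for active mode; the logged passive-mode SYN/ACK, on the other hand, is ESTABLISHED with or without the helper and is dropped only because the quoted rules insist on `--sport 20` or `21`. Loading the helper (`modprobe ip_conntrack_ftp`) and accepting `-m state --state RELATED,ESTABLISHED` without the source-port restriction covers both modes.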



