
Re: iptables and apt-get




Hi there
On Tuesday 11 March 2003 15:48, Ian Goodall wrote:
> All is fine now. Adding the line:
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> fixes the problem. Does anyone know what this line does? I found this using
> an online script generator at http://www.iptables.1go.dk/index1.php.

You are probably using some ftp server in your sources.list, and probably 
you are using the so-called active ftp. In this kind of connection the server 
itself initiates the data transfer connection with the client host (so SYNs 
are sent directly from server to client, and in a firewalled environment 
they are dropped).

The added rule takes care of this kind of connection, telling iptables that 
SYNs sent from the ftp server to the client host are related to an 
established ftp connection opened from the client host to the server and 
should be permitted (even when they come with a SYN request from the server) 
(it acts like a state module (somehow related to the ip_masq modules for ftp, 
quake or irc) that ensures that this kind of connection (which uses a range of 
ports higher than 1023, but not assigned until the connection is established)) 

I hope it helps, excuse my English, and have a look at the Netfilter Howto; any 
good page about ftp servers in firewalled environments will help too. Have a 
look at:
 
http://slacksite.com/other/ftp.html

And if you are very very interested you can always look for the ftp rfc.

>
> Thanks for all your help. This is the sort of thing that this list should
> be used for instead of debating what should be on it / other spam :)
> ----- Original Message -----


Kind Regards
Victor


> From: "I.R.van Dongen" <vdongen@hetisw.nl>
> To: "Ian Goodall" <ijg@iangoodall.co.uk>
> Cc: <debian-security@lists.debian.org>
> Sent: Tuesday, March 11, 2003 12:59 PM
> Subject: Re: iptables and apt-get
>
> > iptables -A OUTPUT -p tcp -d <mirror>/32 --dport 80 -j ACCEPT
> >
> > On Tue, 11 Mar 2003 00:45:48 -0000
> >
> > "Ian Goodall" <ijg@iangoodall.co.uk> wrote:
> > > Hi Guys,
> > >
> > > I am setting up iptables on my debian woody box. I have decided to
> > > close
>
> everything and then open up just ssh and ssl. This obviously prevents my
> apt-get update from working. What ports do I need to open for this to work.
> If it helps I am going through a proxy to get to the internet.
>
> > > Thanks
> > >
> > > ijg0
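The two rulesets discussed in this thread, side by side, as an added example that is not part of the original messages: the "close everything, open only ssh and ssl" INPUT policy from the question, and a stateful version with the ESTABLISHED,RELATED rule from the follow-up. The proxy address 192.0.2.10 and port 3128 are constructed placeholders; the FTP conntrack helper module names (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on newer ones) are assumptions about the running kernel, not values from the thread.

```shell
#!/bin/sh
# Emits iptables-restore style rulesets so they can be reviewed before loading.
PROXY="192.0.2.10"   # constructed placeholder for the apt proxy
PROXY_PORT="3128"    # constructed placeholder

# Ruleset as described in the original question: default DROP, only ssh and
# https accepted inbound. Reply packets to connections this host opens
# (apt-get via the proxy) arrive on INPUT, match nothing, and are dropped.
gen_weak_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Stateful ruleset: ESTABLISHED accepts replies to the box's own outbound
# connections; RELATED accepts server-initiated active-FTP data connections
# once the FTP helper has parsed the PORT command on the control channel.
gen_stateful_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -d ${PROXY}/32 --dport ${PROXY_PORT} -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Count rules that rely on connection tracking in a given ruleset.
count_state_rules() {
    "$1" | grep -c -- '--state ESTABLISHED,RELATED'
}

# Load the FTP helper (module name depends on kernel) and apply the ruleset.
# Only runs when explicitly asked for, so the script is safe to source/review.
if [ "$1" = "--apply" ]; then
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    gen_stateful_rules | iptables-restore
fi
```

Run with `sh rules.sh` to print nothing and `sh rules.sh --apply` (as root) to load the stateful ruleset; diff `gen_weak_rules` against `gen_stateful_rules` to see exactly which lines the thread's fix adds.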