Re: iptables and apt-get
Hi there
On Tuesday 11 March 2003 15:48, Ian Goodall wrote:
> All is fine now. Adding the line:
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> fixes the problem. Does anyone know what this line does? I found this using
> an online script generator at http://www.iptables.1go.dk/index1.php.
You are probably using some ftp server in your sources.list, and probably
you are using the so-called active ftp. In this kind of connection the server
itself initiates the data transfer connection with the client host (so SYNs
are sent directly from server to client, and in a firewalled environment
they are dropped).
The added rule takes care of this kind of connection, telling iptables that
SYNs sent from the ftp server to the client host are related to an
established ftp connection opened from the client host to the server and
should be permitted (even when they come with a SYN request from the server)
(it acts like a state module (somehow related to the ip_masq modules for ftp,
quake or irc) that ensures that this kind of connection (that uses a range of
ports higher than 1023, but not assigned until the connection is established)
I hope it helps, excuse my English and have a look at the Netfilter Howto; any
good page about ftp servers in firewalled environments will help too. Have a
look at:
http://slacksite.com/other/ftp.html
And if you are very very interested you can always look for the ftp RFC.
>
> Thanks for all your help. This is the sort of thing that this list should
> be used for instead of debating what should be on it / other spam :)
> ----- Original Message -----
Kind Regards
Victor
> From: "I.R.van Dongen" <vdongen@hetisw.nl>
> To: "Ian Goodall" <ijg@iangoodall.co.uk>
> Cc: <debian-security@lists.debian.org>
> Sent: Tuesday, March 11, 2003 12:59 PM
> Subject: Re: iptables and apt-get
>
> > iptables -A OUTPUT -p tcp -d <mirror>/32 --dport 80 -j ACCEPT
> >
> > On Tue, 11 Mar 2003 00:45:48 -0000
> >
> > "Ian Goodall" <ijg@iangoodall.co.uk> wrote:
> > > Hi Guys,
> > >
> > > I am setting up iptables on my debian woody box. I have decided to
> > > close everything and then open up just ssh and ssl. This obviously
> > > prevents my apt-get update from working. What ports do I need to open
> > > for this to work. If it helps I am going through a proxy to get to the
> > > internet.
> > >
> > > Thanks
> > >
> > > ijg0
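As an added illustration that is not part of the thread, here is a toy Python model of netfilter connection tracking (with an ip_conntrack_ftp-style PORT helper) and an INPUT chain with the policy Ian describes. It shows the server-initiated data SYN of active ftp being dropped without the state rule and accepted as RELATED with it, as Victor explains, and also the plainer case of a mirror's reply packets being ESTABLISHED; the addresses, ports and the PORT line are constructed.

```python
# Toy model of netfilter conntrack + INPUT chain (constructed example, not real netfilter code)
import re

HOST = "192.0.2.10"   # the firewalled apt-get client (constructed address)
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

class Conntrack:
    """Remembers flows and, like the FTP helper, expects announced data connections."""
    def __init__(self):
        self.flows = set()      # (src, sport, dst, dport), stored in both directions
        self.expected = set()   # (server_ip, client_ip, client_port) learned from PORT

    def state(self, src, sport, dst, dport):
        if (src, sport, dst, dport) in self.flows:
            return "ESTABLISHED"
        if (src, dst, dport) in self.expected:
            return "RELATED"          # server-initiated SYN that a PORT command announced
        return "NEW"

    def note(self, src, sport, dst, dport, payload=b""):
        """Record a packet's flow; parse a PORT command seen on the control channel."""
        self.flows.add((src, sport, dst, dport))
        self.flows.add((dst, dport, src, sport))
        self.expected.discard((src, dst, dport))
        m = PORT_RE.search(payload) if dport == 21 else None
        if m:
            client_ip = ".".join(m.group(i).decode() for i in range(1, 5))
            client_port = int(m.group(5)) * 256 + int(m.group(6))
            self.expected.add((dst, client_ip, client_port))

def input_chain(ct, src, sport, dst, dport, state_rule):
    """Ian's policy: drop everything, accept ssh and ssl; state_rule adds the ESTABLISHED,RELATED rule."""
    st = ct.state(src, sport, dst, dport)
    ok = (state_rule and st != "NEW") or (st == "NEW" and dport in (22, 443))
    if ok:
        ct.note(src, sport, dst, dport)
    return ("ACCEPT" if ok else "DROP"), st

def active_ftp(state_rule):
    """Client opens the control channel, sends PORT, server connects back from port 20."""
    ct, srv = Conntrack(), "198.51.100.5"
    ct.note(HOST, 40000, srv, 21)                               # our outbound control SYN
    ct.note(HOST, 40000, srv, 21, b"PORT 192,0,2,10,4,1\r\n")  # we offer port 4*256+1 = 1025
    return input_chain(ct, srv, 20, HOST, 1025, state_rule)

def http_reply(state_rule):
    """HTTP mirror: only the reply to our own SYN ever arrives on INPUT."""
    ct, mirror = Conntrack(), "203.0.113.7"
    ct.note(HOST, 40001, mirror, 80)                            # our outbound SYN to the mirror
    return input_chain(ct, mirror, 80, HOST, 40001, state_rule)
```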