On Thu, 22 Nov 2001, Jan Tammen wrote:

> Hi,
> I set up the following rules to allow ftp with my iptables-based
> packetfilter:
>
> iptables -A INPUT -i $PPP_IFACE -p tcp ! --syn --sport 20 --dport \
>   $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i $PPP_IFACE -p tcp ! --syn --sport 21 --dport \
>   $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i $PPP_IFACE -p tcp ! --syn --dport 20 -j ACCEPT
> iptables -A INPUT -i $PPP_IFACE -p tcp --dport 21 -j ACCEPT
>
> Where PPP_IFACE is my external interface and UNPRIVPORTS = 1024:65535.
> Trying to update my box via apt-get (on the 'firewall'-host), the
> connection to the server is not established and I get these errors:

(You'd better use HTTP, as someone else has already noted)

> IN=ippp0 OUT= MAC= SRC=141.76.2.4 DST=217.224.116.100 LEN=60 TOS=0x00 \
>   PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=48685 DPT=1141 WINDOW=5712 \
>   RES=0x00 ACK SYN URGP=0
> ...
>
> What to do?

Have you loaded the ftp masquerading module? That module tracks ftp
control connections and allows the related data connections. Without it
you can't use outgoing active-mode ftp, and have to use passive-mode ftp.

-- 
Tzafrir Cohen
mailto:[EMAIL PROTECTED]
http://www.technion.ac.il/~tzafrir
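The following is an added example, not part of the thread above and not code from either poster. It replays the quoted LOG record (and one constructed active-mode data SYN from server port 20) against a model of the posted INPUT rules, then against a plain conntrack-driven rule set. The conntrack state of each packet is an assumption made in the code: the SYN/ACK from port 48685 is taken as ESTABLISHED (conntrack saw the box's own outgoing SYN leave), and the port-20 SYN is taken as RELATED only when the ftp helper is loaded, NEW otherwise. Two things the model makes visible: the posted rules accept only source ports 20 and 21, so the logged packet matches nothing and falls through to the LOG/DROP; and the `! --syn` on the state rules would also reject the opening SYN of an active-mode data connection even after the helper marks it RELATED, which is the one case RELATED exists for.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed inputs. PASSIVE_SYNACK is the LOG record quoted in the post;
# ACTIVE_SYN is a made-up opening SYN of an active-mode data connection
# (server port 20 -> client high port), which only the ftp helper can
# associate with the control connection.
PASSIVE_SYNACK = ("IN=ippp0 OUT= MAC= SRC=141.76.2.4 DST=217.224.116.100 LEN=60 "
                  "TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=48685 DPT=1141 "
                  "WINDOW=5712 RES=0x00 ACK SYN URGP=0")
ACTIVE_SYN = ("IN=ippp0 OUT= MAC= SRC=141.76.2.4 DST=217.224.116.100 LEN=60 "
              "TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=20 DPT=1142 "
              "WINDOW=5712 RES=0x00 SYN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
UNPRIVPORTS = (1024, 65535)
REL_EST = frozenset({"RELATED", "ESTABLISHED"})


def parse_log(line):
    """Split an iptables LOG record into KEY=VALUE fields plus the bare TCP flag words."""
    rec = {"flags": set()}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    for key in ("SPT", "DPT", "LEN", "TTL"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def is_syn_packet(pkt):
    """iptables --syn: SYN set and ACK, RST, FIN all clear."""
    flags = pkt["flags"]
    return "SYN" in flags and not (flags & {"ACK", "RST", "FIN"})


@dataclass(frozen=True)
class Rule:
    """The subset of INPUT-chain matches used in the post; None means 'not specified'."""
    iface: str
    syn: Optional[bool] = None                  # True: --syn, False: ! --syn
    sport: Optional[int] = None                 # --sport N
    dport: Optional[Tuple[int, int]] = None     # --dport lo:hi
    states: FrozenSet[str] = frozenset()        # -m state --state A,B (empty: no state match)

    def matches(self, pkt, ct_state):
        if pkt.get("IN") != self.iface or pkt.get("PROTO") != "TCP":
            return False
        if self.syn is not None and is_syn_packet(pkt) != self.syn:
            return False
        if self.sport is not None and pkt["SPT"] != self.sport:
            return False
        if self.dport is not None and not (self.dport[0] <= pkt["DPT"] <= self.dport[1]):
            return False
        if self.states and ct_state not in self.states:
            return False
        return True


def first_match(rules, pkt, ct_state):
    """Index of the first ACCEPT rule the packet hits, or None if it falls through to LOG/DROP."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt, ct_state):
            return i
    return None


# The four rules from the post, in order.
POSTED = [
    Rule("ippp0", syn=False, sport=20, dport=UNPRIVPORTS, states=REL_EST),
    Rule("ippp0", syn=False, sport=21, dport=UNPRIVPORTS, states=REL_EST),
    Rule("ippp0", syn=False, dport=(20, 20)),
    Rule("ippp0", dport=(21, 21)),
]

# Replacement (an assumption of this example): let conntrack decide. Anything
# the tracker already knows (ESTABLISHED) or that the ftp helper has announced
# (RELATED) is accepted regardless of port and regardless of whether it is the
# opening SYN; new inbound connections are only allowed to the ftp control port.
STATEFUL = [
    Rule("ippp0", states=REL_EST),
    Rule("ippp0", dport=(21, 21)),
]


def evaluate(rules, line, ct_state):
    """Which ACCEPT rule (by index) a logged packet would hit given its assumed conntrack state."""
    return first_match(rules, parse_log(line), ct_state)


if __name__ == "__main__":
    print("posted rules, logged SYN/ACK  :", evaluate(POSTED, PASSIVE_SYNACK, "ESTABLISHED"))
    print("posted rules, active SYN+helper:", evaluate(POSTED, ACTIVE_SYN, "RELATED"))
    print("stateful,     logged SYN/ACK  :", evaluate(STATEFUL, PASSIVE_SYNACK, "ESTABLISHED"))
    print("stateful,     active SYN+helper:", evaluate(STATEFUL, ACTIVE_SYN, "RELATED"))
    print("stateful,     active SYN, no helper:", evaluate(STATEFUL, ACTIVE_SYN, "NEW"))
```

The RELATED state is produced only if the ftp helper is tracking the control connection: on the 2.4 kernels of the post's era that is `modprobe ip_conntrack_ftp`, on current kernels `nf_conntrack_ftp`, and since Linux 4.7 the helper is no longer attached to flows automatically, so it also needs a `-t raw ... -p tcp --dport 21 -j CT --helper ftp` rule (or the legacy `net.netfilter.nf_conntrack_helper=1` sysctl). Without the helper the model reports the port-20 SYN as NEW and drops it, which is the failure the reply describes.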

