[aklug] Iptables Philosophy

From: Christopher Howard <choward@indicium.us>
Date: Mon Jul 19 2010 - 20:40:03 AKDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've been working through an Iptables issue, and I found a solution, but
it doesn't seem quite right.

My problem was that I couldn't use FTP. More specifically, my Gentoo
package management system uses passive FTP to pull in some packages.
(I.e. source code.) I implement a DROP first, ask questions later
approach on the INPUT chain, and I've been stricter than I have been in
the past, so it is understandable that I'd need to open some more ports.

Then, I find out (thanks to a very helpful document at
http://slacksite.com/other/ftp.html) that for whatever weird reason,
allowing FTP is twice as complicated as allowing anything else. Because
of the random ports and the back and forth, I end up finally having to
add these two rules to make it work:

-A INPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Even though these are already ESTABLISHED connections, it just doesn't
quite please me. Basically, to make one service (passive FTP) work, I
have to allow any remote source port from 1024:65535 to have an
established connection to any local destination port from 1024:65535.

I mean, if I'm going to allow all that anyway, why don't I just have one
rule like so

-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT

and say that all ESTABLISHED connections are okay?

--
Christopher Howard
frigidcode.com
theologia.indicium.us
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxFKKIACgkQQ5FLNdi0BcW2KACfTuVtwce7G/MiI9nWhr5IyPu9
LGQAoJZW3pTHWTQ+ovX6EQczHEp4r7ms
=8T6K
-----END PGP SIGNATURE-----
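Added example (not part of the original post or of the aklug archive): a toy model of how conntrack's ESTABLISHED state interacts with the two port-range rules quoted above versus the single ESTABLISHED rule proposed at the end. The tracker, the addresses (from the documentation ranges) and the packet sequence are constructed for illustration; real nf_conntrack is considerably more involved. The model plays out a passive FTP session (control connection to port 21, then a client-initiated data connection to a high server port), an ordinary HTTP reply, and an unsolicited inbound packet to a high port, and records what each rule set would do on INPUT.

```python
"""Toy model of iptables '-m state --state ESTABLISHED' against the
port-range rules from the post. Constructed example, not netfilter code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = would traverse INPUT, "out" = would traverse OUTPUT
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(pkt):
    """Normalise the 4-tuple so both directions of one TCP flow share a key."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class ConnTracker:
    """Minimal stand-in for conntrack: an outbound packet opens a tracked flow;
    any later packet of the same flow (the reply included) is ESTABLISHED,
    anything else is NEW."""

    def __init__(self):
        self.table = set()

    def see(self, pkt):
        if pkt.direction == "out":          # OUTPUT is assumed to be permissive
            self.table.add(flow_key(pkt))

    def state(self, pkt):
        return "ESTABLISHED" if flow_key(pkt) in self.table else "NEW"


def in_range(port, lo, hi):
    return lo <= port <= hi


def author_rules(pkt, state):
    """The two INPUT rules quoted in the post."""
    if state != "ESTABLISHED":
        return False
    # -A INPUT -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    if pkt.sport == 21 and in_range(pkt.dport, 1024, 65535):
        return True
    # -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    if in_range(pkt.sport, 1024, 65535) and in_range(pkt.dport, 1024, 65535):
        return True
    return False


def single_rule(pkt, state):
    """-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT"""
    return state == "ESTABLISHED"


def run_scenario():
    """Return, per inbound packet, its conntrack state and each rule set's verdict."""
    client, server, stranger = "192.0.2.10", "198.51.100.7", "203.0.113.9"  # constructed
    traffic = [
        # name, outbound packet that opens the flow (or None), inbound packet to judge
        ("ftp-control-reply",
         Packet("out", client, 40000, server, 21), Packet("in", server, 21, client, 40000)),
        ("ftp-data-reply (PASV)",
         Packet("out", client, 40001, server, 50123), Packet("in", server, 50123, client, 40001)),
        ("http-reply",
         Packet("out", client, 40002, server, 80), Packet("in", server, 80, client, 40002)),
        ("unsolicited high port",
         None, Packet("in", stranger, 4444, client, 5555)),
    ]
    tracker = ConnTracker()
    results = {}
    for name, outbound, inbound in traffic:
        if outbound is not None:
            tracker.see(outbound)
        st = tracker.state(inbound)
        results[name] = {
            "state": st,
            "author_rules": author_rules(inbound, st),
            "single_rule": single_rule(inbound, st),
        }
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24} {verdict}")
```

In the model both rule sets accept the two FTP replies and both drop the unsolicited packet, because the ESTABLISHED match already requires the flow to exist in the tracking table before any port range is consulted. The HTTP reply (source port 80) is where they diverge: it falls outside both port ranges, so the two quoted rules drop it while the single ESTABLISHED rule accepts it. As a side note for the FTP case specifically, loading the FTP conntrack helper (nf_conntrack_ftp) lets netfilter classify the PASV data connection as RELATED, which is what the common `--state ESTABLISHED,RELATED` rule relies on.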
Received on Mon Jul 19 20:41:51 2010

This archive was generated by hypermail 2.1.8 : Mon Jul 19 2010 - 20:41:51 AKDT