From: Noah Slater <nslater@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Problem with APT-GET (ftp) and iptables
Date: Thu, 23 Dec 2004 17:59:21 +0000
Message-ID: <9ea1c1180412230959363e647c@mail.gmail.com>

Hello,

I have a question regarding iptables and apt-get. I have a shell
script which is included at the bottom of this email which sets up
iptables for me. The only problem is that it is not managing to track
apt-get's ftp connections and prevents me from using it. I have
included a tail of /var/log/messages and the output when I try to run
apt-get.

It seems to be failing to let ftp connections back into my box.

I would be more than appreciative if someone could point out where I
am going wrong.

Thank you very much,
Noah Slater


----------------------------------------------------------------------
root@achilles:/home/noah $ apt-get update
Get:1 ftp://mirror.bytemark.co.uk stable/main Packages
Hit http://security.debian.org stable/updates/main Packages
Hit http://security.debian.org stable/updates/main Release
Hit http://security.debian.org stable/updates/contrib Packages
Hit http://security.debian.org stable/updates/contrib Release
30% [1 Packages 0]
----------------------------------------------------------------------

(At this point it indefinitely hangs...)

----------------------------------------------------------------------
tail /var/log/messages
----------------------------------------------------------------------
Dec 23 17:45:18 achilles kernel: conntrack_ftp: partial 227  2850985299+27
Dec 23 17:45:18 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16672 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:21 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16673 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:23 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=40928 DF PROTO=TCP SPT=53782 DPT=1217 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:27 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16674 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:39 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16675 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:47 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=40929 DF PROTO=TCP SPT=53782 DPT=1217 WINDOW=5840 RES=0x00 SYN URGP=0
----------------------------------------------------------------------


----------------------------------------------------------------------
FILE: iptables-setup
----------------------------------------------------------------------
#! /bin/sh

IPTABLES=/sbin/iptables
test -x $IPTABLES || exit 5

echo -n "Loading packet filters... "

# Flush old rules and chains

    $IPTABLES --flush
    $IPTABLES --delete-chain

# Set default deny policies

    $IPTABLES -P INPUT   DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT  DROP

# Give free rein to loopback interfaces

    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

# Rudimentary anti-IP-spoofing drops

    $IPTABLES -A INPUT -s 255.0.0.0/8    -j LOG  --log-prefix "Spoofed source IP!"
    $IPTABLES -A INPUT -s 255.0.0.0/8    -j DROP
    $IPTABLES -A INPUT -s 0.0.0.0/8      -j LOG  --log-prefix "Spoofed source IP!"
    $IPTABLES -A INPUT -s 0.0.0.0/8      -j DROP
    $IPTABLES -A INPUT -s 127.0.0.0/8    -j LOG  --log-prefix "Spoofed source IP!"
    $IPTABLES -A INPUT -s 127.0.0.0/8    -j DROP
    $IPTABLES -A INPUT -s 192.168.0.0/16 -j LOG  --log-prefix "Spoofed source IP!"
    $IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
    $IPTABLES -A INPUT -s 172.16.0.0/12  -j LOG  --log-prefix "Spoofed source IP!"
    $IPTABLES -A INPUT -s 172.16.0.0/12  -j DROP
    $IPTABLES -A INPUT -s 10.0.0.0/8     -j LOG  --log-prefix "Spoofed source IP!"
    $IPTABLES -A INPUT -s 10.0.0.0/8     -j DROP
    $IPTABLES -A INPUT -s 80.68.88.7     -j LOG  --log-prefix "Spoofed our IP!"
    $IPTABLES -A INPUT -s 80.68.88.7     -j DROP

# Tell netfilter all TCP sessions begin with SYN

    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan attempt?"
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# INBOUND Policy

        # Accept inbound packets that are part of previously accepted sessions
        $IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

        # Accept inbound packets which initiate SSH sessions
        $IPTABLES -A INPUT -p tcp -j ACCEPT --dport 22 -m state --state NEW

        # Log anything not accepted above
        $IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default:"

# OUTBOUND Policy

        # If it's part of an approved connection, let it out
        $IPTABLES -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

        # Allow outbound packets which initiate HTTP sessions
        $IPTABLES -A OUTPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW

        # Allow outbound packets which initiate FTP sessions
        $IPTABLES -A OUTPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW

        # Allow outbound DNS queries to resolve IPs
        $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

        # Log anything not accepted above
        $IPTABLES -A OUTPUT -j LOG --log-prefix "Dropped by default:"

echo "Done!"
----------------------------------------------------------------------
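As an added example, not part of the original post or of the netfilter project: a small shell script that reads the kernel log lines quoted above (embedded here as a constructed copy, each entry joined onto one line) and reduces them to the distinct inbound flows the firewall dropped, alongside a count of the conntrack_ftp "partial" reports. Read this way, the drops are connection attempts from the FTP mirror back to high ports on the poster's host, which is exactly what the ESTABLISHED,RELATED rule would have to match for an FTP data channel to get through.

```shell
#!/bin/sh
# Added example (not from the original post): summarise iptables LOG entries
# like the ones in the e-mail as flows instead of individual kernel lines.
# SAMPLE_LOG is a constructed copy of the lines quoted in the post.
SAMPLE_LOG='Dec 23 17:45:18 achilles kernel: conntrack_ftp: partial 227  2850985299+27
Dec 23 17:45:18 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16672 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:21 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16673 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:23 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=40928 DF PROTO=TCP SPT=53782 DPT=1217 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:27 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16674 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:39 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16675 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:47 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=40929 DF PROTO=TCP SPT=53782 DPT=1217 WINDOW=5840 RES=0x00 SYN URGP=0'

# Count the FTP conntrack helper's "partial" reports: each one means the
# helper could not parse a complete command/reply on the control channel.
ftp_helper_partials() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c 'conntrack_ftp: partial'
}

# Print one line per distinct dropped flow: "<count> SRC:SPT -> DST:DPT PROTO".
# Only packets carrying the SYN flag (new connection attempts) are counted.
dropped_flows() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /Dropped by default:/ {
            src = dst = proto = spt = dpt = ""; syn = 0
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n == 2 && kv[1] == "SRC") src = kv[2]
                else if (n == 2 && kv[1] == "DST") dst = kv[2]
                else if (n == 2 && kv[1] == "PROTO") proto = kv[2]
                else if (n == 2 && kv[1] == "SPT") spt = kv[2]
                else if (n == 2 && kv[1] == "DPT") dpt = kv[2]
                else if ($i == "SYN") syn = 1
            }
            if (syn) count[src ":" spt " -> " dst ":" dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' | sort
}

echo "conntrack_ftp partial reports: $(ftp_helper_partials)"
dropped_flows
```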

