Hi there
On Tuesday 11 March 2003 15:48, Ian Goodall wrote:
> All is fine now. Adding the line:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> fixes the problem. Does anyone know what this line does? I found this using
> an online script generator at http://www.iptables.1go.dk/index1.php.

You are probably using some ftp server in your sources.list, and probably 
you are using the so-called active ftp. In this kind of connection the server 
itself initiates the data transfer connection with the client host (so SYNs 
are sent directly from the server to the client, and in a firewalled environment 
they are dropped).

The added rule takes care of this kind of connection, telling iptables that 
SYNs sent from the ftp server to the client host are related to an 
established ftp connection opened from the client host to the server and 
should be permitted (even when they come with a SYN request from the server). 
(It acts like a state module (somehow related to the ip_masq modules for ftp, 
quake or irc) that ensures that this kind of connection (which uses a range of 
ports higher than 1023, but not assigned until the connection is established)

I hope it helps. Excuse my English, and have a look at the Netfilter Howto; any 
good page about ftp servers in firewalled environments will help too. Have a 
look at:

And if you are very, very interested you can always look for the ftp rfc.

> Thanks for all your help. This is the sort of thing that this list should
> be used for instead of debating what should be on it / other spam :)
Kind Regards
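
A toy model of what the reply above describes, added here as an illustration and not part of the original message: a connection tracker whose FTP helper reads the client's PORT command and marks the server's later data-connection SYN as RELATED. Class and function names are hypothetical, the addresses are constructed documentation addresses, and on a real kernel this needs the FTP conntrack helper module loaded.

```python
import re

# Active-FTP PORT command: four address bytes, then port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")

class ToyConntrack:
    """Simplified stand-in for netfilter connection tracking (illustration only)."""
    def __init__(self):
        self.established = set()  # (client_ip, client_port, server_ip, server_port)
        self.expected = set()     # (server_ip, client_ip, client_port) from PORT

    def outbound(self, src, sport, dst, dport, payload=""):
        """Packet leaving the client host; outbound traffic is assumed allowed."""
        self.established.add((src, sport, dst, dport))
        m = PORT_RE.match(payload)
        if dport == 21 and m:
            nums = [int(x) for x in m.groups()]
            ip = ".".join(str(n) for n in nums[:4])
            # Only trust a PORT that names the sender itself; otherwise the
            # helper could be steered into opening a path to another host.
            if all(n <= 255 for n in nums) and ip == src:
                self.expected.add((dst, ip, nums[4] * 256 + nums[5]))

    def classify(self, src, sport, dst, dport):
        """Conntrack state of a packet arriving at the client host."""
        if (dst, dport, src, sport) in self.established:
            return "ESTABLISHED"
        if (src, dst, dport) in self.expected:
            self.expected.discard((src, dst, dport))   # expectation is one-shot
            self.established.add((dst, dport, src, sport))
            return "RELATED"
        return "NEW"

def input_verdict(state, stateful_rule=True):
    """INPUT chain: the ESTABLISHED,RELATED accept rule, then a DROP policy."""
    if stateful_rule and state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    return "DROP"

if __name__ == "__main__":
    client, server = "192.0.2.10", "198.51.100.5"      # constructed addresses
    ct = ToyConntrack()
    ct.outbound(client, 40000, server, 21)             # control connection
    ct.outbound(client, 40000, server, 21, "PORT 192,0,2,10,156,65\r\n")
    state = ct.classify(server, 20, client, 40001)     # server's data SYN
    print(state, input_verdict(state))
```
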

