Okay, on a suggestion from "juaid" <[EMAIL PROTECTED]> I ran tcpdump while trying to do CPAN updates and this is what I found:
----------
16:52:18.366859 serpico.pcraft.com.35723 > cpan.in-span.net.ftp: S 216188088:216188088(0) win 5840 <mss 1460,sackOK,timestamp 15984811 0,nop,wscale 0> (DF)
16:52:18.438921 cpan.in-span.net.ftp > serpico.pcraft.com.35723: S 1476419810:1476419810(0) ack 216188089 win 24616 <nop,nop,timestamp 36469082 15984811,nop,wscale 0,nop,nop,sackOK,mss 1460> (DF)
16:52:18.439276 serpico.pcraft.com.35723 > cpan.in-span.net.ftp: . ack 1 win 5840 <nop,nop,timestamp 15984818 36469082> (DF)
16:52:18.721430 cpan.in-span.net.ftp > serpico.pcraft.com.35723: P 1:60(59) ack 1 win 24616 <nop,nop,timestamp 36469110 15984818> (DF)
16:52:18.721705 serpico.pcraft.com.35723 > cpan.in-span.net.ftp: . ack 60 win 5840 <nop,nop,timestamp 15984846 36469110> (DF)
16:52:18.797091 cpan.in-span.net.ftp > serpico.pcraft.com.35723: P 60:375(315) ack 1 win 24616 <nop,nop,timestamp 36469117 15984846> (DF)
16:54:04.988113 serpico.pcraft.com.35725 > cpan.in-span.net.ftp: P 106:128(22) ack 611 win 6432 <nop,nop,timestamp 15995473 36479736> (DF)
16:54:05.065606 cpan.in-span.net.ftp-data > serpico.pcraft.com.35726: S 2489762397:2489762397(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
16:54:05.157891 cpan.in-span.net.ftp > serpico.pcraft.com.35725: . ack 128 win 24616 <nop,nop,timestamp 36479754 15995473> (DF)
16:54:08.427859 cpan.in-span.net.ftp-data > serpico.pcraft.com.35726: S 2489762397:2489762397(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
16:54:15.177633 cpan.in-span.net.ftp-data > serpico.pcraft.com.35726: S 2489762397:2489762397(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
----------

It seems none of these are getting through when I have my iptables rules in place. Based on my rules below, what do I need to adjust for this to work properly?

----------
*filter
:INPUT DROP [37:4772]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6711:302807]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
----------

--
W |  I haven't lost my mind; it's backed up on tape somewhere.
  +--------------------------------------------------------------------
  Ashley M. Kirchner <mailto:[EMAIL PROTECTED]>   .   303.442.6410 x130
  IT Director / SysAdmin / WebSmith             .     800.441.3873 x130
  Photo Craft Laboratories, Inc.            .     3550 Arapahoe Ave. #6
  http://www.pcraft.com ..... .  .    .       Boulder, CO 80303, U.S.A.
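
Added example, not part of the original message: a short Python script that reads tcpdump text lines like the ones quoted above and reports every SYN that was retransmitted without any reply appearing in the capture. The function names (unanswered_syns, retry_gaps) are made up for this example, and it assumes the classic tcpdump text format shown in the message.

```python
import re
from collections import defaultdict

# Subset of the tcpdump lines quoted in the message above (classic text format).
CAPTURE = """\
16:52:18.366859 serpico.pcraft.com.35723 > cpan.in-span.net.ftp: S 216188088:216188088(0) win 5840 <mss 1460,sackOK,timestamp 15984811 0,nop,wscale 0> (DF)
16:52:18.438921 cpan.in-span.net.ftp > serpico.pcraft.com.35723: S 1476419810:1476419810(0) ack 216188089 win 24616 <nop,nop,timestamp 36469082 15984811,nop,wscale 0,nop,nop,sackOK,mss 1460> (DF)
16:54:04.988113 serpico.pcraft.com.35725 > cpan.in-span.net.ftp: P 106:128(22) ack 611 win 6432 <nop,nop,timestamp 15995473 36479736> (DF)
16:54:05.065606 cpan.in-span.net.ftp-data > serpico.pcraft.com.35726: S 2489762397:2489762397(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
16:54:05.157891 cpan.in-span.net.ftp > serpico.pcraft.com.35725: . ack 128 win 24616 <nop,nop,timestamp 36479754 15995473> (DF)
16:54:08.427859 cpan.in-span.net.ftp-data > serpico.pcraft.com.35726: S 2489762397:2489762397(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
16:54:15.177633 cpan.in-span.net.ftp-data > serpico.pcraft.com.35726: S 2489762397:2489762397(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
"""

# time, src, dst, flags, first sequence number, optional ack number
SEG = re.compile(r"(\d+):(\d+):(\d+\.\d+) (\S+) > (\S+): (\S+) (\d+):\d+\(\d+\)(?: ack (\d+))?")

def unanswered_syns(text):
    """Map (src, dst) -> send times (seconds of day) of SYNs that got no reply."""
    syns = defaultdict(list)  # (src, dst, seq) -> times this exact SYN was seen
    acked = set()             # (sender, receiver, ack number) of every reply
    for line in text.splitlines():
        m = SEG.match(line.strip())
        if not m:
            continue          # bare ACKs carry no sequence range; skip them
        hh, mm, ss, src, dst, flags, seq, ack = m.groups()
        if ack is not None:
            acked.add((src, dst, int(ack)))
        elif flags == "S":
            syns[(src, dst, int(seq))].append(int(hh) * 3600 + int(mm) * 60 + float(ss))
    # A SYN-ACK or RST answering a SYN acknowledges seq + 1 in the reverse direction.
    return {(s, d): t for (s, d, seq), t in syns.items() if (d, s, seq + 1) not in acked}

def retry_gaps(times):
    """Seconds between successive retransmissions of the same SYN."""
    return [round(b - a, 3) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    for (src, dst), times in unanswered_syns(CAPTURE).items():
        print(f"{src} -> {dst}: {len(times)} SYNs, no reply, gaps {retry_gaps(times)} s")
```

An inbound SYN from the server's ftp-data port is how active-mode FTP opens its data channel; the RELATED match in the rules above accepts it only when the kernel's FTP connection-tracking helper is loaded.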