From: "Kharitonov A. Dmitry"
Date: Thu, 20 Nov 2008 08:42:06 +0300
To: shaba@altlinux.ru, ALT Linux sysadmin discuss
Subject: Re: [Sysadmins] iptables and ftp --- feature or bug?

Alexey Shabalin wrote:
> 2008/11/19 Kharitonov A. Dmitry:
>
>> [user@SERVER ~]$ sudo lsmod | egrep "ftp|ipt"
>> ipt_MASQUERADE 7808 1
>> ipt_REJECT 9472 705
>> iptable_mangle 7040 0
>> iptable_nat 11652 1
>> iptable_filter 7168 1
>> ip_tables 17604 3 iptable_mangle,iptable_nat,iptable_filter
>> ipt_REDIRECT 6272 0
>> ipt_LOG 10496 0
>> x_tables 18180 8 xt_state,xt_tcpudp,ipt_MASQUERADE,ipt_REJECT,iptable_nat,ip_tables,ipt_REDIRECT,ipt_LOG
>> ip_nat_ftp 7680 0
>> ip_nat 22060 4 ipt_MASQUERADE,iptable_nat,ipt_REDIRECT,ip_nat_ftp
>> ip_conntrack_ftp 12016 1 ip_nat_ftp
>> ip_conntrack 56800 6 xt_state,ipt_MASQUERADE,iptable_nat,ip_nat_ftp,ip_nat,ip_conntrack_ftp
>>
>> I set:
>> -A INPUT -i wan -p tcp -m tcp --sport 20 ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i wan -p tcp -m tcp --sport 21 ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A OUTPUT -o wan -p tcp -m tcp --dport 20 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>> -A OUTPUT -o wan -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>>
>> I start firefox:
>> ERROR
>> The requested URL could not be retrieved
>>
>> An FTP protocol error occurred while trying to retrieve the URL:
>> ftp://ftp.altlinux.org/pub/distributions/
>>
>> Squid sent the following FTP command:
>> NLST
>> and then received this reply
>> Use PORT or PASV first.
>> Your cache administrator is webmaster.
>> Generated Wed, 19 Nov 2008 23:35:09 GMT by server.dimahost (squid/2.6.STABLE13)
>>
>> I set:
>> -A INPUT -i wan -p tcp -m tcp --sport 20 ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i wan -p tcp -m tcp --sport 21 ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -i wan -p tcp -m tcp --sport 1024:65535 ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A OUTPUT -o wan -p tcp -m tcp --dport 20 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>> -A OUTPUT -o wan -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>> -A OUTPUT -o wan -p tcp -m tcp --dport 1024:65535 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>>
>> I start firefox:
>> Everything works fine.
>>
>> As I understand it, these are not working:
>> ip_nat_ftp 7680 0
>> ip_conntrack_ftp 12016 1 ip_nat_ftp
>>
>> Can someone explain to me: is this a feature or a bug?
>>
> This is FTP passive mode.
>
I know that. So far, what I see is that the ip_conntrack_ftp module is not working.
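
An added example, not part of the original message: a Python model of what an FTP connection-tracking helper reads from a passive-mode 227 reply, and of how the OUTPUT rules quoted in the message match the resulting data connection. The sample reply, the port 6667 probe and the "tighter" rule set are constructed assumptions; only the OUTPUT chain is modelled, reduced to destination port and connection state.

```python
import re

# Constructed sample: an RFC 959 passive-mode reply as an FTP server sends it.
SAMPLE_227 = "227 Entering Passive Mode (192,0,2,10,195,80)"

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1*256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 passive-mode reply")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("field out of range")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

# OUTPUT rules from the message, reduced to (dport_low, dport_high, states).
ALL = {"NEW", "RELATED", "ESTABLISHED"}
FIRST_SET = [(20, 20, ALL), (21, 21, ALL)]
SECOND_SET = FIRST_SET + [(1024, 65535, ALL)]
# Assumption (not from the message): high ports allowed without NEW.
TIGHTER_SET = FIRST_SET + [(1024, 65535, {"RELATED", "ESTABLISHED"})]

def output_verdict(rules, dport, state):
    """First matching rule accepts; otherwise the packet falls through."""
    for low, high, states in rules:
        if low <= dport <= high and state in states:
            return "ACCEPT"
    return "NO MATCH"

def report():
    """Verdicts per rule set: (helper-expected data connection, unrelated NEW)."""
    _, port = parse_pasv(SAMPLE_227)
    sets = (("first", FIRST_SET), ("second", SECOND_SET), ("tighter", TIGHTER_SET))
    rows = {}
    for name, rules in sets:
        rows[name] = (
            output_verdict(rules, port, "RELATED"),  # SYN of the PASV data connection
            output_verdict(rules, 6667, "NEW"),      # constructed unrelated connection
        )
    return rows

if __name__ == "__main__":
    for name, verdicts in report().items():
        print(name, verdicts)
```

"NO MATCH" means the packet continues to whatever rules or chain policy follow, which the message does not show.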