Firewall and FTP

Antony Stone Antony at
Sat Nov 9 10:07:43 PST 2002

On Saturday 09 November 2002 3:50 pm, Oliver Eickenberg wrote:

> Hello,
> With my firewall working for a few weeks now (thanks again for the help
> I received here) I discovered one problem left:
> I tried to grant access to Internet FTP sites for my LAN by enabling
> port 21 exactly as I had enabled port 80 for HTTP. I could connect to
> sites and log in successfully but then got timed out every time on any site.
> Is there somebody here who knows a solution?
> Here is my actual "FTP-enabling":
> iptables -A OUTPUT -p tcp -s $myLAN --dport 21 -j ACCEPT
> iptables -A INPUT  -p tcp -s $myLAN --sport 21 -m state --state

Add a line to your INPUT chain to allow RELATED packets, and provided you 
have ftp connection tracking compiled in all should be fine - the ftp data 
packets will be recognised as 'related' to the control packets on port 21, 
and everything will work.

iptables -A INPUT -m state --state RELATED -j ACCEPT

In fact it would probably be a good idea to change the INPUT rule you already 
have above so it will allow reply packets for anything you choose to send out:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Just use this one rule in place of both your and my INPUT rules above.



KDE 3.0.3 contains an important fix for handling SSL certificates.  Users of 
Internet Explorer, which suffers from the same problem but which
does not yet have a fix available, are also encouraged to switch to KDE 3.0.3.
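To make the point of the thread concrete, here is a small model of what connection tracking does with an FTP session. It is a constructed example written for this page, not netfilter code and not Antony's or Oliver's script. It assumes the firewall runs on the LAN host itself (INPUT/OUTPUT chains, with OUTPUT accepting everything outbound), that Oliver's truncated INPUT rule ended in `--state ESTABLISHED`, and that the addresses, ports and FTP messages below are made up. It replays one passive-mode and one active-mode data connection under the original INPUT rule and under the `ESTABLISHED,RELATED` rule, with and without the ftp helper.

```python
"""Toy model of stateful filtering for FTP (constructed, not netfilter code)."""
import re

CLIENT, SERVER = "192.168.1.10", "198.51.100.7"   # constructed addresses
FTP_CTRL, FTP_DATA_ACTIVE = 21, 20

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def hostport(m):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PASV replies and PORT commands."""
    g = [int(x) for x in m.groups()]
    return ".".join(map(str, g[:4])), g[4] * 256 + g[5]


class Packet:
    def __init__(self, src, sport, dst, dport, payload=""):
        self.src, self.sport, self.dst, self.dport = src, sport, dst, dport
        self.payload = payload

    def flow(self):
        # Same key for both directions of one TCP connection.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


class Conntrack:
    """Minimal stand-in for the connection tracker plus its ftp helper."""

    def __init__(self, ftp_helper=True):
        self.ftp_helper = ftp_helper
        self.flows = set()     # confirmed connections
        self.expected = set()  # (src_ip, dst_ip, dst_port) the helper expects to see

    def state(self, pkt):
        """What '-m state' would report for this packet."""
        if pkt.flow() in self.flows:
            return "ESTABLISHED"
        if (pkt.src, pkt.dst, pkt.dport) in self.expected:
            return "RELATED"
        return "NEW"

    def confirm(self, pkt):
        """Record an accepted packet; the helper reads FTP control traffic for data ports."""
        self.flows.add(pkt.flow())
        self.expected.discard((pkt.src, pkt.dst, pkt.dport))
        if not (self.ftp_helper and FTP_CTRL in (pkt.sport, pkt.dport) and pkt.payload):
            return
        m = PASV_RE.match(pkt.payload)      # server tells client where to connect
        if m:
            ip, port = hostport(m)
            self.expected.add((pkt.dst, ip, port))
        m = PORT_RE.match(pkt.payload)      # client tells server where to connect
        if m:
            ip, port = hostport(m)
            self.expected.add((pkt.dst, ip, port))


def input_before(pkt, ct):
    """Oliver's rule (assumed ending): only port-21 replies on an ESTABLISHED connection."""
    return pkt.sport == FTP_CTRL and ct.state(pkt) == "ESTABLISHED"


def input_after(pkt, ct):
    """Antony's rule: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"""
    return ct.state(pkt) in ("ESTABLISHED", "RELATED")


def run(input_rule, ftp_helper=True):
    """Replay a passive and an active transfer; return the INPUT verdict per inbound packet."""
    ct = Conntrack(ftp_helper)
    script = [  # constructed packet trace
        ("ctrl SYN", Packet(CLIENT, 40001, SERVER, FTP_CTRL)),
        ("ctrl SYN/ACK", Packet(SERVER, FTP_CTRL, CLIENT, 40001)),
        ("PASV reply", Packet(SERVER, FTP_CTRL, CLIENT, 40001,
                              "227 Entering Passive Mode (198,51,100,7,195,80)")),
        ("pasv data SYN", Packet(CLIENT, 40002, SERVER, 50000)),
        ("pasv data SYN/ACK", Packet(SERVER, 50000, CLIENT, 40002)),
        ("PORT command", Packet(CLIENT, 40001, SERVER, FTP_CTRL, "PORT 192,168,1,10,200,10")),
        ("active data SYN", Packet(SERVER, FTP_DATA_ACTIVE, CLIENT, 51210)),
    ]
    verdicts = {}
    for name, pkt in script:
        if pkt.src == CLIENT:
            ct.confirm(pkt)          # OUTPUT chain assumed to accept outbound traffic
            continue
        accepted = input_rule(pkt, ct)
        verdicts[name] = "ACCEPT" if accepted else "DROP"
        if accepted:
            ct.confirm(pkt)
    return verdicts


if __name__ == "__main__":
    for label, rule, helper in (("before", input_before, True),
                                ("after", input_after, True),
                                ("after, no ftp helper", input_after, False)):
        print(label, run(rule, helper))
```

Under the original rule the control session works (port-21 replies are ESTABLISHED) but both data connections are dropped, which is exactly the "login succeeds, then every listing times out" symptom. With `ESTABLISHED,RELATED` everything passes; remove the ftp helper and the active-mode data SYN from the server's port 20 is plain NEW again and is dropped, which is why the reply says connection tracking for ftp has to be compiled in.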

More information about the blfs-support mailing list