Firewall and FTP

Antony Stone Antony at Soft-Solutions.co.uk
Sat Nov 9 10:07:43 PST 2002


On Saturday 09 November 2002 3:50 pm, Oliver Eickenberg wrote:

> Hello,
>
> With my firewall working for a few weeks now (thanks again for the help
> I received here) I discovered one problem left:
>
> I tried to grant access to Internet FTP sites for my LAN by enabling
> port 21 exactly as I had enabled port 80 for http. I could connect to
> sites and log in successfully but then got timed out every time on any site.
>
> Is there somebody here who knows a solution?
>
> Here is my actual "FTP-enabling"
>
> iptables -A OUTPUT -p tcp -s $myLAN --dport 21 -j ACCEPT
> iptables -A INPUT  -p tcp -s $myLAN --sport 21 -m state --state ESTABLISHED -j ACCEPT

Add a line to your INPUT chain to allow RELATED packets, and provided you 
have ftp connection tracking compiled in all should be fine - the ftp data 
packets will be recognised as 'related' to the control packets on port 21, 
and everything will work.

iptables -A INPUT -m state --state RELATED -j ACCEPT

In fact it would probably be a good idea to change the INPUT rule you already 
have above so it will allow reply packets for anything you choose to send out:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Just use this one rule in place of both your and my INPUT rules above.

Antony.

-- 

KDE 3.0.3 contains an important fix for handling SSL certificates.  Users of 
Internet Explorer, which suffers from the same problem but which
does not yet have a fix available, are also encouraged to switch to KDE 3.0.3.

http://www.kde.org/announcements/announce-3.0.3.html
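The following is an added illustration, not code from either poster: a toy model of how connection tracking classifies the packets of an active-mode FTP session, showing why an INPUT rule that accepts only ESTABLISHED drops the server's data connection, while ESTABLISHED,RELATED with the ftp helper loaded accepts it. Addresses and ports are constructed for the example; the model covers only the state match, as in the single replacement rule above.

```python
from dataclasses import dataclass, field

# Constructed addresses for the example (not from the original post).
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""   # FTP control-channel text, if any

@dataclass
class ConnTracker:
    """Toy stand-in for netfilter conntrack plus the ftp helper (hypothetical model)."""
    ftp_helper: bool                            # ip_conntrack_ftp loaded?
    conns: set = field(default_factory=set)     # tracked connections
    expected: set = field(default_factory=set)  # data connections announced via PORT

    def state(self, pkt):
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if key in self.conns:
            self._inspect(pkt)
            return "ESTABLISHED"
        self.conns.add(key)
        # A new connection that the helper was told to expect is RELATED, not NEW.
        if (pkt.src, pkt.dst, pkt.dport) in self.expected:
            return "RELATED"
        return "NEW"

    def _inspect(self, pkt):
        # The ftp helper parses "PORT h1,h2,h3,h4,p1,p2" on the control channel
        # and registers the server-to-client data connection it announces.
        if self.ftp_helper and pkt.dport == 21 and pkt.payload.startswith("PORT "):
            h1, h2, h3, h4, p1, p2 = map(int, pkt.payload[5:].split(","))
            self.expected.add((pkt.dst, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))

def data_connection_accepted(input_states, ftp_helper=True):
    """Run an active-mode FTP exchange and report whether the INPUT chain,
    accepting only the states in input_states, lets the server's inbound
    data connection through."""
    ct = ConnTracker(ftp_helper)
    ct.state(Packet(CLIENT, 40001, SERVER, 21))                 # control SYN: NEW
    ct.state(Packet(SERVER, 21, CLIENT, 40001, "220 ready"))    # reply: ESTABLISHED
    ct.state(Packet(CLIENT, 40001, SERVER, 21, "PORT 192,168,1,10,156,66"))  # port 40002
    data_syn = Packet(SERVER, 20, CLIENT, 40002)                # server opens data conn
    return ct.state(data_syn) in input_states
```

Passive mode works the same way: the helper reads the server's PASV reply instead, and the client's outbound data connection is then classified RELATED.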