-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...
> My iptables rule:
>
> $IPT -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 -j ACCEPT
>
> I read this as: any packet that is not a --syn type from source port 20 on the FTP
> server I'm hooking up to, destined to my PC on ports 1024:65535, jumps to ACCEPT.

Try taking out the "! --syn" and see what you get.

> Here's a snip of my log files:
>
> Oct 3 14:32:44 stimpy kernel: Firewall:IN=eth0 OUT= MAC=00:10:5a:15:35:f1:00:30:71:78:24:00:08:00
> SRC=209.10.41.242 DST=24.216.244.106 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=29441 DF
> PROTO=TCP SPT=20 DPT=32778 WINDOW=32120 RES=0x00 SYN URGP=0
>
> And that's telling me that it's coming from port 20, it's TCP, and it's headed
> to my port 32778, which should jump to ACCEPT! I simply cannot understand why
> the firewall is dropping those packets. Allan was nice enough to point me to
> a web site talking about firewalls and FTP and I 'thought' I had the right
> stuff being let through.
>
> Here's a twist... the exact same firewall rules were successful when I was
> running woody, but now that I'm on a standard potato with 'iptables' added
> separately it's not working.

Part of the problem is that you're treating iptables and ipchains as if they
were the same; they are totally different packet filtering/mangling mechanisms.

I see you're not using the super nifty connection tracking capabilities of
iptables. Perhaps it'll help to see a working configuration:

  $IPT -t nat -A POSTROUTING -o $OUTSIDE_IFACE -j MASQUERADE
  $IPT -P FORWARD ACCEPT
  $IPT -A INPUT -s localnet/24 -j ACCEPT
  $IPT -A INPUT -s localhost -j ACCEPT
  $IPT -P INPUT DROP
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo 1 > /proc/sys/net/ipv4/ip_forward

This is all you effectively need for a firewall that does internet connection
sharing. These lines will block all new and invalid incoming connections, but
allow through services that need to connect to a port on your computer, like
IRC, web and FTP.
- --
- ----------------------------------------------------------------------
Phil Brutsche                                        [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE52j1T/ZTSZFDeHPwRAtdKAJ9mpHkGjxUBoUz27HQMZTbp9frD9QCeN+Kp
9oksHocHIWODtbbDey5ld6Q=
=7UVf
-----END PGP SIGNATURE-----
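Editor's added example (not part of the mail above, and not code from either poster): the logged packet is the server's SYN that opens the active-mode FTP data connection, so a rule that only accepts "! --syn" packets from port 20 can never match it, and the packet falls through to the chain policy. The script below parses that netfilter LOG line (retyped here as a constructed sample) and walks it through the posted INPUT rule with and without the "! --syn" test, using iptables' first-match semantics. The rule keywords, the chain model and the ACK_LINE follow-up packet are my own simplifications for illustration, not iptables internals.

```python
"""Evaluate a netfilter LOG line against the poster's INPUT rule, with and
without the "! --syn" match. Added example; it is not part of the original mail."""

# Constructed sample input: the kernel log line from the question, joined
# back onto one line the way klogd would have printed it.
LOG_LINE = (
    "Oct 3 14:32:44 stimpy kernel: Firewall:IN=eth0 OUT= "
    "MAC=00:10:5a:15:35:f1:00:30:71:78:24:00:08:00 "
    "SRC=209.10.41.242 DST=24.216.244.106 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=54 ID=29441 DF PROTO=TCP SPT=20 DPT=32778 WINDOW=32120 "
    "RES=0x00 SYN URGP=0"
)
# Constructed follow-up packet on the same data connection: ACK set, no SYN.
ACK_LINE = LOG_LINE.replace("RES=0x00 SYN URGP=0", "RES=0x00 ACK URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
INT_FIELDS = ("SPT", "DPT", "LEN", "TTL", "ID")


def parse_log(line):
    """Turn the KEY=VALUE tokens of a netfilter LOG line into a dict.
    Bare tokens that name TCP flags are collected in pkt["flags"]."""
    pkt = {"flags": set()}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            key = key.rsplit(":", 1)[-1]  # strip the "Firewall:" log prefix from IN=
            pkt[key] = val
        elif tok in TCP_FLAGS:
            pkt["flags"].add(tok)
    for key in INT_FIELDS:
        if key in pkt:
            pkt[key] = int(pkt[key])
    return pkt


def is_syn(pkt):
    """iptables --syn: SYN set and ACK, RST, FIN clear, i.e. a connection request."""
    return "SYN" in pkt["flags"] and not (pkt["flags"] & {"ACK", "RST", "FIN"})


def rule_matches(pkt, proto=None, sport=None, dport=None, syn=None):
    """One rule expressed as keyword matches (hypothetical mini rule language).
    dport is an inclusive (low, high) range like --destination-port 1024:65535.
    syn=True models --syn, syn=False models "! --syn", None means no flag test."""
    if proto is not None and pkt.get("PROTO") != proto:
        return False
    if sport is not None and pkt.get("SPT") != sport:
        return False
    if dport is not None and not (dport[0] <= pkt.get("DPT", -1) <= dport[1]):
        return False
    if syn is not None and is_syn(pkt) != syn:
        return False
    return True


def chain_verdict(pkt, rules, policy="DROP"):
    """Walk a chain: the first matching rule's target wins, else the chain policy."""
    for rule, target in rules:
        if rule_matches(pkt, **rule):
            return target
    return policy


# The rule as posted: accept only non-SYN packets from port 20 to high ports.
POSTED_CHAIN = [
    ({"proto": "TCP", "sport": 20, "dport": (1024, 65535), "syn": False}, "ACCEPT"),
]
# The same rule with "! --syn" removed, as the reply suggests trying.
WITHOUT_SYN_TEST = [
    ({"proto": "TCP", "sport": 20, "dport": (1024, 65535)}, "ACCEPT"),
]


def compare(line):
    """Return (verdict with the posted rule, verdict without the --syn test)."""
    pkt = parse_log(line)
    return chain_verdict(pkt, POSTED_CHAIN), chain_verdict(pkt, WITHOUT_SYN_TEST)


if __name__ == "__main__":
    pkt = parse_log(LOG_LINE)
    print("flags:", sorted(pkt["flags"]), "is_syn:", is_syn(pkt))
    print("posted rule -> %s, without '! --syn' -> %s" % compare(LOG_LINE))
```

The logged SYN from port 20 is dropped by the posted rule and accepted once "! --syn" is removed, while the ACK that follows on the same connection is accepted by both. Two caveats from the editor, not claims made in the mail: first, a rule that accepts any TCP packet from source port 20 into 1024:65535 also accepts a scanner that deliberately sends from source port 20, which is why the "-m state --state ESTABLISHED,RELATED" approach in the reply is preferable; second, for active-mode FTP the data connection only shows up as RELATED when the FTP connection-tracking helper is loaded (the ip_conntrack_ftp module on 2.4-era kernels, nf_conntrack_ftp on current ones).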