Alex Samad wrote:
> Hi
>
> You should try and keep this on list

Sorry, hit reply instead of reply all.

> Alex
>
> On Fri, Dec 05, 2008 at 02:17:42PM -0700, Robert L. Harris wrote:
>>
>> [snip]
>>
>> I've updated my rules to this:
>>
>> #
>> # allow ftpd
>> HARVARD="10.1.1.32"
>> /sbin/modprobe nf_conntrack_ftp
>> # General
>> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
>> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
>> iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
>>
>> I think I confused myself though, do I need the other rules I had
>> for port 20 or will the first INPUT rule above cover that?
>
> Have a look here: http://slacksite.com/other/ftp.html (quick google on
> ftp & ports).
>
> It shows you how the ports are used for ftp.
>
> The ftp conntrack module that you were loading previously should handle
> the "related" ports and allow them through; what I am not sure about is
> whether it will handle the DNAT'ing of those ports. But then again you
> could specify passive ftp only.
>
> Here is another link: http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/
> (again google).
>
> My strength is in iptables, not ftp (which is the reason for googling :) )
>
> Also, for anything to do with iptables and firewalls you should probably
> read a tutorial on iptables.

I've read both of those and understand how the ftp works. I've spent the
last 2 days googling. Unfortunately it's all working now except how to get
the iptables data connection in passive mode working. I can log in, etc.
just fine, but when I do a "ls" after issuing the "passive" command it
times out. The second example looks good but doesn't handle the DNAT (the
ftp server is running on another machine behind my firewall).

Robert

:wq!
====================================================================
Robert L. Harris                     | GPG Key ID: E344DA3B
                                     |    @ x-hkp://pgp.mit.edu
DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.
                                        With Dreams To Be A King,
                                        First One Should Be A Man
                                                        - Manowar
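An added example (not either poster's own rules) of a firewall script for the setup discussed in this thread: the FTP control port DNATed to an internal server at 10.1.1.32, with the conntrack helper plus the NAT helper handling the passive data connection, and the state rules placed in FORWARD because DNATed traffic never traverses INPUT. It assumes the firewall is the internal server's default gateway and that IP forwarding is enabled; the variable names and the "apply" argument are this example's own.

```shell
#!/bin/sh
# Added example for the setup discussed in the thread (not the posters' own rules).
# Forwards FTP from a Linux firewall to an internal server and lets the
# conntrack/NAT helpers handle the passive-mode data connection.
# Assumes the firewall is the internal server's default gateway and that
# IP forwarding is enabled. Set IPT=echo for a dry run that prints the rules.
set -e

FTP_SERVER="${FTP_SERVER:-10.1.1.32}"   # internal FTP server (address from the thread)
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

load_helpers() {
    # nf_conntrack_ftp parses PORT/PASV on the control channel and marks the
    # resulting data connection RELATED. nf_nat_ftp additionally rewrites the
    # address in the server's PASV reply so the client connects to the firewall,
    # which then DNATs the data connection to FTP_SERVER. Without nf_nat_ftp a
    # passive "ls" through DNAT stalls because the client is told 10.1.1.32.
    $MODPROBE nf_conntrack_ftp
    $MODPROBE nf_nat_ftp
}

ftp_rules() {
    # On kernels where automatic helper assignment is off (sysctl
    # net.netfilter.nf_conntrack_helper=0, the default since 4.7), the helper
    # must be attached explicitly in the raw table; harmless on older kernels.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # DNAT the control channel to the internal server.
    $IPT -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination "$FTP_SERVER:21"
    # DNATed packets traverse FORWARD, never INPUT, so the state rules belong here.
    # RELATED covers the data connection (active port 20 or the passive port),
    # so no separate rule for port 20 or a passive port range is needed.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -p tcp -d "$FTP_SERVER" --dport 21 -m state --state NEW -j ACCEPT
}

# Apply only when run as "./ftp-dnat.sh apply"; sourcing merely defines the functions.
if [ "${1:-}" = "apply" ]; then
    load_helpers
    ftp_rules
fi
```

Run with IPT=echo first to review the generated rules, then as root with the "apply" argument.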