On Mon, 2011-03-07 at 18:17 -0500, robert mckennon wrote:
> On Mon, Mar 7, 2011 at 5:35 PM, William L. Thomson Jr.
> <[email protected]> wrote:
> >> # Allow unlimited traffic on loopback
> >> iptables -A INPUT -i lo -j ACCEPT
> >> iptables -A OUTPUT -o lo -j ACCEPT
> >
> > Where did you get the loopback stuff? I can't recall ever seeing
> > loopback stuff in iptables before, which is why I ask :)
>
> Not sure where it came from, I'd have to google it again.

I could be wrong, but pretty sure you don't need to do anything with lo.
Not sure anyone has created a firewall on a loopback interface. Usually
if you need such functionality you will use a bridge and do firewalling,
packet inspection, etc. on the bridge.

> >> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.11.248.119
> >> --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
> >> iptables -A OUTPUT -p tcp -s 10.11.248.119 --sport 1024:65535 -d 0/0
> >> --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> >
> > This should fail since you're missing -m multiport, unless that is no
> > longer necessary to specify.
>
> So could this be why it's not working?

What is not working, everything, or just the FTP you're trying to get to
work? Looks like it's a matter of syntax and what you have is correct.
Testing has shown you need multiport only when using commas in the port.
First one works, second fails with output following

wlt Desktop # iptables -A INPUT -p TCP -i eth0 --sport 1024:65535 -j ACCEPT
wlt Desktop # iptables -A INPUT -p TCP -i eth0 --sport 1024,65535 -j ACCEPT
iptables v1.4.10: invalid port/service `1024,65535' specified
Try `iptables -h' or 'iptables --help' for more information.

Change the last one to the following and it works :)

iptables -A INPUT -p TCP -i eth0 -m multiport --sport 1024,65535 -j ACCEPT

I think you still have to have multiport support in the kernel, with
either syntax.

> I have to head home to do some more testing from the external side.
> I'll check my mail when I get there.
>
> Thank you for your reply!

No problem, but if you are having problems, you might want to take it one
step at a time. Do input rules before output. Drop the stateful stuff, and
then add that back in once you know things are working. Also make sure to
log anything dropped either way and look at that stuff. It will usually
help you find out what you did wrong/right, etc.

--
William L. Thomson Jr.
Obsidian-Studios, Inc.
http://www.obsidian-studios.com

---------------------------------------------------------------------
Archive http://marc.info/?l=jaxlug-list&r=1&w=2
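As an added example (not code from either poster on this list), here is a small POSIX shell script that checks the range-versus-list port syntax the thread settles on, and prints, in dry-run form, a ruleset laid out the way the reply suggests: loopback first, INPUT before OUTPUT, and a LOG rule ahead of each chain's final DROP. The 10.11.248.119 address, the eth0 interface, the FTP port and the 1024:65535 / 1024,65535 port specs come from the thread; the IPT dry-run variable, the function names and the log prefixes are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from the list posters.
# Lints iptables port arguments and emits a dry-run ruleset.

# Classify a --sport/--dport value the way iptables parses it:
#   "range"  a:b     accepted by the plain tcp/udp match
#   "list"   a,b,... valid only together with "-m multiport"
#   "single" one port
port_spec_kind() {
    case "$1" in
        *,*) echo list ;;
        *:*) echo range ;;
        *)   echo single ;;
    esac
}

# Return 0 when a rule's port arguments fit the matches it loads, 1 when it
# uses a comma list without -m multiport (the case the thread shows failing
# with "invalid port/service `1024,65535' specified").
lint_rule() {
    rule="$1"
    prev=""
    has_multiport=1
    case "$rule" in
        *"-m multiport"*) has_multiport=0 ;;
    esac
    for word in $rule; do
        case "$prev" in
            --sport|--dport|--sports|--dports)
                if [ "$(port_spec_kind "$word")" = list ] && [ "$has_multiport" -ne 0 ]; then
                    echo "lint: port list '$word' needs -m multiport: $rule" >&2
                    return 1
                fi
                ;;
        esac
        prev="$word"
    done
    return 0
}

# IPT defaults to "echo iptables" so the script only prints rules (assumed
# dry-run convention); run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"

build_rules() {
    host=10.11.248.119    # address from the thread
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    # Loopback accepts first; they matter once the chain policy is DROP.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # INPUT rules before OUTPUT rules, as the reply suggests.
    $IPT -A INPUT -p tcp -i eth0 -d "$host" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -i eth0 -d "$host" --sport 1024:65535 --dport 21 -j ACCEPT
    $IPT -A INPUT -p tcp -i eth0 -d "$host" -m multiport --sports 1024,65535 -j ACCEPT
    # Log before dropping so the log shows what the policy rejected.
    $IPT -A INPUT -j LOG --log-prefix "IPT-IN-DROP:"
    $IPT -A INPUT -j DROP
    # OUTPUT chain, same pattern.
    $IPT -A OUTPUT -p tcp -o eth0 -s "$host" -m state --state ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp -o eth0 -s "$host" --sport 1024:65535 --dport 21 -j ACCEPT
    $IPT -A OUTPUT -j LOG --log-prefix "IPT-OUT-DROP:"
    $IPT -A OUTPUT -j DROP
}

# Print the dry-run ruleset, then lint every line of it.
build_rules
build_rules | while read -r r; do lint_rule "$r" || exit 1; done
```

The linter only looks at the argument following a port flag, so `--state ESTABLISHED,RELATED` is left alone; the comma check fires only for `--sport`, `--dport` and their multiport plural forms.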

