Hello Roland, * Roland Türk wrote on 25 Jan 2003:
Hello,
Sorry, my English is not so good! I have written my firewall with iptables. I can connect to an FTP server but cannot do an ls or dir.
Have a look at http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html

Short digest: Filtering FTP with iptables is quite simple. You just have to load the module "ip_conntrack_ftp". To allow general access, do this:

iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

Have a look at --state, that's important.

Active FTP:

iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

Passive FTP:

iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Filtering FTP without stateful packet filtering is really bad.

(I think, if you generally do "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT", FTP filtering would be just a few rules :-) )

Greetz,
Tom

-- 
Preissler Thomas
Registered Linux User #265745
GPG-Key: 1024D/C21DAB7F
http://counter.li.org/

Some people, when confronted with a problem, think 'I know, I'll use regular expressions.' Now they have two problems.
-- Jamie Zawinski, alt.religion.emacs (08/12/1997)
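Editor's added example (not part of Tom's or Roland's mail, and not the kernel helper's code): the reason the rules above only work with ip_conntrack_ftp loaded is that the FTP data connection is announced inside the control channel, in a PORT command (active mode, server connects back to the client) or a 227 reply to PASV (passive mode, client connects to a fresh high port on the server). Nothing on the wire otherwise ties the data SYN to port 21, so without the helper the SYN is plain NEW and the ESTABLISHED/RELATED rules never match. The Python below models what the helper does: it reads a constructed control session between a hypothetical client 10.0.0.5 and server 192.0.2.10, decodes the h1,h2,h3,h4,p1,p2 addresses, records the expected data connection, and reports which state `-m state` would then assign to a given SYN. The addresses, the session text and the check that an announced address must belong to the peer that announced it and use an unprivileged port are this example's own choices, not something the post states.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed FTP control channel between a hypothetical client and server
# (not a real capture). "C:" lines go client -> server, "S:" lines server -> client.
CLIENT_IP = "10.0.0.5"
SERVER_IP = "192.0.2.10"
SAMPLE_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest@",
    "S: 230 Login successful.",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80).",   # 195*256+80 = port 50000
    "C: LIST",
    "S: 150 Here comes the directory listing.",
    "S: 226 Directory send OK.",
    "C: PORT 10,0,0,5,4,1",                                # 4*256+1 = port 1025
    "S: 200 PORT command successful.",
    "C: RETR file.txt",
    # Bogus reply steering the data connection to a third host on a privileged
    # port; the example refuses to create an expectation for it.
    "S: 227 Entering Passive Mode (198,51,100,7,0,80).",
    "C: QUIT",
    "S: 221 Goodbye.",
]

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Expectation:
    """A data connection the control channel has announced."""
    mode: str    # "active": server opens it; "passive": client opens it
    src: str     # side that will send the SYN
    dst: str     # side that listens
    dport: int   # announced data port


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 form into (ip, port); None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def expectation_from_line(line: str, client_ip: str, server_ip: str) -> Optional[Expectation]:
    """Expectation created by one control-channel line, or None for other lines.

    Raises ValueError when the announcement is malformed, names an address other
    than the peer that sent it, or uses a privileged port (hardening choices of
    this example, so a client cannot be made to open ports towards third hosts).
    """
    if line.startswith("C: PORT "):
        hp = decode_hostport(line[len("C: PORT "):])
        if hp is None or hp[0] != client_ip or hp[1] < 1024:
            raise ValueError("refused PORT announcement: " + line)
        return Expectation("active", server_ip, client_ip, hp[1])
    if line.startswith("S: 227 "):
        hp = decode_hostport(line)
        if hp is None or hp[0] != server_ip or hp[1] < 1024:
            raise ValueError("refused 227 announcement: " + line)
        return Expectation("passive", client_ip, server_ip, hp[1])
    return None


def track_session(lines: Iterable[str], client_ip: str, server_ip: str) -> Tuple[List[Expectation], List[str]]:
    """Walk the control channel; return (accepted expectations, refused lines)."""
    accepted, refused = [], []
    for line in lines:
        try:
            exp = expectation_from_line(line, client_ip, server_ip)
        except ValueError:
            refused.append(line)
            continue
        if exp is not None:
            accepted.append(exp)
    return accepted, refused


def state_of_syn(expectations: Iterable[Expectation], src: str, dst: str, dport: int) -> str:
    """State `-m state` would give a fresh SYN: RELATED if announced, else NEW."""
    for e in expectations:
        if (e.src, e.dst, e.dport) == (src, dst, dport):
            return "RELATED"
    return "NEW"


if __name__ == "__main__":
    accepted, refused = track_session(SAMPLE_SESSION, CLIENT_IP, SERVER_IP)
    for e in accepted:
        print(f"{e.mode:7} data connection expected: {e.src} -> {e.dst}:{e.dport}")
    for line in refused:
        print("refused:", line)
    print("SYN 10.0.0.5 -> 192.0.2.10:50000 is", state_of_syn(accepted, CLIENT_IP, SERVER_IP, 50000))
    print("SYN 10.0.0.5 -> 192.0.2.10:50001 is", state_of_syn(accepted, CLIENT_IP, SERVER_IP, 50001))
```

Read against Tom's rules: the passive SYN to 192.0.2.10:50000 comes out RELATED, so the OUTPUT --sport 1024: --dport 1024: ESTABLISHED,RELATED rule passes it and the listing works; the SYN to 50001 is NEW and is dropped. In active mode the roles flip, the server's SYN from port 20 to the client's announced port 1025 is RELATED on INPUT. Without the helper every data SYN stays NEW, which is exactly the "connect works, ls hangs" symptom from the question.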