Hello, sorry, my English is not so good! I have written my firewall with iptables. I can connect to an FTP server but cannot do an ls or dir.

linux:~ # ftp ftp.suse.com
Connected to ftp.suse.com (217.9.113.66).
220 "Welcome to the SuSE ftp server: Please login as user 'ftp'"
Name (ftp.suse.com:root): ftp
331 Please send your email address as a password.
Password:
230-+----------------------------------------------------------------+
230-| Welcome to the SuSE Linux FTP archives in Nürnberg Germany     |
230-+----------------------------------------------------------------+
230-+------------------------------+ +------------------------------+
230-| SuSE Inc.                    | | SuSE GmbH                    |
230-| 318 Harrison St.             | | Deutschherrnstr. 15-19       |
230-| Oakland, CA 94607            | | 90429 Nuernberg              |
230-| USA                          | | Germany                      |
230-+------------------------------+ +------------------------------+
230-| Tel: +1-510-628-3380         | | Tel: +49-911-740530          |
230-| FAX: +1-510-628-3381         | | FAX: +49-911-7417755         |
230-+------------------------------+ +------------------------------+
230-| http://www.suse.com/         | | http://www.suse.de/          |
230-+------------------------------+ +------------------------------+
230-Please make sure to read pub/INDEX before sending mail to
230-ftpadmin@suse.com
230-
230-User limit: 600 - consider using a mirror-site:
230-http://www.suse.de/en/support/download/ftp/int_mirrors.html (Int.)
230-http://www.suse.de/en/support/download/ftp/germ_mirrors.html (DE)
230-
230-Users from Europe (in particular German universities):
230-ftp://ftp.gwdg.de/pub/linux/suse/
230-ftp://ftp.leo.org/pub/comp/os/unix/linux/suse/suse/
230-ftp://ftp.uni-kl.de/pub/linux/suse/
230-
230-If you are experiencing any problems with this server, please email
230-ftpadmin@suse.com.
230-
230 Login successful. Have a lot of fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.

--------------------------------------------------
-----snip------
# My firewall config for FTP
# FTP OUT Control-Connection
iptables -A OUTPUT -p TCP --sport $p_high --dport ftp -j ACCEPT
iptables -A INPUT -p TCP --dport $p_high --sport ftp ! --syn -j ACCEPT
# FTP OUT Passive Data-Connection
iptables -A OUTPUT -p TCP --sport $p_high --dport $p_high -j ACCEPT
iptables -A INPUT -p TCP --dport $p_high --sport $p_high ! --syn -j ACCEPT
# MASQUERADING
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -o $EXT -p ICMP --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT
iptables -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT
-----snap-----
----------------------------------------------------------------------

tcpdump -i ippp0
19:59:13.290242 217.4.250.8.filenet-tms > 213.95.15.193.domain: 2909 A? ftp.suse.com. (30) (DF)
19:59:13.345807 213.95.15.193.domain > 217.4.250.8.filenet-tms: 2909* 1/2/2 A 217.9.113.66 (132) [tos 0x10]
19:59:13.347190 217.4.250.8.35608 > 217.9.113.66.ftp: S 926670463:926670463(0) win 5840 <mss 1460,sackOK,timestamp 52220628 0,
19:59:13.447849 217.9.113.66.ftp > 217.4.250.8.35608: S 840322402:840322402(0) ack 926670464 win 32120 <mss 1460,sackOK,timest
19:59:13.447945 217.4.250.8.35608 > 217.9.113.66.ftp: . ack 1 win 5840 <nop,nop,timestamp 52220638 2286511272> (DF)
19:59:13.518270 217.9.113.66.ftp > 217.4.250.8.35608: P 1:249(248) ack 1 win 32120 <nop,nop,timestamp 2286511282 52220638> (DF
19:59:13.518367 217.4.250.8.35608 > 217.9.113.66.ftp: . ack 249 win 6432 <nop,nop,timestamp 52220645 2286511282> (DF) [tos 0x1
19:59:13.518817 217.4.250.8.35608 > 217.9.113.66.ftp: F 1:1(0) ack 249 win 6432 <nop,nop,timestamp 52220645 2286511282> (DF) [
19:59:13.525785 217.9.113.66.ftp > 217.4.250.8.35608: F 249:249(0) ack 1 win 32120 <nop,nop,timestamp 2286511282 52220638> (DF
19:59:13.526164 217.4.250.8.35608 > 217.9.113.66.ftp: . ack 250 win 6432 <nop,nop,timestamp 52220646 2286511282> (DF) [tos 0x1
19:59:13.572175 217.9.113.66.ftp > 217.4.250.8.35608: . ack 2 win 32120 <nop,nop,timestamp 2286511290 52220645> (DF)
19:59:20.501533 217.4.250.8.35609 > 217.9.113.66.ftp: S 933158888:933158888(0) win 5840 <mss 1460,sackOK,timestamp 52221343 0,
19:59:20.551516 217.9.113.66.ftp > 217.4.250.8.35609: S 856735184:856735184(0) ack 933158889 win 32120 <mss 1460,sackOK,timest
19:59:20.551613 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1 win 5840 <nop,nop,timestamp 52221348 2286511987> (DF)
19:59:20.650476 217.9.113.66.ftp > 217.4.250.8.35609: P 1:67(66) ack 1 win 32120 <nop,nop,timestamp 2286511993 52221348> (DF)
19:59:20.650579 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 67 win 5840 <nop,nop,timestamp 52221358 2286511993> (DF) [tos 0x10
19:59:24.856106 217.4.250.8.35609 > 217.9.113.66.ftp: P 1:11(10) ack 67 win 5840 <nop,nop,timestamp 52221778 2286511993> (DF)
19:59:24.896293 217.9.113.66.ftp > 217.4.250.8.35609: . ack 11 win 32120 <nop,nop,timestamp 2286512422 52221778> (DF)
19:59:24.910156 217.9.113.66.ftp > 217.4.250.8.35609: P 67:118(51) ack 11 win 32120 <nop,nop,timestamp 2286512422 52221778> (D
19:59:24.910224 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 118 win 5840 <nop,nop,timestamp 52221784 2286512422> (DF) [tos 0x1
19:59:26.198941 217.4.250.8.35609 > 217.9.113.66.ftp: P 11:25(14) ack 118 win 5840 <nop,nop,timestamp 52221913 2286512422> (DF
19:59:26.261343 217.9.113.66.ftp > 217.4.250.8.35609: P 118:190(72) ack 25 win 32120 <nop,nop,timestamp 2286512557 52221913> (
19:59:26.261425 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 190 win 5840 <nop,nop,timestamp 52221919 2286512557> (DF) [tos 0x1
19:59:26.277847 217.9.113.66.ftp > 217.4.250.8.35609: P 190:262(72) ack 25 win 32120 <nop,nop,timestamp 2286512557 52221913> (
19:59:26.277920 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 262 win 5840 <nop,nop,timestamp 52221920 2286512557> (DF) [tos 0x1
19:59:26.294356 217.9.113.66.ftp > 217.4.250.8.35609: P 262:334(72) ack 25 win 32120 <nop,nop,timestamp 2286512557 52221913> (
19:59:26.294424 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 334 win 5840 <nop,nop,timestamp 52221922 2286512557> (DF) [tos 0x1
19:59:26.310864 217.9.113.66.ftp > 217.4.250.8.35609: P 334:406(72) ack 25 win 32120 <nop,nop,timestamp 2286512557 52221913> (
19:59:26.310932 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 406 win 5840 <nop,nop,timestamp 52221924 2286512557> (DF) [tos 0x1
19:59:26.521730 217.9.113.66.ftp > 217.4.250.8.35609: P 406:1771(1365) ack 25 win 32120 <nop,nop,timestamp 2286512563 52221919
19:59:26.521806 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1771 win 8190 <nop,nop,timestamp 52221945 2286512563> (DF) [tos 0x
19:59:26.523495 217.4.250.8.35609 > 217.9.113.66.ftp: P 25:31(6) ack 1771 win 8190 <nop,nop,timestamp 52221945 2286512563> (DF
19:59:26.599132 217.9.113.66.ftp > 217.4.250.8.35609: P 1771:1790(19) ack 31 win 32120 <nop,nop,timestamp 2286512590 52221945>
19:59:26.638231 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1790 win 8190 <nop,nop,timestamp 52221957 2286512590> (DF) [tos 0x
19:59:29.151684 217.4.250.8.35609 > 217.9.113.66.ftp: P 31:56(25) ack 1790 win 8190 <nop,nop,timestamp 52222208 2286512590> (D
19:59:29.208498 217.9.113.66.ftp > 217.4.250.8.35609: P 1790:1841(51) ack 56 win 32120 <nop,nop,timestamp 2286512852 52222208>
19:59:29.208584 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1841 win 8190 <nop,nop,timestamp 52222213 2286512852> (DF) [tos 0x
19:59:29.208840 217.4.250.8.35609 > 217.9.113.66.ftp: P 56:62(6) ack 1841 win 8190 <nop,nop,timestamp 52222213 2286512852> (DF
19:59:29.257378 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120 <mss 1460,sackOK,timestamp 22865
19:59:29.325064 217.9.113.66.ftp > 217.4.250.8.35609: . ack 62 win 32120 <nop,nop,timestamp 2286512860 52222213> (DF)
19:59:32.304569 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120 <mss 1460,sackOK,timestamp 22865

Which ports must I open? Thanks for your config or help.

Roland
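The last two lines of the trace show the server's ftp-data port (tcp/20) sending a SYN to the client's port 35610 and retransmitting it three seconds later with no answer: the dir command made the client send PORT, so the server opens an active-mode data connection towards the client, and the INPUT rules in the post only accept high-port packets whose SYN flag is clear, so that SYN is dropped. The usual answer is not to open a port range but to let the kernel's FTP connection-tracking helper read the PORT/PASV exchange on the control channel and classify the data connection as RELATED, so the existing ESTABLISHED,RELATED rules accept it in either direction. The script below is an added example, not Roland's configuration and not from any project: it assumes the interface variables EXT and INT (defaults chosen here), uses the current module and match names (nf_conntrack_ftp, nf_nat_ftp, -m conntrack --ctstate; on the 2.4 kernels of this era the modules were ip_conntrack_ftp and ip_nat_ftp and -m state --state is the equivalent match), and only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the configuration from the post. Outbound-FTP rules
# for a Linux NAT router that rely on the kernel FTP conntrack helper
# instead of opening high-port ranges. Assumed names: EXT (outside
# interface, ippp0 in the post), INT (inside LAN interface, assumed eth0).
# Commands are only printed unless APPLY=1 is set, so the script can be
# reviewed on any machine and applied as root on the router.

EXT="${EXT:-ippp0}"
INT="${INT:-eth0}"

# run: print the command; execute it only when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

ipt() { run iptables "$@"; }

ftp_firewall_rules() {
    # 1. The helper watches PORT/PASV on the control channel (tcp/21) and
    #    registers the announced data connection as an expectation, so the
    #    data SYN, whichever side sends it, is classified RELATED.
    #    nf_nat_ftp additionally rewrites the address inside PORT when the
    #    client sits behind MASQUERADE. (2.4 kernels: ip_conntrack_ftp and
    #    ip_nat_ftp, which were attached to port 21 automatically.)
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp

    # 2. Kernels from 4.7 on do not attach helpers automatically; bind the
    #    FTP helper to control connections explicitly in the raw table,
    #    both for the router's own clients and for forwarded LAN clients.
    ipt -t raw -A OUTPUT     -p tcp --dport 21 -j CT --helper ftp
    ipt -t raw -A PREROUTING -i "$INT" -p tcp --dport 21 -j CT --helper ftp

    # 3. Stateful accept on every chain. Thanks to step 1, the server's
    #    active-mode SYN from port 20 (what the tcpdump shows going
    #    unanswered) and the client's passive-mode SYN to the server's PASV
    #    port both arrive as RELATED and pass here. No "! --syn" holes.
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done

    # 4. Only new control connections are opened explicitly.
    ipt -A OUTPUT  -o "$EXT" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$INT" -o "$EXT" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # 5. NAT for the LAN, as in the post; nf_nat_ftp fixes up PORT payloads.
    ipt -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
    return 0
}

ftp_firewall_rules
```

Run it as root with APPLY=1 on the router; without APPLY=1 it prints the rules so they can be reviewed anywhere. It appends rules only and sets no chain policies, so it assumes the DROP default policy the post's ruleset implies. The explicit -j CT --helper ftp rules are what make this work on kernels from 4.7 onwards; between 2.6.34 and 4.7 they are redundant but harmless, and on a 2.4 kernel the CT target does not exist and loading ip_conntrack_ftp (plus ip_nat_ftp for the masqueraded LAN) is enough. A quick check that needs no firewall change is to type passive at the ftp> prompt before dir: if the listing then works, the only thing being blocked is the active-mode data connection the trace shows.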