RE: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES
With this ruleset (see original message below), you only allow incoming HTTP requests.
Let me see if I got this correct (reduced to a minimum for readability):

*** BEGIN ***
# eth0 internal interface
# eth1 external interface
iptables -N allowed_out
iptables -A allowed_out -i eth0 -p tcp --dport 80 -m state ! --state INVALID -j ACCEPT
# Active FTP rules following
iptables -A allowed_out -i eth0 -p tcp --dport 21 -m state ! --state INVALID -j ACCEPT
iptables -A allowed_out -i eth0 -p tcp --dport 20 -m state ! --state INVALID -j ACCEPT

iptables -N allowed_in
# Allow incoming high-port FTP - only when active FTP is being used
iptables -A allowed_in -i eth1 -p tcp --sport 20 --dport 1024: -j ACCEPT

iptables -N block
# Block all other
iptables -A block -i eth1 -m state --state NEW,INVALID -j DROP
*** END ***

This sample above would allow HTTP in both directions, and FTP outbound (from eth0)?

Cheers
Knut Erik

-----Original Message-----
From: keith@topaz5.worldonline.co.uk [mailto:keith@topaz5.worldonline.co.uk]
Sent: Tuesday, July 22, 2003 6:33 PM
To: Knut Erik Hauslo; suse-security@suse.com
Subject: RE: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES

<SNIP>
#------------------------------------------------------#
# create a new chain for apache connections
#------------------------------------------------------#
iptables -N open_port_80

# LOG all NEW, ESTABLISHED, RELATED
# remote connections coming in on ppp0 to apache port 80
iptables -A open_port_80 -i ppp0 -p tcp --dport 80 \
  -m state ! --state INVALID \
  -j LOG --log-prefix 'Remote Port 80 connects '

# ACCEPT all NEW, ESTABLISHED, RELATED
# remote connections coming in on ppp0 to apache port 80
iptables -A open_port_80 -i ppp0 -p tcp --dport 80 \
  -m state ! --state INVALID \
  -j ACCEPT

# LOG all local connections to apache port 80
iptables -A open_port_80 -i ! ppp0 -p tcp --dport 80 \
  -j LOG --log-prefix 'Local Port 80 connects '

# ACCEPT all local connections to apache port 80
iptables -A open_port_80 -i ! ppp0 -p tcp --dport 80 -j ACCEPT

#------------------------------------------------------#
# create new chain that blocks all other
# new connection attempts coming in from ppp0
#------------------------------------------------------#
iptables -N block

# LOG all other new connection attempts (& invalid packets) coming from ppp0
iptables -A block -i ppp0 -m state --state NEW,INVALID \
  -j LOG --log-prefix 'DROPPED NEW CONNS ON PPP0 '

# DROP all new connection attempts (& invalid packets) coming from ppp0
# and not for apache web server
iptables -A block -i ppp0 -m state --state NEW,INVALID -j DROP
<SNIP>
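As an added illustration (not part of the original post, nor of SuSEfirewall2 or iptables itself), the evaluator below transcribes the reduced ruleset from the mail and traces which user chain decides the fate of a few constructed sample packets. The traversal order of the three chains, the ACCEPT policy on fall-through and the `Packet`/`Rule` names are assumptions made here for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    iface: str   # interface the packet arrived on (iptables -i)
    proto: str   # "tcp" / "udp"
    sport: int
    dport: int
    state: str   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

@dataclass
class Rule:
    target: str                              # ACCEPT or DROP
    iface: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[Tuple[int, int]] = None  # --dport 80 -> (80, 80); --dport 1024: -> (1024, 65535)
    states: Optional[frozenset] = None       # --state list
    negate_state: bool = False               # "! --state ..." as written in the quoted rules

    def matches(self, p: Packet) -> bool:
        if self.iface and p.iface != self.iface or self.proto and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        # a plain --state match needs the state listed; a negated one needs it absent
        if self.states is not None and (p.state in self.states) == self.negate_state:
            return False
        return True

NOT_INVALID = dict(states=frozenset({"INVALID"}), negate_state=True)
# Transcription of the reduced ruleset from the mail; "-j drop" read as the DROP target.
CHAINS = {
    "allowed_out": [Rule("ACCEPT", iface="eth0", proto="tcp", dport=(port, port), **NOT_INVALID)
                    for port in (80, 21, 20)],
    "allowed_in": [Rule("ACCEPT", iface="eth1", proto="tcp", sport=20, dport=(1024, 65535))],
    "block": [Rule("DROP", iface="eth1", states=frozenset({"NEW", "INVALID"}))],
}
ORDER = ["allowed_out", "allowed_in", "block"]  # assumed order the built-in chain jumps to them

def verdict(p: Packet, policy: str = "ACCEPT") -> str:
    """First terminating target hit while walking the chains; the chain policy on fall-through."""
    for name in ORDER:
        for rule in CHAINS[name]:
            if rule.matches(p):
                return rule.target
    return policy
```

Feeding it a LAN client's request arriving on eth0 and an outside host's request arriving on eth1, both to port 80, shows that the two are handled by different chains; a reply packet in state ESTABLISHED matches none of the three chains and is decided by the policy argument.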