Hi Stephan,

try something like this (adapt $p_high, $EXT and $IPTABLES to your needs!):

<SNIP>
p_high="1024:65535"
EXT="ippp0"
IPTABLES="/usr/sbin/iptables"
<SNIP>

#------------------------------------------------------------------------------
# ftp
#
# control connection
#
$IPTABLES -A OUTPUT -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT
#
# passive data connection
#
$IPTABLES -A OUTPUT -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT
<SNIP>

Works fine for me!

Best regards,
Ralf

OKDesign oHG Security Administrator wrote:
Hi folks,
this question is not really directly security-related, but I'm going to post it here, because I got the problem due to my intention to be as secure as possible :)
As I read that the "older" kernel 2.2 is not as secure as the newer 2.4, I installed my Linux machine completely from scratch with SuSE 7.3. This box acts as a router/gateway for the LAN. At first sight everything works fine, but I found that it's not possible to connect to FTP servers from the clients. Well, the connection itself works, but I can't get the dirlist. I tried out several servers, all with the same effect: the connection works, but when the client wants to get the dir, the connection hangs. I know I had the same problem with 2.2 and could solve it with "insmod ftp_masq" (or similar), but now this module can't be found on the whole HDD. Maybe there is a special iptables command necessary? Can someone please point me in the right direction and/or tell me how to get this to work?
Routing/Masquerading is actually done with:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Is something missing ?
Thanks in advance for your help.
Stephan
-- ------------------------------------------------------------ Ralf Ronneburger ralf@ronneburger.de Prefers to receive encrypted Mail, download public-key from http://www.ronneburger.net/gpg/ralf_ronneburger.asc ------------------------------------------------------------
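An added example, not part of either mail above, for the case Stephan actually asks about: clients behind a masquerading 2.4 gateway. Ralf's rules act on the OUTPUT chain, i.e. on FTP sessions started from the gateway itself; forwarded client sessions are decided in the FORWARD chain and in the nat table. The 2.2-era ftp_masq module was replaced in 2.4 by the ip_conntrack_ftp and ip_nat_ftp modules, which watch the PORT/PASV exchange on the control connection and mark the resulting data connections as RELATED; with them loaded, one ESTABLISHED,RELATED rule in FORWARD covers both active and passive data connections for the whole LAN, and no high-port range has to be opened. The interface names (ppp0, eth0), the iptables path and the exact rule set are assumptions made for this example. The script prints the commands by default so they can be reviewed without root; pass "apply" to execute them.

```shell
#!/bin/sh
# Added example (not from the original mails): FTP through a 2.4 iptables
# masquerading gateway.  Interface names and the iptables path are assumed.
EXT=${EXT:-ppp0}                       # dial-up / external interface
LAN=${LAN:-eth0}                       # interface towards the clients
IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# Emit the commands instead of running them, so the rule set can be
# reviewed (or checked by a test) without root privileges.
ftp_gateway_rules() {
    cat <<EOF
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE
$IPTABLES -A FORWARD -i $LAN -o $EXT -m state --state NEW -p tcp --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $LAN -m state --state NEW -j DROP
EOF
}

# Helper for checks: does the generated rule set contain the given pattern?
rules_contain() {
    ftp_gateway_rules | grep -q -- "$1"
}

case "${1:-}" in
    apply) ftp_gateway_rules | sh -e ;;   # run the commands as root
    *)     ftp_gateway_rules ;;           # default: just print them
esac
```

The only NEW connection admitted from the LAN here is the FTP control channel; the data channel, in either direction, is accepted solely because the helper has seen it announced on a control connection the gateway already tracks. The last rule makes that explicit by dropping any other new connection arriving on the external interface, which is the check worth keeping when the helper is loaded.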