Sorry for the slow reply. Yes, ftp is working without the iptables firewall on. So that is no problem.
I don't see why I should use a nat module, since I am not doing NAT. It is a single server, directly connected to the internet. No LAN behind. So no NAT. However, this iptables script is still mysteriously blocking *some* people from reaching my machine, while others can connect without trouble. I still don't understand, I am afraid. Anyone?

Pim

On Thu, 14 Oct 2004 15:07:38 +0200, Riccardo Tortorici <[EMAIL PROTECTED]> wrote:
> Did you "modprobed" the nat FTP Module?
> modprobe ip_nat_ftp
>
> Did you allow also the ftp-data port?
> From /etc/services:
>
> ftp-data 20/tcp
> ftp 21/tcp
>
> bye
>
> Pim Bliek wrote:
> > Hi All,
> >
> > I still have trouble, with FTP. A user is able to login, but cannot
> > retrieve any data (also no 'ls' because of that). Here are the lines
> > in my fw-script about FTP:
> >
> > $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 20 ! --syn -j ACCEPT
> > $IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d $NET --dport 20 -j ACCEPT
> >
> > $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 21 -j ACCEPT
> > $IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d $NET --dport 21 -j ACCEPT
> >
> > What is wrong here?
> >
> > Pim
> >
> > On Wed, 13 Oct 2004 07:40:09 -0700 (PDT), Sergio Basurto <[EMAIL PROTECTED]> wrote:
> > >
> > > On Wed, 13 Oct 2004 16:35:46 +0200, Pim Bliek wrote:
> > >
> > > > That worked! Thanx a lot!
> > > > I am not sure I understand how it works, but it works
> > >
> > > :)
> > >
> > > > Pim
> > > >
> > > > On Wed, 13 Oct 2004 07:00:30 -0700 (PDT), Sergio Basurto <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > On Wed, 13 Oct 2004 15:37:35 +0200, Pim Bliek wrote:
> > > > >
> > > > > > Hi All,
> > > > > >
> > > > > > I am trying to get a firewall running, but I am no networking expert.
> > > > > > I use Debian Sid, and kernel 2.4.25-1-386 (yes I need to upgrade ;)).
> > > > >
> > > > > (...)
> > > > >
> > > > > > Regards,
> > > > > > Pim Bliek
> > > > >
> > > > > you must add something like this, adapt to your script variables.
> > > > > iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
> > > > >
> > > > > In the line above you specify that allow connections to your host in port 80.
> > > > >
> > > > > Also you can get excellent documentation in the following link:
> > > > > www.netfilter.org
> > > > >
> > > > > just adapt this to your script.
> > > > >
> > > > > I hope this helps.
> > > > >
> > > > > I recommend you that separate your rules in the following order in your script
> > > > >
> > > > > INPUT
> > > > > OUTPUT
> > > > > FORWARD
> > > > > PREROUTING
> > > > > POSTROUTING
> > > > >
> > > > > in order to get it more readable.
> > > > >
> > > > > Regards.
> > > > >
> > > > > --
> > > > > Sergio Basurto J.
> > > > >
> > > > > If I have seen further it is by standing on the shoulders of giants. (Isaac Newton)
> > >
> > > Ing. Sergio Basurto Juárez
> > > Tel: 04455-85322945
> >
> --
> - Riccardo Tortorici -
> Linux Registered User #365170
> Count yourself @ http://counter.li.org/ !
> Proudly Running Debian GNU/Linux "Sid" - Linux Kernel 2.6.8.1
> --
> HTML email can be dangerous, is not always readable, wastes bandwidth
> and is simply not necessary please don't send them to me!
> If you don't know what I'm talking about please read this:
> http://www.georgedillon.com/web/netiquette.shtml
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
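An added example, not posted by anyone in this thread, showing the shape of a stateful FTP ruleset for a single Internet-facing host with no NAT, in the style of the rules quoted above. Two points it illustrates: the iptables `-i`/`-o` options take an interface name (such as `eth0`), not an address, so a rule written as `-i $NET` with `$NET` set to an address is rejected rather than matching anything; and FTP data connections (server port 20 outbound in active mode, a high port inbound in passive mode) are only classified `RELATED` once the connection-tracking helper is loaded (`ip_conntrack_ftp` on 2.4 kernels, `nf_conntrack_ftp` on later ones; `ip_nat_ftp` is the NAT counterpart and is not needed without NAT). The variable names `IPT` and `EXTIF`, the function names and the sample rule passed to the lint are assumptions of this example. The script prints the rules for review instead of applying them, and the lint catches the address-as-interface mistake before anything is loaded.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful FTP ruleset for a single
# Internet-facing host without NAT, plus a lint for the "-i <address>" mistake.
# Assumed names: IPT (iptables path) and EXTIF (external interface name).
IPT=${IPT:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}

# Emit the rules instead of applying them, so they can be reviewed first.
ftp_rules() {
    cat <<EOF
# Connection-tracking helper (2.4 kernels: ip_conntrack_ftp; 2.6+: nf_conntrack_ftp).
# It parses PORT/PASV on the control channel so the data connection is
# classified RELATED; ip_nat_ftp is only needed when NAT is in use.
modprobe ip_conntrack_ftp
# Replies and helper-announced data connections (passive mode: client -> high port)
$IPT -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Control channel: new connections to port 21 only
$IPT -A INPUT -i $EXTIF -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Active mode: the server opens the data connection from port 20; with the
# helper loaded that outbound connection is RELATED, so no blanket OUTPUT rule
$IPT -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Return 1 when a rule on stdin gives -i/-o an IPv4 address instead of an
# interface name (the form the thread's rules take once \$NET holds an address).
lint_iface_args() {
    if grep -E -q -e '(^|[[:space:]])-[io][[:space:]]+[0-9]+(\.[0-9]+){3}'; then
        echo "lint: -i/-o take an interface name (e.g. eth0), not an address" >&2
        return 1
    fi
    return 0
}

# Review the generated rules; apply later with:  ftp_rules | sh
ftp_rules | lint_iface_args && ftp_rules
```

The ruleset is deliberately limited to FTP; on a real host the other services (SSH in particular) need their own `ACCEPT` rules before any catch-all `DROP`, and the ordering advice given earlier in the thread (group by chain) keeps that review manageable.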