On Tuesday 10 December 2002 02:52, Jozsef Kadlecsik wrote:
> On Mon, 9 Dec 2002, Alexandros Papadopoulos wrote:
> > /sbin/iptables -P OUTPUT DROP
> >
> > #####################
> > #### CHAIN INPUT ####
> > #####################
> >
> > ## Accept everything incoming on loopback interface
> > /sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
> >
> > ## Accept all incoming traffic from related or established connections
> > /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > ## Allow connections to our ftp server
> > /sbin/iptables -A INPUT -p tcp --dport 2121 -j ACCEPT
> >
> > ..but still, the packets with the SYN flag set when the client
> > tries to establish the new data connection are dropped. Someone
> > please tell me what I am missing? I'm sure it's something obvious
> > but I can't seem to find it!
>
> What about the rules in the OUTPUT chain?

Oops, I'm sorry. I actually tested with a default ACCEPT policy in the
output chain to rule out problems from there, but forgot to mention it.

In any case, the relevant rules from the output chain are:

## Allow outgoing FTP (data) + HTTP replies
/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allow data for incoming FTP to return back to sender
/sbin/iptables -A OUTPUT -p tcp --sport 2121 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

I'd bet that the problem is that the SYN request sent from the client to
my server gets dropped, though. Seems like a conntrack/INPUT thing.

Thanks
-A

--
http://andrew.cmu.edu/~apapadop/pub_key.asc
3DAD 8435 DB52 F17B 640F D78C 8260 0CC1 0B75 8265