Yes, you do. Port 20 (and/or any other) connections after the control connection are not 'RELATED, ESTABLISHED' to the control connection. They are new connections either from the client to the server or vice versa. You therefore need separate rules for them. Remember connection tracking happens at a packet level, i.e. all states relate to packets of a connection, not per protocol.

Ray

On Tue, 2002-12-10 at 11:43, Rob Sterenborg wrote:
> > You will have to allow port 20 as well... FTP uses both port 20 and 21
>
> Do you ?
> I was under the impression that this line would take care of that (which
> is already in the iptables config) :
>
> iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
>
> However, I'm not sure if it's better to split them up into 2 rules :
> iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -m state --state
> NEW -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED
> -j ACCEPT
>
> Rob
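As an added illustration (not part of the thread, and not anyone's production rule set), here is a small Python model of the stateful matching Ray describes: it walks Rob's split FORWARD rules and shows that an active-mode data connection (server port 20 to the client) is classified NEW, not ESTABLISHED/RELATED to the port-21 control connection, so it is dropped until it has its own rule. The addresses, interface roles and the extra `--sport 20` rule are constructed for the example, and the model assumes no FTP connection-tracking helper is loaded.

```python
from collections import namedtuple

# One forwarded TCP segment; addresses used below are constructed documentation-range values.
Packet = namedtuple("Packet", "src sport dst dport in_if out_if")


class Conntrack:
    """Simplified state table keyed on the 4-tuple. No FTP helper is loaded,
    so nothing is ever classified RELATED; a flow is NEW until recorded."""
    def __init__(self):
        self.flows = set()

    def state(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def record(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))


def filter_forward(rules, ct, p):
    """Walk the FORWARD chain: first matching rule wins, default policy DROP.
    A rule matches on optional in_if/out_if/sport/dport plus the conntrack state."""
    st = ct.state(p)
    for r in rules:
        if r.get("in_if") not in (None, p.in_if) or r.get("out_if") not in (None, p.out_if):
            continue
        if r.get("sport") not in (None, p.sport) or r.get("dport") not in (None, p.dport):
            continue
        if st in r["states"]:
            if st == "NEW":
                ct.record(p)  # the kernel creates the conntrack entry on the first accepted packet
            return "ACCEPT"
    return "DROP"


def simulate(allow_data_port):
    """Run the control handshake and an active-mode data SYN through Rob's split rule set."""
    client, server = "192.0.2.10", "198.51.100.5"  # constructed: client behind eth0, server behind eth1
    rules = [
        {"in_if": "eth0", "out_if": "eth1", "dport": 21, "states": {"NEW"}},  # --dport 21 --state NEW
        {"states": {"ESTABLISHED", "RELATED"}},                               # catch-all for replies
    ]
    if allow_data_port:  # hypothetical extra rule: -i eth1 -o eth0 -p tcp --sport 20 --state NEW
        rules.append({"in_if": "eth1", "out_if": "eth0", "sport": 20, "states": {"NEW"}})
    ct = Conntrack()
    return {
        "control_syn": filter_forward(rules, ct, Packet(client, 40001, server, 21, "eth0", "eth1")),
        "control_reply": filter_forward(rules, ct, Packet(server, 21, client, 40001, "eth1", "eth0")),
        "data_syn": filter_forward(rules, ct, Packet(server, 20, client, 40002, "eth1", "eth0")),
    }
```

`simulate(False)` returns `DROP` for the data SYN while both control packets are accepted; `simulate(True)` accepts it only because of the separate port-20 rule.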