Hello

On Monday 09 June 2003 11:42, Leonardo Lombardo wrote:
> Hi all,
>
> a question for you: how can I set my iptables firewall so that natted
> lan users can use ftp in passive mode and have winmx, dc,
> audiogalaxy, .... blocked ? I've tried out all that scripts/lists of
> ip/... I've found on the net but nothing... the only way I found to
> block file sharing is to close all ports 800:65535 but this way
> passive ftp is blocked too.... :(( I'm a very beginner with iptables
> so please be patient...

You should use the nat- and conntrack modules for ftp. Not 100% sure of the names (ip_nat_ftp ip_conntrack_ftp). Then add a rule which allows related and established traffic (iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT). It is important that this rule comes before the rule blocking ports 800:65535. Use iptables -I ... if unsure. If the control connection for ftp is done on port 21, passive and active ftp should work then.

greetings
Axel
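
The ordering requirement from the reply above, as an added example that is not part of the original message: a shell check that reads a rule listing in `iptables -S FORWARD` format and reports whether the RELATED,ESTABLISHED accept sits ahead of the 800:65535 block. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Reads `iptables -S FORWARD` style lines on stdin and prints one of:
#   ok            - state accept precedes the 800:65535 block
#   misordered    - block comes first, so FTP data connections are dropped
#   missing-state - block exists but no RELATED,ESTABLISHED accept
#   no-block      - no rule blocking 800:65535 was found
check_forward_order() {
    awk '
        /^-A FORWARD/ { n++ }   # position of each rule in the chain
        /^-A FORWARD/ && /--(ct)?state/ && /RELATED/ && /ESTABLISHED/ && /-j ACCEPT/ {
            if (!state) state = n
        }
        /^-A FORWARD/ && /800:65535/ && /-j (DROP|REJECT)/ {
            if (!block) block = n
        }
        END {
            if (!block)             print "no-block"
            else if (!state)        print "missing-state"
            else if (state < block) print "ok"
            else                    print "misordered"
        }'
}

# Constructed sample: the order the reply recommends.
sample_good() {
cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 800:65535 -j DROP
EOF
}

# Constructed sample: same rules, block appended before the state rule.
sample_bad() {
cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -p tcp -m tcp --dport 800:65535 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

echo "good ruleset: $(sample_good | check_forward_order)"
echo "bad ruleset:  $(sample_bad | check_forward_order)"
```

On a live gateway the same function can be fed with `iptables -S FORWARD | check_forward_order` (run as root).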