I had this rule in my file as well. I am pretty sure that this takes care of the new connections. (The cdmz-cnet is a chain that is jumped to from the FORWARD chain.)

$IPT -A cdmz-cnet -p tcp --dport 21 -j ACCEPT

----- Original Message -----
From: "Ralf Spenneberg" <lists@xxxxxxxxxxxxxx>
To: "Peter Marshall" <peter.marshall@xxxxxxxxx>
Cc: "Netfilter" <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, August 12, 2003 5:49 PM
Subject: Re: iptables and the RELATED option

> On Tue, 2003-08-12 at 20:53, Peter Marshall wrote:
> > Hi, my name is Peter Marshall. I am having some problems letting FTP
> > through my firewall without opening all of the ports. I was trying to get
> > RELATED to work, but for some reason it will not. Here is an example of
> > what my file looks like:
> >
> > $TABLENAME -A FORWARD -d x.x.x.x -o eth2 -j mychain
> >
> > $TABLENAME -A mychain -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $TABLENAME -A mychain -j DROP
> 1.
> You need a rule which allows new connections to the FTP server.
>
> Additionally you have to load the module ip_conntrack_ftp.
> If using NAT you have to load ip_nat_ftp.
>
> Cheers,
>
> Ralf
> --
> Ralf Spenneberg
> RHCE, RHCX
>
> Book: Intrusion Detection für Linux Server http://www.spenneberg.com
> IPsec-Howto http://www.ipsec-howto.org
> Honeynet Project Mirror: http://honeynet.spenneberg.org
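The complete ruleset the two messages describe, put together as an added example (this is not a script from the thread or from either poster): the FTP helper modules Ralf names, the FORWARD jump into a per-server chain, the ESTABLISHED,RELATED accept, the explicit NEW-to-port-21 accept, and a final DROP. The variable names, the 192.0.2.10 server address standing in for x.x.x.x, the eth2 interface, and the DRY_RUN switch are all assumptions; with DRY_RUN=1 (the default) the script only prints the commands, so it can be reviewed without root or a netfilter-capable host.

```shell
#!/bin/sh
# Added example: stateful FTP forwarding in the style of the cdmz-cnet chain.
# All names below are assumptions for illustration, not values from the thread.
IPT=${IPT:-iptables}
FTP_SERVER=${FTP_SERVER:-192.0.2.10}   # constructed placeholder for x.x.x.x
DMZ_IF=${DMZ_IF:-eth2}
DRY_RUN=${DRY_RUN:-1}                  # 1 = print commands, 0 = execute them

# run: print the command line when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ftp_ruleset: emit (or apply) the rules in the order they must be installed.
ftp_ruleset() {
    # Without the connection-tracking helper, the data connection that the
    # FTP control channel negotiates is never marked RELATED, so the
    # ESTABLISHED,RELATED rule below cannot match it.
    run modprobe ip_conntrack_ftp
    # Only needed when the server sits behind NAT (rewrites addresses in the
    # PORT/PASV payload as well as the packet headers).
    run modprobe ip_nat_ftp

    run $IPT -N cdmz-cnet
    # Jump every forwarded packet for the FTP server into the chain.
    run $IPT -A FORWARD -d "$FTP_SERVER" -o "$DMZ_IF" -j cdmz-cnet
    # Replies and helper-tracked data connections.
    run $IPT -A cdmz-cnet -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The rule for brand-new control connections, which RELATED never covers.
    run $IPT -A cdmz-cnet -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Everything else destined for the server is dropped.
    run $IPT -A cdmz-cnet -j DROP
}

# has_rule: exit 0 when the generated ruleset contains the given fragment.
has_rule() {
    ftp_ruleset | grep -q -- "$1"
}

# rule_count: number of command lines the ruleset produces.
rule_count() {
    ftp_ruleset | wc -l | tr -d ' '
}

ftp_ruleset
```

On kernels of the thread's era the modules are named as above; on current kernels they are nf_conntrack_ftp and nf_nat_ftp, and since Linux 4.7 automatic helper assignment is off by default, so loading the module is not enough: a raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` must bind the helper to the control connection before RELATED will match the data channel. Either way, the order matters: the ESTABLISHED,RELATED rule comes first, the NEW rule is limited to port 21, and the DROP stays last.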