Thanks a lot for the detailed explanation. Comments inline. On Wed, Aug 13, 2003 at 03:39:39PM -0700, Daniel Chemko wrote: > ->> You probably want at least: > ->> modprobe ipt_conntrack_ftp > ->> modprobe ipt_nat_ftp ok. > $IPTABLES -F > $IPTABLES -F -t nat > > ->> Set this AFTER you have setup all your rules, otherwise you have a > hole for hackers to reach through while applying rules ?????? But this will erase all the rules which we have set if you do it at last. > ->> Should instead be a related rule: > ->> $IPTABLES -A INPUT -i lo -j ACCEPT # All Outbounds are ok > ->> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Got it. Great. > ->>Only TCP connections, not UDP and -s 0/0 is redundant > $IPTABLES -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT [...] Ok. A bit OT here, but why not UDP? /etc/services lists udp also for the same. > $IPTABLES -A INPUT -p udp -s 0/0 --dport 80 -j ACCEPT > ->> This will not work for responses. Use this as well: > ->> $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT if you want > internet pings from the firewall to work > $IPTABLES -A INPUT -p icmp -s $LAN_IP_RANGE -j ACCEPT What is wrong with my rules? > ->> This section is not needed. Set: > ->> iptables -P OUTPUT ACCEPT Ok. Then why not the same for FORWARD chain too? Since we are forwarding everything from LAN outside as well? If we want people to just do ftp and nothing else, will this be ok, iptables -P FORWARD DROP iptables -A FORWARD -p tcp -s 192.168.10.0/24 -d 0/0 --dport 21 -j ACCEPT Thanks a lot for the wonderful explanation. With warm regards, -Payal -- "Visit GNU/Linux Success Stories" http://payal.staticky.com Guest-Book Section Updated.
