Thanx, I was missing the following line. All seems to be good now. Thanx for the help.

-p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

Landon

-----Original Message-----
From: Peter Marshall [mailto:peter.marshall@xxxxxxxxx]
Sent: Tuesday, August 26, 2003 12:00 PM
To: Landon Chelf; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Broken ftp through iptables

If you want to use passive ftp you have to allow stuff destined to port 21 and you also have to allow (for the commands) traffic to come in on some port that you don't get to pick. The way to do this without actually opening a whole bunch of ports is like this:

From inside network going out and on forward chain:
-p tcp --dport 21 -j ACCEPT
-p tcp -m state --state RELATED -j ACCEPT

From outside network back in on the Forward chain:
-p tcp -m state --state ESTABLISHED -j ACCEPT

If you want to do Active ftp .... well .... trust me, you don't want to do this :)

----- Original Message -----
From: "Landon Chelf" <landonc@xxxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, August 26, 2003 12:21 PM
Subject: Broken ftp through iptables

> Hello,
>
> I've run into a recent problem both on rh8 and rh9 using iptables.
> I've set up my firewall to drop everything incoming and forward and am
> only allowing certain ports to be open. I've opened ftp (port 21 tcp)
> and I can connect via FTP from one machine and authenticate, but when
> I issue my first command like "ls" for instance the connection locks
> up and won't do anything. Is there a way to fix this?
>
> Landon
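The rules Peter describes, assembled into one complete FORWARD-chain script, as an added example that is not part of the thread and not anyone's posted configuration. It assumes a gateway with the inside network on an interface named in LAN_IF and the outside on WAN_IF (constructed placeholder names), a default DROP policy as in Landon's setup, and it adds the one piece the thread leaves implicit: the FTP connection-tracking helper module, without which conntrack never classifies the data connection as RELATED and "ls" hangs exactly as described. Setting IPT and MODPROBE to "echo ..." prints the commands instead of running them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): passive-FTP forwarding rules
# for a stateful iptables gateway. Interface names are constructed placeholders.
LAN_IF="${LAN_IF:-eth1}"        # inside network (assumed name)
WAN_IF="${WAN_IF:-eth0}"        # outside network (assumed name)
IPT="${IPT:-iptables}"          # set IPT="echo iptables" for a dry run
MODPROBE="${MODPROBE:-modprobe}" # set MODPROBE="echo modprobe" for a dry run

# Emit the FORWARD-chain rule bodies, one per line, in the order they must be
# appended. State rules go first so that every reply packet and the RELATED
# data connection are matched before the NEW-connection rule is consulted.
ftp_forward_rules() {
    # Inside -> outside: replies on the control connection, plus the passive
    # data connection the client opens to a server port it does not get to pick.
    # Conntrack marks that connection RELATED only if the FTP helper is loaded.
    echo "-i $LAN_IF -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Outside -> inside: only replies to connections the inside already opened.
    # RELATED is deliberately left out here, as in the thread's advice: adding it
    # would also admit active-mode data connections opened by the server.
    echo "-i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED -j ACCEPT"
    # Inside -> outside: new FTP control connections to port 21.
    echo "-i $LAN_IF -o $WAN_IF -p tcp --dport 21 -m state --state NEW -j ACCEPT"
}

# Sanity check for the mistake in the thread: a ruleset with no RELATED rule
# lets you log in but freezes on the first data command.
count_related_rules() {
    ftp_forward_rules | grep -c -- "RELATED"
}

# Load the helper and apply the rules. The helper is ip_conntrack_ftp on
# 2.4 kernels (the era of the thread) and nf_conntrack_ftp on 2.6 and later.
apply_ftp_forward_rules() {
    $MODPROBE nf_conntrack_ftp 2>/dev/null || $MODPROBE ip_conntrack_ftp
    $IPT -P FORWARD DROP
    ftp_forward_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        $IPT -A FORWARD $rule
    done
}

# Usage: ./ftp_forward.sh apply           (as root, applies the rules)
#        IPT="echo iptables" MODPROBE="echo modprobe" ./ftp_forward.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_ftp_forward_rules
fi
```

The interface restrictions are the defender's addition to Peter's bare rules: a state rule with no -i/-o matches in both directions, so a RELATED rule meant for outbound passive data would also accept inbound helper-tracked connections. Pinning each rule to a direction keeps the behaviour the thread describes (passive only) even if someone later loads the helper with a looser configuration.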