Firewall blocking FTP

Dan Egli <dan@xxxxxxxxxxxxxxxxxxxxxxx> · Sat, 13 Sep 2003 00:10:13 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok. I goofed somewhere. I setup a firewall to do port forwarding, ip
masquerading, and port blocking. All seems to work fine, EXCEPT that I
cannot ftp. So how can I modify the rules shown below (from
iptables-save) to make port AND pasv ftp work? It only seems to be ftp.

Thanks!

- --- Dan

# Generated by iptables-save v1.2.8 on Thu Sep 11 20:15:39 2003
*nat
:PREROUTING ACCEPT [1096:83209]
:POSTROUTING ACCEPT [1873:150574]
:OUTPUT ACCEPT [3386:269119]
- -A PREROUTING -s ! 192.168.0.0/255.255.255.0 -p tcp -m multiport
- --dports 8021,8023,webcache,binkp,65535,3021 -j DNAT --to-destination
192.168.0.10
- -A PREROUTING -s ! 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 23 -j
DNAT --to-destination 192.168.0.10:8023
- -A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Sep 11 20:15:39 2003
# Generated by iptables-save v1.2.8 on Thu Sep 11 20:15:39 2003
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [20509:13605663]
:OUTPUT ACCEPT [17786:3595002]
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 2064 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 8021,8023,webcache,binkp,65535 -j
ACCEPT
- -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
- -A INPUT -i eth0 -p udp -m udp --sport 137 -j ACCEPT
- -A INPUT -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports
smtp,ftp,telnet,ssh,sunrpc,8025,pgpkeyserver -j ACCEPT
- -A INPUT -p tcp -m multiport --dports
telnet,ssh,domain,nntp,ntp,printer,pop3,imap,http,https,netbios-ns,netbios-dgm,netbios-ssn,sunrpc
- -j ACCEPT
- -A INPUT -p udp -m multiport --dports
domain,ntp,router,netbios-ns,netbios-dgm,netbios-ssn -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p udp -m multiport --dports daytime,time,utime,timed -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 11370 -j ACCEPT
- -A INPUT -i eth1 -p icmp -m limit --limit 3/sec -m icmp --icmp-type 8 -j
ACCEPT
- -A INPUT -j REJECT --reject-with icmp-host-unreachable
COMMIT
# Completed on Thu Sep 11 20:15:39 2003

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE/YrTFxQEzeXtVwzoRAjJ5AKCeGhkcvz32rk6Dkrqr/6SgzBMA+ACgzRmv
PUcAJRClZ0SF4CGiu7nbQ+A=
=UTJ2
-----END PGP SIGNATURE-----