> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
> Sent: Wednesday, March 03, 2004 10:25 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Allowing FTP and internal but nothing else
>
>
> On Wednesday 03 March 2004 5:18 pm, David Cannings wrote:
>
> > I am no guru but here is my 2c.
> >
> > > iptables -I INPUT -i eth0 -j ACCEPT
> >
> > This would accept any packet coming in on eth0, this is fine as long
> > as you didn't want to be more restrictive about this interface.
> >
> > > iptables -I INPUT -i eth1 -d port 21 -j ACCEPT
> > > iptables -I INPUT -i eth1 -d port 20 -j ACCEPT
> >
> > Both should be "--dport", "-d" is destination, for hosts. You'd use
> > -d like this:
> >
> > iptables -I INPUT -d 192.168.0.1 -j ACCEPT
> >
> > Your rule above could be rewritten as:
> >
> > iptables -I INPUT -i eth1 --dport 21 -j ACCEPT
>
> If you want to specify a port, you must first specify a protocol. Only TCP
> and UDP use port numbers, therefore the protocol must be one of these.
>
> FTP uses TCP, so what you actually want to specify is:
>
> iptables -I INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
>
> > For FTP, you might like to look into the FTP connection tracking
> > helpers. Also, you may well need rules to allow established or related
> > packets.
>
> I agree.
>
> Regards,
>
> Antony.
>
> --

Thanks gentlemen, I appreciate it. For now I just want to be able to establish FTP traffic and deny everything else. My syntax is a throw over from Cisco I'm sure. :) I've noticed that I had to rearrange the lines as they get entered somewhat backward from what I am used to. This is what eventually worked:

iptables -I INPUT -i eth0 -j ACCEPT
iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 20 -j ACCEPT

Admittedly this far I have only established connections and not pulled anything.
I will look into the connection tracking helpers but other than to simply keep an eye on FTP connections what does the "helpers" part do?
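As an added example (not code from anyone in the thread), the same policy written with -A so the rules read top to bottom, relying on the FTP conntrack helper rather than an inbound port-20 rule: the helper watches the control channel on port 21 for PORT/PASV exchanges and marks the resulting data connection RELATED, so one state rule admits it. Assumptions: eth0 is the trusted LAN, eth1 the untrusted side, the helper module is nf_conntrack_ftp (ip_conntrack_ftp on 2.4-era kernels), and IPT/MODPROBE default to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: FTP-server INPUT policy with connection tracking.
# Set IPT=iptables MODPROBE=modprobe (as root) to apply for real;
# by default the commands are only echoed so the script is safe to run.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# Load the FTP helper so data connections get tracked as RELATED.
load_ftp_helper() {
    $MODPROBE nf_conntrack_ftp
}

# Rules are appended (-A), so they are evaluated in the order written.
ftp_server_rules() {
    $IPT -P INPUT DROP          # default deny; only explicit allows pass
    $IPT -F INPUT               # start from an empty chain
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i eth0 -j ACCEPT                     # trusted side
    # Replies to sessions we already track, plus helper-marked FTP data
    # connections (active mode from port 20, passive to a high port).
    $IPT -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the FTP control channel is opened for new connections.
    $IPT -A INPUT -i eth1 -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Everything else on eth1 hits the DROP policy; log a rate-limited sample.
    $IPT -A INPUT -i eth1 -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

load_ftp_helper
ftp_server_rules
```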