> > I have a problem allowing forwarding of passive internal ftp traffic and,
> > at the same time disallowing ms-streaming (port 1755).
> >
> > Whenever I allow the passive ftp, it also allows ms-streaming going
> > through.
> >
> > My rules are:
> >
> > iptables -A FORWARD -m state --state NEW,ESTABLISHED -s local_lan --sport
> > highports --dport ftp -j ACCEPT
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -s local_lan
> > --sport highports --dport highports -j ACCEPT
>
> Those cannot be all of your rules.
>
> Show us the rest of the rules and we might be able to suggest something.
>
> Antony.

You are right, of course, there are a lot more rules, but those are the ones
that open up ms-streaming traffic.

Well, the complete set of rules I use for passive ftp is actually:

# Accept port 21 out
iptables -A FORWARD -p tcp -m state --state NEW,ESTABLISHED -s local_lan --sport highports -d all_hosts --dport ftp -j ACCEPT -i eth1
# eth1 = Internal nic

# Accept reply on port 21 in
iptables -A FORWARD -p tcp -m state --state ESTABLISHED -d local_lan --dport highports -s all_hosts --sport ftp -j ACCEPT -i eth0
# eth0 = External nic

# Accept high-port to high-port out
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -s local_lan --sport highports -d all_hosts --dport highports -j ACCEPT -i eth1

# Accept high-port to high-port reply in
iptables -A FORWARD -p tcp -m state --state ESTABLISHED -d local_lan --dport highports -s all_hosts --sport highports -j ACCEPT -i eth0

When I uncomment these four iptables commands, ms-streaming passes through.
When commented out, it does not.

I have looked at the iptables -L output, and there are no other rules that
have both source-ports and dest-ports set to highports (1024:65535).

Bo
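A tighter version of Bo's four passive-ftp rules, added here as an example and not taken from the thread: the high-port-to-high-port rules are restricted to connections the kernel's ftp conntrack helper has tied to an FTP control channel (iptables' `-m helper --helper ftp` match), and port 1755 is refused explicitly before any high-port rule can see it. It assumes eth1 is the internal and eth0 the external NIC as in the post, that the ftp helper module is loadable, and that 192.168.1.0/24 stands in for local_lan (a constructed placeholder); set IPT to a real iptables binary to apply instead of dry-run.

```shell
#!/bin/sh
# Default is a dry-run that prints the rules; IPT=iptables applies them.
IPT=${IPT:-"echo iptables"}
LOCAL_LAN=${LOCAL_LAN:-192.168.1.0/24}   # constructed placeholder for local_lan
HIGHPORTS=1024:65535                     # the poster's "highports"

passive_ftp_rules() {
    # The helper makes passive-mode data connections show up as RELATED
    # (module name differs by kernel generation, so try both).
    echo "modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp"

    # Control channel: port 21 out from the LAN, replies back in.
    $IPT -A FORWARD -i eth1 -p tcp -s "$LOCAL_LAN" --sport $HIGHPORTS --dport ftp \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i eth0 -p tcp -d "$LOCAL_LAN" --dport $HIGHPORTS --sport ftp \
        -m state --state ESTABLISHED -j ACCEPT

    # ms-streaming (1755) is inside 1024:65535, so refuse it before the
    # high-port rules below get a chance to match it.
    $IPT -A FORWARD -p tcp --dport 1755 -j REJECT --reject-with tcp-reset
    $IPT -A FORWARD -p udp --dport 1755 -j REJECT

    # Data channel: only high-port traffic the ftp helper has linked to an
    # FTP session, rather than any high-port-to-high-port flow.
    $IPT -A FORWARD -i eth1 -p tcp -s "$LOCAL_LAN" --sport $HIGHPORTS --dport $HIGHPORTS \
        -m helper --helper ftp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i eth0 -p tcp -d "$LOCAL_LAN" --dport $HIGHPORTS --sport $HIGHPORTS \
        -m helper --helper ftp -m state --state ESTABLISHED -j ACCEPT
}

passive_ftp_rules
```

Run with no IPT set to review the generated rule list first; the 1755 REJECT only helps if it sits ahead of every rule that accepts the high-port range.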