On Monday 15 March 2004 12:57 am, Bo Jacobsen wrote:

> Well, the complete set of rules I use for passive ftp is actually:
>
> # Accept port 21 out
> iptables -A FORWARD -p tcp -m state --state NEW,ESTABLISHED -s local_lan --sport highports -d all_hosts --dport ftp -j ACCEPT -i eth1
>
> # Accept reply on port 21 in
> iptables -A FORWARD -p tcp -m state --state ESTABLISHED -d local_lan --dport highports -s all_hosts --sport ftp -j ACCEPT -i eth0
>
> # Accept high-port to high-port out
> iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -s local_lan --sport highports -d all_hosts --dport highports -j ACCEPT -i eth1
>
> # Accept high-port to high-port reply in
> iptables -A FORWARD -p tcp -m state --state ESTABLISHED -d local_lan --dport highports -s all_hosts --sport highports -j ACCEPT -i eth0

I suggest you replace all the above rules with:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s local_lan --dport 21 -j ACCEPT

and let us know how you get on.

If that doesn't solve the problem then please (a) post your complete ruleset (note the word 'complete'), and (b) include all variables etc. (such as 'local_lan') so that we know how you've defined things.

The output from "iptables -L -nvx; iptables -L -t nat -nvx" would be good.

Regards,

Antony.

-- 
The idea that Bill Gates appeared like a knight in shining armour to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he who, by peddling second-rate technology, led them into it in the first place.
 - Douglas Adams in The Guardian, 25th August 1995

Please reply to the list; please don't CC me.
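Added illustration, not part of the thread above: a toy Python model of the two-rule FORWARD chain Antony suggests, with a minimal connection table and an FTP helper that turns a "227 Entering Passive Mode" reply into an expectation, so the client's data-channel SYN is classified RELATED and accepted by the first rule. It assumes 'local_lan' is 192.168.1.0/24, constructed client/server addresses, a DROP policy for anything unmatched, and simplifies real netfilter conntrack (no TCP flag tracking, no timeouts, expectation not tied to the client address).

```python
import ipaddress
import re
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed value of 'local_lan'
PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")  # FTP PASV reply

class StatefulForward:
    def __init__(self):
        self.conns = set()     # tracked connections, keyed by their two endpoints
        self.expected = set()  # (server_ip, port) the ftp helper expects a data SYN to
    @staticmethod
    def _key(src, sport, dst, dport):
        return frozenset({(src, sport), (dst, dport)})  # same key in both directions
    def state(self, src, sport, dst, dport):
        if self._key(src, sport, dst, dport) in self.conns:
            return "ESTABLISHED"
        if (dst, dport) in self.expected:
            return "RELATED"
        return "NEW"

    def forward(self, src, sport, dst, dport, payload=b""):
        st = self.state(src, sport, dst, dport)
        if st in ("ESTABLISHED", "RELATED"):  # -m state --state ESTABLISHED,RELATED -j ACCEPT
            verdict = "ACCEPT"
        elif ipaddress.ip_address(src) in LOCAL_LAN and dport == 21:  # -p tcp -s local_lan --dport 21 -j ACCEPT
            verdict = "ACCEPT"
        else:
            verdict = "DROP"  # assumed chain policy: nothing else is forwarded
        if verdict == "ACCEPT":
            self.conns.add(self._key(src, sport, dst, dport))
            self.expected.discard((dst, dport))
            if sport == 21:  # ftp helper: a 227 reply on the control channel announces the data port
                m = PASV_RE.search(payload.decode("ascii", "replace"))
                if m:
                    host = ".".join(m.group(i) for i in range(1, 5))
                    self.expected.add((host, int(m.group(5)) * 256 + int(m.group(6))))
        return verdict

def passive_ftp_session():
    fw = StatefulForward()
    c, s = "192.168.1.10", "203.0.113.5"  # constructed client and FTP server addresses
    return [
        fw.forward(c, 40001, s, 21),                                   # control SYN: NEW, matches rule 2
        fw.forward(s, 21, c, 40001, b"220 ready\r\n"),                 # server reply: ESTABLISHED
        fw.forward(s, 21, c, 40001, b"227 Entering Passive Mode (203,0,113,5,195,80)\r\n"),
        fw.forward(c, 40002, s, 195 * 256 + 80),                       # data SYN: RELATED via the helper
        fw.forward(s, 195 * 256 + 80, c, 40002),                       # data reply: ESTABLISHED
        fw.forward(s, 2000, c, 40003),                                 # unsolicited inbound SYN: NEW, dropped
        fw.forward(c, 40004, s, 8080),                                 # outbound non-ftp SYN: NEW, dropped
    ]
```

The real kernel needs the ftp conntrack helper loaded (ip_conntrack_ftp / nf_conntrack_ftp) for the RELATED match to fire; without it the data-channel SYN is plain NEW and the second rule alone will not let it through.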