Re: how to set ports for ip_conntrack_ftp

Jonas Meurer wrote:

What do the "-d **.**.***.**/31" address ranges represent ?

it is 62.75.128.98/31, which should be 62.75.128.98 and 62.75.128.99.

Actually I did not ask for their exact values but their meaning network-wise. Because usually, when there is "-d <range>" in an INPUT rule there is "-s <range>" in its OUTPUT counterpart or vice versa, but both your INPUT and OUTPUT rule contain the same "-d <range>". So I was wondering. Are these the client and server addresses ?

Let's say the ftp-servers are on ports 9621 and 9721. Then I need to open
9620 and 9720 as well for ftp, correct?

Yes. But I repeat that opening 9620 and 9720 is effective for active mode only. Passive mode won't work.

So what am I missing here:
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
  -m multiport -p tcp --dports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
  -m multiport -p tcp --sports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
                                             ^^^
No need for NEW in this rule. This is return traffic.

  -m multiport -p tcp --dports 9620,9720 -d 62.75.128.98/31 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESABLISHED \
                                       typo here  ^^^^
  -m multiport -p tcp --sports 9620,9720 -d 62.75.128.98/31 -j ACCEPT

I repeat: you don't need all those RELATED here (but they don't harm).

After using exactly these commands, I'm still not able to connect to the
ftp-servers.

If I try to log in with lftp, it says [Connecting...], then
[FEAT negotiation...] and then it hangs forever at
[Making data connection...].

This indicates that the control connection succeeds but the data connection fails. Maybe lftp uses passive mode for the data connections by default, then you have to disable it with "set ftp:passive-mode off" so lftp uses active mode instead. You can also use the "debug" command in lftp to get a more verbose output.
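The rules above only pass active-mode data connections, and only because the server's data source ports are opened by hand. What the subject line asks for, making the conntrack FTP helper track the non-standard control ports so that both active and passive data connections are matched as RELATED, is shown below as an added example. It is not code from the thread. It assumes the firewall runs on the FTP server host (which is what INPUT rules with -d 62.75.128.98/31 imply), a kernel with the CT target and the conntrack and helper matches (2.6.34 or later), that the ftpd's passive range is 50000:50100, and that the servers send active-mode data from 9620 and 9720; all of those values are assumptions or taken from the thread. By default it only prints the commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not code posted in the thread. Server-side ruleset for FTP
# daemons on non-standard control ports, using the conntrack FTP helper so
# that data connections in both modes show up as RELATED.
IFACE=${IFACE:-eth0}
SERVERS=${SERVERS:-62.75.128.98/31}   # FTP server addresses (from the thread)
CTRL_PORTS=${CTRL_PORTS:-9621,9721}   # control ports (from the thread)
DATA_PORTS=${DATA_PORTS:-9620,9720}   # active-mode source ports (assumed: control port - 1)
PASV_RANGE=${PASV_RANGE:-50000:50100} # assumed: passive range configured in the ftpd
IPT=${IPT:-"echo iptables"}           # dry run by default; IPT=iptables to apply
MODPROBE=${MODPROBE:-"echo modprobe"}

# The helper module parses PORT/PASV on the control connection and registers
# the announced data endpoint as an expectation, so its first packet is RELATED.
load_helper() {
    $MODPROBE nf_conntrack_ftp
}

server_rules() {
    # Bind the helper to the non-standard control ports explicitly. Since 4.7
    # kernels no longer attach helpers automatically (nf_conntrack_helper=0),
    # so this rule is required there; on older kernels it replaces the
    # "ports=" module parameter.
    $IPT -t raw -A PREROUTING -i "$IFACE" -p tcp -d "$SERVERS" \
        -m multiport --dports "$CTRL_PORTS" -j CT --helper ftp

    # Control connection: the client opens it, so NEW belongs here only.
    $IPT -A INPUT -i "$IFACE" -p tcp -d "$SERVERS" \
        -m multiport --dports "$CTRL_PORTS" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp -s "$SERVERS" \
        -m multiport --sports "$CTRL_PORTS" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # Passive data: the client connects to the port announced in the 227
    # reply. The helper makes that SYN RELATED; limit it to the ftpd's own
    # passive range so a crafted 227 cannot open arbitrary ports.
    $IPT -A INPUT -i "$IFACE" -p tcp -d "$SERVERS" --dport "$PASV_RANGE" \
        -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT

    # Active data: the server connects out from DATA_PORTS to the address
    # the client sent in PORT. With the helper that SYN is RELATED, not NEW.
    $IPT -A OUTPUT -o "$IFACE" -p tcp -s "$SERVERS" \
        -m multiport --sports "$DATA_PORTS" \
        -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT

    # Remaining data-connection traffic in both directions.
    $IPT -A INPUT -i "$IFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

load_helper
server_rules
```

On a 2.6.x kernel of the thread's era without the CT target, the equivalent of the raw-table rule is loading the helper with the ports listed, i.e. `modprobe ip_conntrack_ftp ports=9621,9721`; the helper is then named ftp-9621 / ftp-9721 in the helper match. Either way the point is the same: once the helper sees the control connection, neither the data source ports nor the passive range needs a NEW rule, and restricting the RELATED rules with -m helper and a port range keeps the helper from being used to open anything else.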


