--- Mark Strasheim <[EMAIL PROTECTED]> wrote:

> Aloha
>
> I have a single interface and do the following iptables commands.
> Everything works as it should (there are some more services with UDP).
>
> iptables -N allowed
> iptables -A allowed -j ACCEPT
> iptables -A INPUT -p TCP --dport 22 -j allowed
> iptables -A INPUT -p TCP --dport 21 -j allowed
> iptables -A INPUT -p UDP --dport 68 -j allowed
> iptables -A INPUT -m state --state RELATED -j allowed
> iptables -A INPUT -m state --state ESTABLISHED -j allowed
> iptables -A INPUT -j DROP

"-m state --state NEW" for your --dport rules. This way packets will get to the ESTABLISHED rule and be processed. When the ESTABLISHED rule gets the FTP PORT command it will create the rule for the RELATED connection.

You should also put the rules in this order:

ESTABLISHED
RELATED
NEW

I don't know if there is a good reason for doing this, but I can't see why anyone would want to have it different.

> I can also log in via ssh and connect to ftp, but scp and ftp auth don't
> work.
> I understand that they talk about a new port and that the firewall doesn't
> see the exchange of that data and therefore can't set the state engine to
> related or established.
> For ftp I loaded the connection tracking module ... (I know it is for NAT,
> but I hoped :) ) but it didn't work.
>
> My question is how I can, with only a few lines, get this to work.
>
> With regards
> Mark Strasheim
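The ruleset below applies the advice in the reply to the rules Mark posted: the ESTABLISHED,RELATED match goes first, every --dport rule is restricted to NEW, and the FTP connection-tracking helper is loaded so the data connection shows up as RELATED. It is an added example written for this thread, not a script either poster supplied. The kernel module names are assumptions (ip_conntrack_ftp on 2.4/2.6-era kernels, nf_conntrack_ftp on current ones; the script tries both), the loopback rule is an addition the original did not have, and the function prints the commands instead of executing them so it runs without root or iptables installed.

```shell
#!/bin/sh
# Corrected single-interface INPUT ruleset (added example, not the poster's script).
# firewall_rules prints the iptables commands one per line; run
#   sh thisfile.sh           to review them, or
#   sh thisfile.sh --apply   as root to execute them.
# Module names are assumptions: nf_conntrack_ftp (current kernels) is tried first,
# ip_conntrack_ftp (2.4/2.6-era kernels) as a fallback.
firewall_rules() {
    cat <<'EOF'
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
iptables -F INPUT
iptables -F allowed 2>/dev/null || iptables -N allowed
iptables -A allowed -j ACCEPT
# Loopback traffic first (not in the original ruleset; added here).
iptables -A INPUT -i lo -j ACCEPT
# Replies to existing flows and helper-tracked data connections (FTP PORT/PASV)
# are accepted before any port check, so the port rules only ever see openers.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only connection openers reach the per-service rules.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j allowed
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j allowed
iptables -A INPUT -p udp --dport 68 -m state --state NEW -j allowed
iptables -A INPUT -j DROP
EOF
}

if [ "${1:-}" = "--apply" ]; then
    firewall_rules | sh
else
    firewall_rules
fi
```

Running it without --apply just lists the commands, which is the form worth checking before loading it on a remote box over ssh. The generated rules leave OUTPUT unfiltered, exactly as the original did, so the server's outbound active-mode data connection from port 20 is unaffected; if OUTPUT is ever locked down, the same ESTABLISHED,RELATED rule is needed there too. On current kernels the state match still works but is a thin wrapper over the conntrack match, so `-m conntrack --ctstate` is the equivalent spelling.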

