On 2008-07-02 Sathyainkara Balendra wrote:
> Thanks for your helpful answers.
> I am using the following settings now and it works:
>
> #FTP-TABLE
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
>
> -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> -A INPUT -p tcp -s 212.74.114.60 --sport 20:21 -m state --state NEW \
> -j ACCEPT
This rule allows arbitrary inbound connections from 212.74.114.60:20 and
212.74.114.60:21 to any port on your host. Don't do that. If connections
don't work without that line, check if you have FTP connection tracking
support enabled in your kernel (and if the module is loaded in case it's
compiled as a module).

> -A OUTPUT -p tcp -d 212.74.114.60 --dport 20:21 -m state --state NEW \
> -j ACCEPT

Please make sure connection tracking is enabled and working, and allow only
port 21/tcp as destination port for new (FTP) connections. If you still
can't connect after connection tracking is enabled, try sniffing the traffic
with a protocol analyzer (e.g. Wireshark or tcpdump).

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
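The client-side ruleset Ansgar describes, written out as an added example that is not part of the thread: the FTP server address passed in, the iptables-restore format, and the helper module name nf_conntrack_ftp are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the hardened client ruleset:
# new connections are allowed only to the server's control port 21/tcp;
# data connections (active or passive) are accepted as RELATED once the
# FTP conntrack helper is loaded. The server IP is the caller's choice.
ftp_client_ruleset() {
    server="$1"
    cat <<EOF
#FTP-TABLE
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Replies and helper-tracked FTP data connections, both directions.
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections: only the FTP control channel, only to the server.
# No INPUT rule keyed on --sport 20:21 is needed: inbound active-mode
# data connections are marked RELATED by the helper and match above.
-A OUTPUT -p tcp -d $server --dport 21 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Return 0 if the ruleset text in $1 contains the pattern Ansgar warned
# about: a NEW-state INPUT rule that trusts source ports 20-21 and so
# lets the remote reach any local port just by choosing its source port.
ruleset_has_sport_hole() {
    printf '%s\n' "$1" | grep -q -- '-A INPUT .*--sport 20:21.*--state NEW'
}

# Return 0 if the FTP conntrack helper is loaded (module name assumed to be
# nf_conntrack_ftp; older kernels called it ip_conntrack_ftp).
ftp_helper_loaded() {
    grep -qE '^(nf|ip)_conntrack_ftp ' /proc/modules 2>/dev/null
}

# Usage (as root):
#   modprobe nf_conntrack_ftp
#   ftp_client_ruleset 212.74.114.60 | iptables-restore
```

If `ftp_helper_loaded` fails after the modprobe, the kernel lacks FTP conntrack support and that is where to look before touching the rules.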

