I'm running a webserver, which I have secured with iptables as follows:

    Chain INPUT (policy DROP)
    target     prot opt source              destination
    ACCEPT     tcp  --  <internal gateway>  anywhere       tcp dpt:ssh
    ACCEPT     tcp  --  anywhere            anywhere       tcp dpt:http
    ACCEPT     udp  --  <dns server>        anywhere       udp spt:domain

I now want to give FTP access to specific IP addresses for uploading content. I started using the following rules:

    iptables -A INPUT -p tcp -s <ftp client> --dport ftp -j ACCEPT
    iptables -A INPUT -p tcp -s <ftp client> --dport ftp-data -j ACCEPT

which allows ACTIVE FTP to work properly. However, I also want to allow PASSIVE FTP, which I assumed would require the following rule:

    iptables -A INPUT -p tcp -s <ftp client> -m state --state RELATED -j ACCEPT

Unfortunately this doesn't seem to work. I've checked that the module is loaded:

    [root@testbox root]# cat /proc/modules
    ip_conntrack_ftp 4096 0 (unused)
    ipt_state 1152 1 (autoclean)
    ip_conntrack 17068 2 (autoclean) [ip_conntrack_ftp ipt_state]
    ...
    iptable_filter 2272 0 (autoclean) (unused)
    ip_tables 11424 2 [ipt_state iptable_filter]
    ...

I've reviewed some articles on the Internet; however, these are generally oriented to protecting a box. Have I missed something basic, or should this work?

Thanks in advance,
Matt
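The following is an added example, not part of the post above and not code from the netfilter project. It is a small Python model of what the ip_conntrack_ftp helper and the `-m state` match do with a passive-mode data connection: the helper reads the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, registers an expectation for the announced address and port, and the first packet that hits that expectation is classified RELATED; as soon as that packet is accepted the flow is tracked as ESTABLISHED, so a rule that allows RELATED alone passes the first packet and drops every later one. The function names (`parse_pasv`, `Conntrack`, `filter_input`, `passive_session`), the addresses and the ports are all constructed for illustration.

```python
"""Toy model of the netfilter FTP helper plus the state match (added example).

Constructed sample values throughout: 192.0.2.10 is the FTP server,
198.51.100.7 the client allowed to upload. Only the server's INPUT path
is modelled, with a DROP policy and a single '-m state' ACCEPT rule.
"""
import re
from dataclasses import dataclass, field

# Server reply in passive mode: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client command in active mode: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode(groups):
    """Turn the six FTP address octets into (dotted-quad, port)."""
    h = [int(g) for g in groups]
    return "%d.%d.%d.%d" % tuple(h[:4]), h[4] * 256 + h[5]


def parse_pasv(line):
    """Address/port the server announces for the client to connect to."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("not a PASV reply: %r" % line)
    return _decode(m.groups())


def parse_port(line):
    """Address/port the client announces for the server to connect to."""
    m = PORT_RE.search(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


@dataclass
class Conntrack:
    """Minimal connection tracker: known flows plus helper expectations."""
    established: set = field(default_factory=set)   # (src, sport, dst, dport)
    expectations: set = field(default_factory=set)  # (dst, dport) the helper expects

    def classify(self, src, sport, dst, dport):
        """State the '-m state' match would see for this packet."""
        if (src, sport, dst, dport) in self.established:
            return "ESTABLISHED"
        if (dst, dport) in self.expectations:
            return "RELATED"
        return "NEW"

    def confirm(self, src, sport, dst, dport):
        """Record the flow once a packet is accepted; the expectation is consumed."""
        self.established.add((src, sport, dst, dport))
        self.expectations.discard((dst, dport))


def filter_input(ct, allowed_states, packets):
    """Apply 'iptables -A INPUT -m state --state <allowed> -j ACCEPT' under policy DROP."""
    verdicts = []
    for pkt in packets:
        if ct.classify(*pkt) in allowed_states:
            ct.confirm(*pkt)
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")
    return verdicts


def passive_session(allowed_states):
    """Verdicts for the three first packets of a passive data connection."""
    ct = Conntrack()
    reply = "227 Entering Passive Mode (192,0,2,10,195,80)"  # constructed server reply
    ip, port = parse_pasv(reply)          # ("192.0.2.10", 50000)
    ct.expectations.add((ip, port))       # what ip_conntrack_ftp registers
    client = "198.51.100.7"
    packets = [
        (client, 40001, ip, port),  # SYN of the data connection -> RELATED
        (client, 40001, ip, port),  # ACK, then data -> ESTABLISHED
        (client, 40001, ip, port),
    ]
    return filter_input(ct, allowed_states, packets)


if __name__ == "__main__":
    print("RELATED only:          ", passive_session({"RELATED"}))
    print("RELATED,ESTABLISHED:   ", passive_session({"RELATED", "ESTABLISHED"}))
```

Running the block prints `['ACCEPT', 'DROP', 'DROP']` for a RELATED-only rule and `['ACCEPT', 'ACCEPT', 'ACCEPT']` when ESTABLISHED is allowed as well, which is the behaviour to check for on a real box with `iptables -L -v` counters: the SYN is counted on the ACCEPT rule and the rest fall through to the policy.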