On Thu, 6 Jun 2002, Antony Stone wrote:

> On Thursday 06 June 2002 5:30 pm, Erik Pagel wrote:
>
> > > Please can you tell us whether you are trying to ftp from this machine
> > > with the netfilter rules on, or is the netfilter machine acting as a
> > > router between the ftp client and server ?
> >
> > Both, I want to send files from this machine and this machine also acts as
> > a router for my internal network.
> > That's the reason why I apply the rules to all three chains.
>
> Okay. Let's deal with those two requirements one at a time.
>
> First, to use this machine as an ftp client to a machine on the Internet:
>
> # standard policy on all chains
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # allow ftp control connections outbound
> iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
> # allow replies back from ftp servers
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # if you want to use names your firewall must be able to do DNS lookups
> iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
>
Some FTP sites use auth, which can cause connection timeouts with that ruleset. For safety, I recommend adding

iptables -A INPUT -p tcp --dport 113 -j REJECT

-Tom

-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ [EMAIL PROTECTED]
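A constructed Python model of the ruleset quoted above, added here and not part of the thread: it parses the iptables lines, applies first-match semantics per chain, and shows that the FTP server's ident probe (a new inbound TCP/113 connection) falls through to the INPUT DROP policy and hangs until Tom's REJECT rule is added. The RELATED match for the data connection assumes the ftp conntrack helper (ip_conntrack_ftp) is loaded, which the thread does not mention.

```python
import shlex
from dataclasses import dataclass
# The ruleset quoted in the thread; Tom's ident rule is kept separate so both can be compared.
THREAD_RULES = """
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
"""
IDENT_FIX = "iptables -A INPUT -p tcp --dport 113 -j REJECT\n"

@dataclass
class Packet:
    chain: str          # INPUT, OUTPUT or FORWARD
    proto: str          # tcp or udp
    dport: int
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED

def parse(text):
    """Parse the subset of iptables syntax used above into chain policies and rules."""
    policies, rules = {}, {"INPUT": [], "OUTPUT": [], "FORWARD": []}
    for line in text.strip().splitlines():
        args = shlex.split(line)[1:]              # drop the leading 'iptables'
        if args[0] == "-P":                       # -P CHAIN POLICY
            policies[args[1]] = args[2]
            continue
        opts = dict(zip(args[2::2], args[3::2]))  # after '-A CHAIN': option/value pairs
        rules[args[1]].append({"proto": opts.get("-p"), "target": opts["-j"],
            "dport": int(opts["--dport"]) if "--dport" in opts else None,
            "states": set(opts["--state"].split(",")) if "--state" in opts else None})
    return policies, rules

def verdict(pkt, policies, rules):
    """First matching rule in the chain wins; otherwise the chain policy applies."""
    for r in rules[pkt.chain]:
        proto_ok = r["proto"] is None or r["proto"] == pkt.proto
        port_ok = r["dport"] is None or r["dport"] == pkt.dport
        state_ok = r["states"] is None or pkt.state in r["states"]
        if proto_ok and port_ok and state_ok:
            return r["target"]
    return policies[pkt.chain]

def ident_probe_verdict(with_fix):
    """Fate of the FTP server's ident probe (new inbound TCP/113) with and without the fix."""
    text = THREAD_RULES + (IDENT_FIX if with_fix else "")
    return verdict(Packet("INPUT", "tcp", 113), *parse(text))
```

Without the fix the probe is silently dropped, so the server waits for its ident lookup to time out before answering the login; with it the server receives an immediate reject and proceeds.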
