-----BEGIN PGP SIGNED MESSAGE-----
Alex Samad wrote:
> You should try and keep this on list
Sorry, hit reply instead of reply all.
> On Fri, Dec 05, 2008 at 02:17:42PM -0700, Robert L. Harris wrote:
> I've updated my rules to this: # # allow ftpd HARVARD="10.1.1.32"
> /sbin/modprobe nf_conntrack_ftp # General iptables -I INPUT -m
> state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -p
> tcp --dport 21 -m state --state NEW -j ACCEPT iptables -A FORWARD
> -p tcp --dport 21 -m state --state NEW -j ACCEPT iptables -t nat -A
> PREROUTING -p tcp --dport 21 -j DNAT --to 10.1.1.32:21
> I think I confused myself though, do I need the other rules I had
> for port 20 or will the first INPUT rule above cover that?
>> have a look here http://slacksite.com/other/ftp.html (quick
>> google on ftp & ports).
>> It shows you how the ports are used for ftp.
>> The ftp contrack module that you where loading previous should
>> handle the "related" ports and allow them through, what I am not
> about is
>> weather it will handle the dnat'ing of those port. But then
>> again you could specify passive ftp only
>> here is another link
>> http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/ (again
>> My strength is in itables not ftp (which is the reason for
>> Also anything to do with iptables and firewalls you should
> probably read
>> a tutorial on iptables
I've read both of those and understand how the ftp works. I've
spent the last 2 days googling.
Unfortunately it's all working now except how to get the iptables data
connection in passive
mode working. I can log in, etc just fine but when I do a "ls" after
issuing the "passive"
command it times out.
The second example looks good but doesn't handle the DNAT (the ftp
server is running on
another machine behind my firewall.
Robert L. Harris | GPG Key ID: E344DA3B
These are MY OPINIONS With Dreams To Be A King,
ALONE. I speak for First One Should Be A Man
no-one else. - Manowar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
-----END PGP SIGNATURE-----
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org