Re: no scp or ftp
--- Mark Strasheim <Strasheim@web.de> wrote:
> Aloha
>
> I have a single interface and run the following iptables commands;
> everything works as it should (there are some more services with UDP).
>
> iptables -N allowed
> iptables -A allowed -j ACCEPT
> iptables -A INPUT -p TCP --dport 22 -j allowed
> iptables -A INPUT -p TCP --dport 21 -j allowed
> iptables -A INPUT -p UDP --dport 68 -j allowed
> iptables -A INPUT -m state --state RELATED -j allowed
> iptables -A INPUT -m state --state ESTABLISHED -j allowed
> iptables -A INPUT -j DROP
>
"-m state --state NEW" for your --dport rules. This way packets will get to
the ESTABLISHED rule and be processed. When the ESTABLISHED rule gets the
FTP PORT command it will create the rule for the RELATED connection.
You should also put the rules in this order...
ESTABLISHED
RELATED
NEW
I don't know if there is a good reason for doing this, but I can't see why
anyone would want to have it different.
> I can also log in via ssh and connect to ftp, but scp and ftp auth don't
> work.
> I understand that they talk about a new port and that the firewall doesn't
> see the exchange of that data and therefore can't set the state engine to
> related or established.
> For ftp I loaded the connection tracking module ... (I know it's for NAT, but I
> hoped :) ) but it didn't work.
>
> My question is how I can, with only a few lines, get this to work.
>
> with regards
> Mark Strasheim
>
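The corrected single-interface ruleset the reply describes, as an added example that is not part of the original mail: ESTABLISHED and RELATED matched first, "-m state --state NEW" on each --dport rule, and FTP connection tracking loaded so the data connection becomes RELATED. The module name ip_conntrack_ftp (nf_conntrack_ftp on newer kernels) and the dry-run helper functions are assumptions.

```shell
#!/bin/sh
# Hypothetical helper: prints the iptables commands instead of running them,
# so the ruleset can be reviewed (or piped to sh) before it is applied.
firewall_rules() {
    # FTP helper module: tracks the PORT/PASV exchange on the control
    # connection and marks the data connection RELATED.
    # (ip_conntrack_ftp on 2.4/early 2.6 kernels, nf_conntrack_ftp later.)
    echo "modprobe ip_conntrack_ftp"
    echo "iptables -F INPUT"
    echo "iptables -N allowed"
    echo "iptables -A allowed -j ACCEPT"
    # Order recommended in the reply: ESTABLISHED, RELATED, then NEW.
    echo "iptables -A INPUT -m state --state ESTABLISHED -j allowed"
    echo "iptables -A INPUT -m state --state RELATED -j allowed"
    # Only the first packet of a connection needs a per-port rule.
    echo "iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j allowed"
    echo "iptables -A INPUT -p TCP --dport 21 -m state --state NEW -j allowed"
    echo "iptables -A INPUT -p UDP --dport 68 -m state --state NEW -j allowed"
    echo "iptables -A INPUT -j DROP"
}

# Sanity check on the generated ruleset: every --dport rule must carry
# --state NEW, the ESTABLISHED rule must precede the first NEW rule, and
# the final DROP must come after the NEW rules. Returns 0 if all hold.
check_rules() {
    firewall_rules | awk '
        /--dport/ && !/--state NEW/ { bad = 1 }
        /--state ESTABLISHED/ && !est { est = NR }
        /--state NEW/ && !new { new = NR }
        /-j DROP/ { drop = NR }
        END { exit ((bad || !est || !new || est > new || drop < new) ? 1 : 0) }'
}

# Usage: ./rules.sh          prints the rules for review
#        ./rules.sh --apply  runs them (as root)
if [ "${1:-}" = "--apply" ]; then
    check_rules && firewall_rules | sh
else
    firewall_rules
fi
```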