
Re: iptables troubles



Sorry for the slow reply.

Yes, ftp is working without the iptables firewall on. So that is no problem.

I don't see why I should use a nat module, since I am not doing NAT.
It is a single server, directly connected to the internet. No LAN
behind. So no NAT.

However, this iptables script is still mysteriously blocking *some*
people from reaching my machine, while others can connect without
trouble. I still don't understand, I am afraid. Anyone?

Pim


On Thu, 14 Oct 2004 15:07:38 +0200, Riccardo Tortorici
<riccardo.tortorici@email.it> wrote:
> Did you "modprobe" the NAT FTP module?
> modprobe ip_nat_ftp
> 
> Did you also allow the ftp-data port?
>  From /etc/services:
> 
> ftp-data        20/tcp
> ftp             21/tcp
> 
> bye
> 
> Pim Bliek wrote:
> > Hi All,
> >
> > I still have trouble, with FTP. A user is able to login, but cannot
> > retrieve any data (also no 'ls' because of that). Here are the lines
> > in my fw-script about FTP:
> >
> > $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 20 ! --syn -j ACCEPT
> > $IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d $NET --dport 20 -j ACCEPT
> >
> > $IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --destination-port 21 -j ACCEPT
> > $IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d $NET --dport 21 -j ACCEPT
> >
> > What is wrong here?
> >
> > Pim
> >
> > On Wed, 13 Oct 2004 07:40:09 -0700 (PDT), Sergio Basurto
> > <basurto@canada.com> wrote:
> >
> >> On Wed, 13 Oct 2004 16:35:46 +0200, Pim Bliek wrote:
> >>
> >>> That worked! Thanx a lot!
> >>> I am not sure I understand how it works, but it works.
> >>
> >> :)
> >>
> >>> Pim
> >>>
> >>> On Wed, 13 Oct 2004 07:00:30 -0700 (PDT), Sergio Basurto
> >>> <basurto@canada.com> wrote:
> >>>
> >>>> On Wed, 13 Oct 2004 15:37:35 +0200, Pim Bliek wrote:
> >>>>
> >>>>> Hi All,
> >>>>>
> >>>>> I am trying to get a firewall running, but I am no
> >>>>> networking expert.
> >>>>> I use Debian Sid, and kernel 2.4.25-1-386 (yes I need
> >>>>> to upgrade ;)).
> >>>>
> >>>> (...)
> >>>>
> >>>>> Regards,
> >>>>> Pim Bliek
> >>>>
> >>>> You must add something like this; adapt it to your
> >>>> script variables.
> >>>> iptables -A INPUT -i $EXTIF -m state --state
> >>>> NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP
> >>>> --dport 80 -j ACCEPT
> >>>>
> >>>> The line above allows connections to your host on
> >>>> port 80.
> >>>>
> >>>> You can also get excellent documentation at the
> >>>> following link:
> >>>> www.netfilter.org
> >>>>
> >>>> Just adapt this to your script.
> >>>>
> >>>> I hope this helps.
> >>>>
> >>>> I recommend that you separate your rules in the
> >>>> following order in your script
> >>>>
> >>>> INPUT
> >>>> OUTPUT
> >>>> FORWARD
> >>>> PREROUTING
> >>>> POSTROUTING
> >>>>
> >>>> in order to make it more readable.
> >>>>
> >>>> Regards.
> >>>>
> >>>> --
> >>>> Sergio Basurto J.
> >>>>
> >>>> If I have seen further it is by standing on the
> >>>> shoulders of giants. (Isaac Newton)
> >>>> --
> >>>> --
> >>>>
> >>
> >>
> >> Ing. Sergio Basurto Juárez
> >> Tel: 04455-85322945
> >>
> >
> >
> >
> 
> --
> - Riccardo Tortorici -
> Linux Registered User #365170
> Count yourself @ http://counter.li.org/ !
> Proudly Running Debian GNU/Linux "Sid" - Linux Kernel 2.6.8.1
> --
> HTML email can be dangerous, is not always readable, wastes bandwidth
> and is simply not necessary please don't send them to me!
> If you don't know what I'm talking about please read this:
> 
> http://www.georgedillon.com/web/netiquette.shtml
> 
> 
> 
> 
> 
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
>
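
The symptom described in this thread (login on port 21 works, but LIST and transfers hang for some clients and not for others) is the classic FTP data-channel problem: the data connection never uses port 21, and in passive mode it arrives on a high port chosen by the server, so rules that only match --dport 20 or --dport 21 never see it, whichever states they list. What follows is an added example ruleset for exactly the situation Pim describes, a single server with a public address and no NAT; it is not code from any of the posters. It assumes an Internet-facing interface EXTIF, that interface's address EXTIP, and a passive port range PASV_MIN-PASV_MAX that the FTP daemon has been configured to use (all three are placeholders, since -i takes an interface name and -d takes an address). It loads the connection-tracking helper rather than the NAT helper, accepts ESTABLISHED,RELATED once for the whole chain so both FTP modes are covered, and can be dry-run with DRYRUN=1 so the rules can be read before anything is applied.

```sh
#!/bin/sh
# Added example, not from the thread: stateful iptables rules for an FTP
# server on a single host with a public address and no NAT.
# Assumed placeholders (not in the original posts): EXTIF, EXTIP, PASV_MIN,
# PASV_MAX. The FTP daemon must be pinned to the same passive range.
set -eu

IPT=${IPT:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}
EXTIP=${EXTIP:-192.0.2.10}      # TEST-NET-1 address, placeholder only
PASV_MIN=${PASV_MIN:-50000}
PASV_MAX=${PASV_MAX:-50100}

# run CMD...: execute the command, or print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ftp_rules() {
    # Connection-tracking helper: parses PORT/PASV on the control channel
    # and marks the resulting data connections RELATED. ip_nat_ftp is only
    # needed when addresses are rewritten; with no NAT this is the module
    # that matters. (2.4 kernels: ip_conntrack_ftp; 2.6.15+: nf_conntrack_ftp.)
    run modprobe ip_conntrack_ftp

    # Start from a clean, default-deny INPUT chain. -F removes existing rules.
    run "$IPT" -F INPUT
    run "$IPT" -P INPUT DROP
    run "$IPT" -A INPUT -i lo -j ACCEPT

    # One rule for every data connection in both modes: active (server
    # connects out from port 20, replies come back ESTABLISHED) and passive
    # (client opens a new connection to a high port the helper has already
    # marked RELATED). Matching RELATED only on --dport 21 never fires,
    # because a passive data connection is not addressed to port 21.
    run "$IPT" -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Control channel.
    run "$IPT" -A INPUT -i "$EXTIF" -p tcp -d "$EXTIP" --dport 21 -m state --state NEW -j ACCEPT

    # Passive range opened explicitly as well, so transfers keep working if
    # the helper is missing or cannot read the control channel (e.g. FTP over TLS).
    run "$IPT" -A INPUT -i "$EXTIF" -p tcp -d "$EXTIP" --dport "$PASV_MIN:$PASV_MAX" -m state --state NEW -j ACCEPT

    # Log what the DROP policy is about to discard, rate-limited. A client that
    # "cannot connect" shows up here with the port it was refused on.
    run "$IPT" -A INPUT -i "$EXTIF" -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "

    # Outbound side, only needed if the OUTPUT policy is DROP: active-mode
    # data connections originate on this host from source port 20.
    run "$IPT" -A OUTPUT -o "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A OUTPUT -o "$EXTIF" -p tcp --sport 20 -m state --state NEW -j ACCEPT
}

case "${1:-show}" in
    apply) ftp_rules ;;
    show)  DRYRUN=1; ftp_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it as `sh ftp-rules.sh` to print the rules without touching the firewall, and as root with `sh ftp-rules.sh apply` to load them. Two checks worth doing while a client still fails: `lsmod | grep conntrack_ftp` to confirm the helper is actually loaded, and a look at the kernel log for the `INPUT DROP:` prefix, which names the port that client's data connection was refused on.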


