Saturday, September 01, 2007

Re: Iptables and FTP problem

My rule:
-A FORWARD -i $LAN -o $EXT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 21 -j ACCEPT
"doesn't work, because it tries to connect via port 5050 and so on to the server and
not 21 !!!!"

-A FORWARD -i $EXT -o $LAN -m state --state ESTABLISHED,RELATED -p tcp -j ACCEPT
can't solve the problem.

On Sat, September 1, 2007 20:56, Phil Dyer wrote:
> Nope. Your rule says to allow related,established on port 21. It doesn't
> apply to port 20. Add a log rule to see what's being dropped.
>
> You can remove the --sport 21 and just allow in ANY established,related
> and that should work.
>
> phil
>
> On 9/1/2007 7:36 AM, Mahdi Rahimi wrote:
>
>> Thanks, Phil. But I think the port 20 is in RELATED state and no
>> connection needs to be established. Module ip_conntrack_ftp must correct
>> this problem.
>
> [snip]
>
>
>>>> ***filter
>>>> -A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m
>>>> state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>>>> -A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state
>>>> ESTABLISHED,RELATED -j ACCEPT
>>>>
>>>>
>>
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
>


-------------------------
rahimi{at}eaedu.net
rahimi_m{at}cse.shirazu.ac.ir
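
Added example, not part of the original thread: a simplified Python model of what an FTP connection-tracking helper such as ip_conntrack_ftp does with the control channel, and of how the two rules quoted at the top of the message treat the resulting data connection. It assumes passive mode; the 227 reply, the addresses, the rule records and the extra outbound rule are constructed for illustration.

```python
import re

# Six comma-separated bytes: "PORT h1,h2,h3,h4,p1,p2" (active, from client)
# or "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (passive, from server).
ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_data_endpoint(line):
    """Return the (ip, port) announced on the control channel, or None."""
    line = line.strip()
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = ADDR_RE.search(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def first_packet_state(control_lines, dst, helper_loaded):
    """State of the first packet of a new flow to dst=(ip, port).
    Simplified: a real helper also keys the expectation on the source."""
    expected = {parse_data_endpoint(l) for l in control_lines} if helper_loaded else set()
    return "RELATED" if dst in expected else "NEW"

def accepted(rules, direction, state, dport):
    """True if any ACCEPT rule matches; anything else is assumed dropped."""
    return any(r["dir"] == direction and state in r["states"]
               and r["dport"] in (None, dport) for r in rules)

# Constructed sample: server reply announcing port 19*256+186 = 5050.
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,19,186)"
SERVER = ("203.0.113.10", 5050)

# The two rules from the message, reduced to direction, states and dport.
POSTED = [
    {"dir": "LAN>EXT", "states": {"NEW", "ESTABLISHED", "RELATED"}, "dport": 21},
    {"dir": "EXT>LAN", "states": {"ESTABLISHED", "RELATED"}, "dport": None},
]
# Hypothetical extra rule: outbound ESTABLISHED,RELATED with no port match.
WITH_RELATED_OUT = POSTED + [
    {"dir": "LAN>EXT", "states": {"ESTABLISHED", "RELATED"}, "dport": None},
]

def data_connection_passes(rules, helper_loaded):
    """Does the passive-mode data connection (LAN client to SERVER) get through?"""
    state = first_packet_state([PASV_REPLY], SERVER, helper_loaded)
    return accepted(rules, "LAN>EXT", state, SERVER[1])
```

In this model the data connection is RELATED only when the helper has seen the 227 reply, and even then it needs an outbound rule that is not tied to `--dport 21`.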

