Very Computer

We have a small office running a lan with the usual masquerading and
forwarding that allows us to use 10.0.0.1/8 as our LAN, and a single IP as
the router outbound interface.  The router is the Linux Firewall box, and
all the traffic *APPEARS* to be handled correctly, web pages and the like.  
But one user needs access to an FTP server that requires non-passive FTP.

Can someone tell me how to set up a rule that will allow all of the random
data ports that FTP uses for things like " ls -al " and the like?  FTP does
a PORT command to establish this sort of thing, from what I remember, but
it's totally random if I recall.  *scratching head*.  I don't want to
defeat the purpose of the firewall by just allowing oodles of ports to
willy-nilly be ACCEPTed.  

And please, if you write, could you copy under email to irishboy at
Imadethis dot com?  I'd really appreciate it. !!!!

Mairhtin O'Feannag

--
Jeremy A. Gray

"Remember the Pueblo." -- the Fourth Law of Marvin

There's stuff there about active and passive ftp...

--
Steve Webster
Remove the 'nospam' to get my email address.

## FTP
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j
ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# active
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j
ACCEPT

you can add source and destination to these lines to define your user and
the ftp-server ...

ReadU
Andi

-A FORWARD -p tcp -m tcp --sport 20 -m state --state RELATED -j ACCEPT

Also add a line in /etc/modules.conf:

add above iptable_nat ip_nat_ftp