duncan brown wrote:
> send us the output of the following command (run as root)
> iptables -L -n
> also, remember that your ftp client is probably using PASSIVE transfers, which means you'll need a range of high level ports to be open, not just 21. i bet if you use the text mode ftp program on windows your transfers will work like a champ. (start -> run -> ftp)

No, don't open up high ports. Just include a rule to accept not only packets for established connections, but also related ones, like so:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The related entries get added to the connection table by the ip_conntrack_ftp module based on what ports are referenced on an ftp control connection to be used for a data connection.
And the best way to ensure the ip_conntrack_ftp module is loaded is by editing the line in /etc/sysconfig/iptables-config like so:
IPTABLES_MODULES="ip_conntrack_ftp"
-- 
-----------------------------------------------------------
"Spend less! Do more! Go Open Source..." -- Dirigo.net
Chris Johnson, RHCE #807000448202021
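Added example (not from either post above): a small shell script that writes out the rule set the reply describes for an FTP server (port 21 plus ESTABLISHED,RELATED, no high-port range) in iptables-restore format, and a check that can be fed `iptables -L -n` output to confirm the RELATED accept rule is actually present in the INPUT chain and sits before any DROP/REJECT rule, since a rule placed after the reject never matches. The two listings embedded in the script are constructed samples, not output from anyone's machine; the /etc/sysconfig/iptables path in the usage comment is the RHEL-style location and is an assumption.

```shell
#!/bin/sh
# Added example, not code from the list posts. Generates the FTP-friendly
# rule set and checks a saved `iptables -L -n` listing for the RELATED rule.

# Rule set in iptables-restore format. Only port 21 is opened for NEW
# connections; the data connections (active or passive) are let in by the
# RELATED entries that ip_conntrack_ftp creates from the control channel.
ftp_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# The line the reply says to set in /etc/sysconfig/iptables-config so the
# helper module is loaded before the rules are restored.
module_config() {
    echo 'IPTABLES_MODULES="ip_conntrack_ftp"'
}

# Reads `iptables -L -n` output on stdin. Returns 0 if the INPUT chain has an
# ACCEPT rule matching state RELATED,ESTABLISHED before any DROP/REJECT rule,
# 1 otherwise (first matching rule wins, so order matters).
check_related_accept() {
    awk '
        /^Chain / { chain = $2; next }       # track which chain we are in
        chain != "INPUT" { next }            # only the INPUT chain matters here
        /^target/ { next }                   # skip the column header
        $1 == "ACCEPT" && /RELATED/ && /ESTABLISHED/ { found = 1; exit }
        $1 == "DROP" || $1 == "REJECT" { exit }   # later rules are unreachable
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample listing: the rule set above as iptables would print it.
GOOD_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# Constructed sample of the common mistake: the RELATED rule was appended
# after a catch-all REJECT, so FTP data connections are still refused.
BAD_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
'

# Run the check against the two samples when executed directly.
printf '%s\n' "$GOOD_LISTING" | check_related_accept && echo "good sample: RELATED accept reachable"
printf '%s\n' "$BAD_LISTING"  | check_related_accept || echo "bad sample: RELATED accept missing or shadowed"

# On a live box (as root), the same functions would be used like this:
#   ftp_ruleset > /etc/sysconfig/iptables && service iptables restart
#   iptables -L -n | check_related_accept && echo "RELATED accept rule present"
```

The awk check stops at the first DROP or REJECT in INPUT on purpose: a RELATED accept rule that comes after a catch-all reject looks right in the listing but never sees a packet, which is one of the more common reasons passive FTP keeps failing after "adding the rule".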