iptables rule problems

Kauna
      10-10-2003, 09:05 AM
Hi folks,

I have a lot of problems with the iptables configuration on my RH 9, in
particular when I try to connect with an FTP client (port 21).
I can use the SSH and HTTP protocols correctly; only FTP appears not to be
enabled! When I try to connect via FTP to my Linux box the session
stalls.

Below I have shown my rules:

----------------------------------
iptables --flush
iptables --delete-chain
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed IP"
iptables -A INPUT -s 255.0.0.0/8 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed IP"
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed IP"
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed IP"
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed IP"
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed IP"
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth attempt"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW
iptables -A INPUT -p tcp -j ACCEPT --dport 22 -m state --state NEW
iptables -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 10.212.44.1 --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 10.212.44.4 --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "Default dropped"
iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "Default dropped"
----------------------------------

Any ideas?

Many thanks for your suggestions!

Kauna
Mike
      10-14-2003, 01:39 PM
1. /sbin/modprobe ip_conntrack_ftp
2. open the 20 (ftp-data) port
3. try to use "passive mode" in your ftp client

Mike
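The three steps above put together, as an added example that is neither Kauna's script nor Mike's. The point it makes explicit is why Kauna's login works but the session then stalls: the control connection on port 21 is accepted, but the separate data connection is not. In active mode the server opens that connection itself from port 20, which the OUTPUT policy of DROP blocks; in passive mode the client connects to a high port on the server, which the INPUT policy blocks. With the conntrack helper loaded, both data connections are classified RELATED and the ESTABLISHED,RELATED rules Kauna already has let them through, so nothing further needs opening. The script prints the rules instead of applying them so they can be reviewed first. Assumptions not taken from the thread: the module name is `ip_conntrack_ftp` as Mike wrote (2.4-era kernels; later kernels call it `nf_conntrack_ftp`), and the FTP daemon is pinned to the passive port range 50000:50100, a value constructed for this example.

```shell
#!/bin/sh
# Added example; not Kauna's or Mike's script. Prints the iptables
# additions that let FTP through the ruleset posted above, in two
# variants: with the conntrack helper loaded (Mike's step 1) and without
# it (Mike's steps 2 and 3 done by hand).
#
# Assumptions not on the page: the helper module is ip_conntrack_ftp as
# Mike wrote (2.4 kernels; later kernels name it nf_conntrack_ftp), and
# the FTP daemon uses the passive port range below, a constructed value.
PASV_RANGE="${PASV_RANGE:-50000:50100}"

# Print the commands rather than run them, so they can be reviewed and the
# script works without root. To apply:  ftp_rules helper_loaded | sh
# The printed lines belong where Kauna's "--dport 21" rule sits, before
# the "Default dropped" LOG rules; appended after them they are never hit.
ftp_rules() {
    mode="${1:-helper_loaded}"   # helper_loaded | no_helper

    if [ "$mode" = helper_loaded ]; then
        # Step 1: the helper parses PORT/PASV on the control connection and
        # marks the resulting data connection RELATED. Kauna's ruleset
        # already accepts RELATED,ESTABLISHED on INPUT and OUTPUT, so with
        # the helper loaded both active mode (server port 20 -> client) and
        # passive mode (client -> server high port) pass with no extra
        # ports opened.
        echo "modprobe ip_conntrack_ftp"
    fi

    # Control connection: already in the original ruleset, repeated so the
    # printed set is complete for FTP.
    echo "iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"

    if [ "$mode" = no_helper ]; then
        # Step 2: active mode without the helper. The server itself opens
        # the data connection from source port 20, which the OUTPUT policy
        # of DROP blocks. Allow only that, not "port 20" in both directions.
        echo "iptables -A OUTPUT -p tcp --sport 20 -m state --state NEW -j ACCEPT"
        # Step 3: passive mode without the helper. The client connects to a
        # high port on the server, so only the daemon's configured range is
        # opened rather than every high port.
        echo "iptables -A INPUT -p tcp --dport $PASV_RANGE -m state --state NEW -j ACCEPT"
    fi
}

# Check that the helper is actually resident after step 1. Returns
# non-zero when it is not loaded or /proc/modules is unavailable.
ftp_helper_loaded() {
    grep -qs 'conntrack_ftp' /proc/modules
}

# Stand-alone run: print the variant selected by FTP_MODE.
ftp_rules "${FTP_MODE:-helper_loaded}"
```

After applying, `iptables -L INPUT -n --line-numbers` and the same for OUTPUT show whether the new rules landed above the "Default dropped" LOG lines; if the session still stalls at the directory listing, `ftp_helper_loaded` tells you whether step 1 actually took effect. On kernels from 4.7 onward the helper is no longer attached to port 21 automatically; it has to be assigned with the CT target (`iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`) before the RELATED rules can match FTP data connections.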