First, thanks....
Second, I wrote
EXTIF=eth0 #internet
INTIF=eth1 #local net
3333: #changed to 1020
and ran your script as it is.
Then I asked a friend of mine on the internet to click (IE) on
ftp://myserverip/
Result: The page could not be found
My ftp server is running on my local net.
I switched eth0 and eth1 as a beginner, but still not working...
About the modules, I think if they are not installed, your script
wouldn't run, would it?
iptables reported no bug on running the script...
Remember, I don't want to forward packets to my local... just open
my server ftp port to the web.
Again, thanks.
(E-Mail Removed) (Raqueeb Hassan) wrote in message news:<(E-Mail Removed). com>...
> First, you have to tell us what iptables syntax you used a million times
> .... for opening an ftp port?
>
> Have you had these modules loaded in the kernel?
>
> insmod ip_nat_ftp
> insmod ip_conntrack_ftp
> insmod ip_conntrack
> insmod iptable_nat
>
> Basically these are required as the ftp client sends "PORT"
> commands to the server, requesting to open one or more further connections
> to an IP address and port number.
>
> At the same time, do you want your client to use passive mode? It is more
> secure.
>
> When you have to open a connection ....
>
> iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 21 --sport 3333: -m state --state NEW,ESTABLISHED -j ACCEPT
>
> Like when you need to send the port command ...
>
> iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --sport 20 --dport 3333: -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
>
> Better to use these kind of rules when opening up a passive mode ....
>
> iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --sport 3333: --dport 3333: -m state --state ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i $INTIF -o $EXTIF -p tcp --sport 3333: --dport 3333: -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> just replace port 3333 with anything above 1023!
>
>
> HTH
>
> raqueeb hassan
> bangladesh
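The quoted rules are FORWARD rules for a client on the local net reaching an FTP server outside; the original poster's goal is the reverse direction, an FTP server reachable from the internet. The script below is an added example, not code from either poster. It keeps the thread's $EXTIF/$INTIF names, uses the 2.6+ module names nf_conntrack_ftp and nf_nat_ftp (the ip_conntrack_ftp/ip_nat_ftp modules named in the reply are the 2.4-kernel equivalents), and covers both placements of the server: on the firewall host itself (INPUT rules) and on a host in the local net (DNAT plus FORWARD rules). The internal address 192.168.1.10 is a constructed sample value. It runs in dry-run mode by default, printing the commands instead of executing them; set IPT=iptables, MODPROBE=modprobe and SYSCTL=sysctl to apply them.

```shell
#!/bin/sh
# Added example: publishing an FTP server with iptables. Dry-run by default;
# override IPT/MODPROBE/SYSCTL with the real binaries to apply the rules.
IPT=${IPT:-"echo iptables"}
MODPROBE=${MODPROBE:-"echo modprobe"}
SYSCTL=${SYSCTL:-"echo sysctl"}
EXTIF=${EXTIF:-eth0}   # internet side (interface names as in the thread)
INTIF=${INTIF:-eth1}   # local net side

# Load the FTP connection-tracking and NAT helpers (2.6+ module names).
ftp_helper_modules() {
    $MODPROBE nf_conntrack_ftp
    $MODPROBE nf_nat_ftp
    # Since kernel 4.7 helpers are no longer attached automatically. Pin the
    # ftp helper to the control channel only, so that RELATED expectations can
    # only be created by real FTP control traffic on port 21.
    $IPT -t raw -A PREROUTING -i "$EXTIF" -p tcp --dport 21 -j CT --helper ftp
}

# Case 1: the FTP daemon runs on the firewall host itself
# (assumes a default policy of DROP on INPUT and OUTPUT).
ftp_local_server_rules() {
    # control channel from the internet
    $IPT -A INPUT -i "$EXTIF" -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    # passive-mode data connections: the helper parses the PASV reply and marks
    # the client's first data packet RELATED, so no port range has to be opened
    $IPT -A INPUT -i "$EXTIF" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # control-channel replies and active-mode data connections from port 20
    $IPT -A OUTPUT -o "$EXTIF" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Case 2: the FTP daemon is on a host in the local net behind NAT.
# $1 is its private address (192.168.1.10 below is a constructed sample).
ftp_forwarded_server_rules() {
    server=$1
    # Port 21 arriving on the public side is rewritten to the internal host;
    # nf_nat_ftp additionally rewrites the private address inside PASV replies.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 21 -j DNAT --to-destination "$server:21"
    # FORWARD sees the post-DNAT destination, so match on the internal host
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$server" -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    # passive-mode data connections towards the server (RELATED via the helper)
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$server" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # replies and active-mode data connections from the server
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$server" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Routing between the interfaces is required for case 2.
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Stand-alone run: print the rule set for a server at the sample address.
ftp_helper_modules
enable_forwarding
ftp_forwarded_server_rules "${FTP_SERVER:-192.168.1.10}"
```

Because the ftp helper tracks PORT commands and PASV replies, data connections are accepted as RELATED and the wide `--sport 3333:`/`--dport 3333:` ranges from the quoted reply are not needed; restricting the helper to port 21 with the CT target keeps that RELATED acceptance from being triggered by anything other than the FTP control channel.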