Linux - Newbie forum (LinuxQuestions.org): for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's, this is the place!
Don't know much about iptables, but I think that it's preventing me from FTP-ing on my local network. Have wu-ftp set up on machine A, and can ftp into the localhost with no problem. However, if I try to ftp into A from machine B the connection is refused. Port 21 is open on machine A. Machine A also serves as a firewall, web server, smtp server, and sql server. I'm interested in only allowing local (192.168.1.*) ftp transfers between machine A and machine B. I know absolutely nothing about iptables, but it appears as though the machine is accepting ssh, http, and smtp from anywhere - is this where the problem is?
If you have this system running on a private network and feel safe enough to flush the iptables, then you could do a quick test. Run "iptables -F", which will remove all rules. Then try to connect again. If you are successful, then it is a firewall issue.
If this turns out to be the case, I can try to check the rules you posted and see if I can give you a specific line to add to your iptables file to allow the traffic you want.
Originally posted by adamgedde
Don't know much about iptables, but I think that it's preventing me from FTP-ing on my local network. Have wu-ftp set up on machine A, and can ftp into the localhost with no problem. However, if I try to ftp into A from machine B the connection is refused. Port 21 is open on machine A. Machine A also serves as a firewall, web server, smtp server, and sql server. I'm interested in only allowing local (192.168.1.*) ftp transfers between machine A and machine B. I know absolutely nothing about iptables, but it appears as though the machine is accepting ssh, http, and smtp from anywhere - is this where the problem is?
The problem lies with your iptables settings below. You could add a second layer of security by using hosts.allow and hosts.deny.
In /etc/hosts.deny, add the following line:
Code:
wu-ftpd: ALL EXCEPT 192.168.1.
This (above) would block all wu-ftpd traffic except for clients from 192.168.1.*
From what I can see, the rules are pretty weird. If I knew a little more about what specifically you needed, I could try to help you clean this up. Below is what I can tell about it (although I am not an iptables expert).
The first rule allows all ntp (network time protocol) comms.
2nd, 3rd, & 6th rules - do some logging
4th & 5th - drop all outbound packets from <private-IP> (I assume you used <private-IP> for 2 different nets, you normally reflect that in a post by saying <private-IP1> and <private-IP2>)
7th - is a repeat of rule # 1
8th - accept all udp traffic from <private-IP> high ports 1025 through 65535 from any server on port 53 (DNS)
9th - accept any connections to smtp server (may not be a problem - on RH 9 sendmail is configured to only accept mail from localhost by default)
10th - accept any connections to http server
11th - accept any connections to ssh server
12th & 13th - both allow all udp (connectionless) bootp traffic bootps = BOOTP server bootpc = BOOTP client
14th - accept all traffic from anywhere to anywhere
15th - reject all tcp traffic not already explicitly allowed to ports 0 through 1023
16th - reject all traffic to nfs (redundant from rule 15)
17th - reject all udp traffic not already explicitly allowed to ports 0 through 1023
18th - reject all udp traffic to nfs (redundant from rule 17)
19th - reject all tcp traffic to ports 6000 to 6009
20th - reject all tcp traffic to xfs (X font server)
You would want to add this above all other rules but below the part that says "-A FORWARD -j RH-Lokkit-0-50-INPUT". It doesn't have to be in that spot, but it would need to come before any REJECT rules.
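As an added example, not from this thread or from either poster: a small POSIX shell helper that prints the iptables commands to accept FTP from 192.168.1.0/24 ahead of the REJECT rules, plus a check that reads "iptables -S" output and confirms the ACCEPT is not shadowed by an earlier REJECT (the ordering point made in the reply above). It assumes the Lokkit chain name RH-Lokkit-0-50-INPUT from the thread; the two sample listings are constructed for the demo and are not the original poster's rules, which are not reproduced on this page. One caveat the thread does not cover: FTP opens a second, dynamically numbered data connection for every transfer, so a port-21 rule on its own lets you log in but not list or fetch files. The generated commands therefore load the kernel's FTP connection-tracking helper (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on current ones) and accept RELATED traffic so the data channel gets through in both active and passive mode.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the iptables rules that
# let one LAN reach FTP ahead of the REJECT rules, and checks a chain
# listing to make sure the ACCEPT is not shadowed by an earlier REJECT.
# Assumed names: chain RH-Lokkit-0-50-INPUT (from the thread), LAN
# 192.168.1.0/24. The sample listings below are constructed for the demo.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
CHAIN="${CHAIN:-RH-Lokkit-0-50-INPUT}"

# Print (do not run) the commands. FTP uses port 21 for control plus a
# second, dynamically numbered data connection; the conntrack FTP helper
# marks that data connection RELATED so the second rule admits it. Both
# rules are inserted at the top of the chain (-I ... 1 and 2), so no later
# REJECT can catch them. Old-style "-m state" matching is used because that
# is what the RH 9 era kernel in the thread has; it still works today.
ftp_allow_rules() {
    net="$1"; chain="$2"
    cat <<EOF
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
iptables -I $chain 1 -s $net -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I $chain 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Read "iptables -S CHAIN" output on stdin. Exit 0 when an ACCEPT for tcp/21
# from $1 appears before the first REJECT (or there is no REJECT), else 1.
ftp_rule_precedes_reject() {
    awk -v net="$1" '
        /-j REJECT/ && !reject { reject = NR }
        /--dport 21 / && /-j ACCEPT/ && index($0, "-s " net) && !accept { accept = NR }
        END { exit !(accept && (!reject || accept < reject)) }
    '
}

# Constructed listings. In the bad one the FTP rule was appended (-A) after
# the catch-all REJECT for ports 0:1023, so it never matches: exactly the
# mistake the reply above warns about.
SAMPLE_GOOD='-A RH-Lokkit-0-50-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 123 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-port-unreachable'
SAMPLE_BAD='-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 123 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT'

# Usage: review the generated commands, then pipe them to sh as root.
# Afterwards verify with:  iptables -S "$CHAIN" | ftp_rule_precedes_reject "$LAN_NET"
ftp_allow_rules "$LAN_NET" "$CHAIN"
printf '%s\n' "$SAMPLE_GOOD" | ftp_rule_precedes_reject "$LAN_NET" \
    && echo "good listing: FTP ACCEPT precedes REJECT" || echo "good listing: shadowed"
printf '%s\n' "$SAMPLE_BAD" | ftp_rule_precedes_reject "$LAN_NET" \
    && echo "bad listing: FTP ACCEPT precedes REJECT" || echo "bad listing: FTP ACCEPT is shadowed by REJECT"
```

The check only looks at rule order inside one chain; if the FTP ACCEPT lives in a chain that is itself only reached after a REJECT in INPUT, it is still shadowed, so run the check against the chain that INPUT jumps to first (RH-Lokkit-0-50-INPUT in this thread).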