Hi all
I've had a read around, and will admit I'm finding it difficult to work out precisely how to do this.
Before trying to modify:
iptables --list

Chain INPUT (policy ACCEPT)
target               prot       opt source     destination
RH-Firewall-1-INPUT  all        --  anywhere   anywhere

Chain FORWARD (policy ACCEPT)
target               prot       opt source     destination
RH-Firewall-1-INPUT  all        --  anywhere   anywhere

Chain OUTPUT (policy ACCEPT)
target               prot       opt source     destination

Chain RH-Firewall-1-INPUT (2 references)
target               prot       opt source     destination
ACCEPT               all        --  anywhere   anywhere
ACCEPT               icmp       --  anywhere   anywhere      icmp any
ACCEPT               ipv6-crypt --  anywhere   anywhere
ACCEPT               ipv6-auth  --  anywhere   anywhere
ACCEPT               udp        --  anywhere   224.0.0.251   udp dpt:5353
ACCEPT               udp        --  anywhere   anywhere      udp dpt:ipp
ACCEPT               all        --  anywhere   anywhere      state RELATED,ESTABLISHED
ACCEPT               tcp        --  anywhere   anywhere      state NEW tcp dpt:ssh
REJECT               all        --  anywhere   anywhere      reject-with icmp-host-prohibited
I had a read through the documentation and issued the following:

iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT

After this:
iptables --list

Chain INPUT (policy ACCEPT)
target               prot       opt source     destination
RH-Firewall-1-INPUT  all        --  anywhere   anywhere
ACCEPT               tcp        --  anywhere   anywhere      tcp dpts:ftp-data:ftp

Chain FORWARD (policy ACCEPT)
target               prot       opt source     destination
RH-Firewall-1-INPUT  all        --  anywhere   anywhere

Chain OUTPUT (policy ACCEPT)
target               prot       opt source     destination

Chain RH-Firewall-1-INPUT (2 references)
target               prot       opt source     destination
ACCEPT               all        --  anywhere   anywhere
ACCEPT               icmp       --  anywhere   anywhere      icmp any
ACCEPT               ipv6-crypt --  anywhere   anywhere
ACCEPT               ipv6-auth  --  anywhere   anywhere
ACCEPT               udp        --  anywhere   224.0.0.251   udp dpt:5353
ACCEPT               udp        --  anywhere   anywhere      udp dpt:ipp
ACCEPT               all        --  anywhere   anywhere      state RELATED,ESTABLISHED
ACCEPT               tcp        --  anywhere   anywhere      state NEW tcp dpt:ssh
REJECT               all        --  anywhere   anywhere      reject-with icmp-host-prohibited
Now, I *think* from what I've read that this rule should be active and allowing FTP connections to the server (it isn't), and that this setup isn't actually saved to disk until I issue a further command.
So a few questions:
1. Why isn't my FTP rule working? I bet I've cocked it up, haven't I?
2. Do I need a rule for passive FTP, something like iptables -A INPUT -p tcp --dport 50000:50050 -j ACCEPT?
3. As I understand it, rules have to be entered in a specific order, so if you have a 'reject everything' rule it must be last to allow your 'allow whatever' rules to pass. How does this work when adding rules at the command line as I am doing above?
Sorry for the long post, and thanks very much in advance for any replies.
Edit: Just noticed this may be better placed in Networking - sorry.
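The following is an added example, not part of the original post and not written by the poster. It models iptables first-match traversal over the chains exactly as listed above, to show why the `-A INPUT` rule never sees FTP traffic: INPUT's first rule jumps into RH-Firewall-1-INPUT, and that chain's final REJECT gives a terminal verdict before evaluation ever returns to the appended ACCEPT. The model's "fixed" ruleset instead inserts the FTP rule into RH-Firewall-1-INPUT ahead of the REJECT (the effect of `iptables -I RH-Firewall-1-INPUT 9 -p tcp -m state --state NEW --dport 21 -j ACCEPT`). Two assumptions are made and marked in the code: the first `ACCEPT all` line in RH-Firewall-1-INPUT is the stock loopback rule `-i lo` (plain `iptables -L` hides interface matches; use `-v` to see them), and a passive-mode data connection is classified RELATED by the kernel FTP connection-tracking helper (`ip_conntrack_ftp` on older kernels, `nf_conntrack_ftp` on newer ones) when that module is loaded, so the existing RELATED,ESTABLISHED rule admits it without a 50000:50050 port-range rule.

```python
"""Minimal model of iptables first-match chain traversal (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", "esp", "ah"
    dport: int = 0             # destination port (0 for port-less protocols)
    state: str = "NEW"         # conntrack state: NEW, ESTABLISHED, RELATED
    in_iface: str = "eth0"     # ingress interface (constructed sample value)


@dataclass
class Rule:
    target: str                          # ACCEPT/REJECT/DROP/RETURN or a user chain
    proto: Optional[str] = None          # None = any protocol
    dports: Optional[range] = None       # None = any destination port
    states: Optional[Set[str]] = None    # None = no conntrack state match
    in_iface: Optional[str] = None       # None = any interface

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.dports is None or pkt.dport in self.dports)
                and (self.states is None or pkt.state in self.states)
                and (self.in_iface is None or pkt.in_iface == self.in_iface))


TERMINAL = {"ACCEPT", "REJECT", "DROP"}


def traverse(chains: Dict[str, List[Rule]], policies: Dict[str, str],
             chain: str, pkt: Packet) -> Optional[str]:
    """First matching rule wins. A jump into a user chain recurses; if that
    chain ends without a terminal verdict (or hits RETURN), evaluation resumes
    at the next rule of the caller. A built-in chain that runs off the end
    returns its policy; a user chain returns None to its caller."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = traverse(chains, policies, rule.target, pkt)
        if verdict is not None:
            return verdict
    return policies.get(chain)


def ruleset_from_post(fixed: bool = False):
    """Chains as listed after the poster's `-A INPUT` command. With fixed=True
    the FTP ACCEPT is inserted into RH-Firewall-1-INPUT at position 9, just
    ahead of the final REJECT, instead of being appended to INPUT."""
    rh = [
        Rule("ACCEPT", in_iface="lo"),                        # ASSUMED: stock `-i lo` rule
        Rule("ACCEPT", proto="icmp"),
        Rule("ACCEPT", proto="esp"),                          # listed as ipv6-crypt
        Rule("ACCEPT", proto="ah"),                           # listed as ipv6-auth
        Rule("ACCEPT", proto="udp", dports=range(5353, 5354)),
        Rule("ACCEPT", proto="udp", dports=range(631, 632)),  # ipp
        Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
        Rule("ACCEPT", proto="tcp", states={"NEW"}, dports=range(22, 23)),
        Rule("REJECT"),
    ]
    ftp_ctrl = Rule("ACCEPT", proto="tcp", states={"NEW"}, dports=range(21, 22))
    inp = [Rule("RH-Firewall-1-INPUT")]
    if fixed:
        rh.insert(8, ftp_ctrl)
    else:
        inp.append(Rule("ACCEPT", proto="tcp", dports=range(20, 22)))  # the -A INPUT rule
    return {"INPUT": inp, "RH-Firewall-1-INPUT": rh}, {"INPUT": "ACCEPT"}


def verdict(pkt: Packet, fixed: bool = False) -> str:
    chains, policies = ruleset_from_post(fixed)
    return traverse(chains, policies, "INPUT", pkt)


if __name__ == "__main__":
    ctrl = Packet("tcp", 21)                       # client opening the FTP control connection
    print("as posted:", verdict(ctrl))             # REJECT: user chain rejects before INPUT's ACCEPT
    print("inserted before REJECT:", verdict(ctrl, fixed=True))
    # Passive data connection: ASSUMED the FTP conntrack helper marks it RELATED,
    # so the existing RELATED,ESTABLISHED rule admits it; without the helper it is NEW.
    print("passive, helper loaded:", verdict(Packet("tcp", 50010, state="RELATED"), fixed=True))
    print("passive, no helper:", verdict(Packet("tcp", 50010, state="NEW"), fixed=True))
```

The same ordering logic applies on the real box: `-A` appends at the end of the named chain, `-I chain N` inserts at position N, and whichever rule matches first in the chain being walked decides the packet, so a rule appended after a jump whose target always terminates is dead. Note also that the ruleset shown here lives only in the kernel; it is not written to disk until saved (on Red Hat style systems typically with `service iptables save`, which writes /etc/sysconfig/iptables).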