Hi,

Following an excellent tutorial (http://homepage.ntlworld.com/jandg-cooper/home_network/) I successfully setup a home network which consists of a redhat 7.3 server acting as a gateway and two clients (WinXP PC and a Win98 laptop). The gateway connects to the Net via a cable modem with a dynamic IP address and almost everything works brilliantly...

My one big problem is that I cannot ftp from the clients to external sites!!! The names/ip's resolve OK but then nothing. A ping from a client to an external site name shows the ip address being resolved but then the request just times out, as if the firewall is silently dropping the reply? (It happens on both W98 and XP but I can ping externally ok from the gateway itself) I think I have loaded the necessary modules - ip_conntrack_ftp and ip_nat_ftp (full list at the end)

I would be very grateful if somebody could have a look at the firewall script I am using and give me an idea why ftp/ping is not working (if it is to do with the firewall). And of course if you have any suggestions to improve it feel free.

It's probably something really simple that i have missed, but i don't know what to try!

Thanks


# eth0 is connected to the lan and eth1 is connected to NTL Cable modem

# Flush nat table and set policies
iptables -t nat -F
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Masquerade the internet connection
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Flush Filter table and set policies
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Allow email in
iptables -A INPUT -i eth1 -p TCP --dport smtp -j ACCEPT
iptables -A INPUT -i eth1 -p UDP --dport smtp -j ACCEPT

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# The next settings open ports to allow NTL network management over
# the cable modem link.

# allow pings
iptables -A INPUT -i eth1 -p ICMP -j ACCEPT


# allow DHCP messages from the ubr
iptables -A INPUT -i eth1 -s 172.29.xxx.xxx -p UDP --dport bootpc -j ACCEPT

# allow DHCP messages from the NTL DHCP servers
iptables -A INPUT -i eth1 -s 62.252.32.3 -p UDP --dport bootpc -j ACCEPT
iptables -A INPUT -i eth1 -s 62.252.32.4 -p UDP --dport bootpc -j ACCEPT
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# Disallow any other NEW and INVALID incoming or forwarded packets
# from the internet
iptables -A INPUT -i eth1 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j DROP


#[END]


The modules I have loaded are...

lsmod

Module Size Used by Not tainted
ip_conntrack_ftp 4768 0 (unused)
ip_nat_ftp 4160 0 (unused)
autofs 11940 0 (autoclean) (unused)
3c509 10624 1
3c59x 27432 1
ipt_state 1408 2 (autoclean)
ipt_MASQUERADE 2272 1 (autoclean)
iptable_nat 19348 2 (autoclean) [ip_nat_ftp ipt_MASQUERADE]
ip_conntrack 20044 3 (autoclean) [ip_conntrack_ftp ip_nat_ftp ipt_state ipt_MASQUERADE iptable_nat]
iptable_filter 2624 1 (autoclean)
ip_tables 13536 6 [ipt_state ipt_MASQUERADE iptable_nat iptable_filter]
ide-cd 29856 0 (autoclean)
cdrom 33184 0 (autoclean) [ide-cd]
ext3 64448 5
jbd 47608 5 [ext3]

It seems like you need to open TCP and UDP protocol on port 21.
The other thing is have you enabled your wuftp or proftp whatever you use for ftp server?

Lintadsl

I don't actually want to run an ftp service on the gateway, I just want to be able to ftp to external sites from a client within the network.

Did you solve this problem?? I have same situation here?

try
iptables -A FORWARD -i eth1 -m state --state INVALID -j DROP
against used
iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j DROP
above is not safe but I hope will help (pls inform me if helps)

Actually I have aDSL so I need to do that from ppp0 so I will try it and I will let you know

The problem was very simple in the end, IP forwarding did not survive a reboot! I did not check the simple stuff before assuming it must be the firewall.