How can I block incoming (FORWARD) ftp access to 10.150.125.0/24 and 172.16.136.0/24?

TIA

Would this work?

but what if i want to allow ftp access from inside my Network (192.168.0.0)

when 192.168.0.254 is ftp server in my network

please reply

Because port 21 is used to establish ftp connections that should work.

First of all enable port 21.
Then allow port 20 to go out to any other port (normal ftp port mode)
and allow all port > 1024 to acces the ftp server ports > 1024 (passive ftp mode)

Hello dear friend

why its FORWARD chain,rather than INPUT

can u explain it please

& as i understand it will block traffic from all IPs/all networks deatined to port 21

so what will happen to Local network. Will the hosts in local network be able to access ftp (port 21).?

Because there are multiple networks I assume there is a Linux router with multiple interfaces which is used as the firewall for all private networks and then you have to use the forward chain on this router. If you have one system directly connected to the internet then you are right and you have to use the input chain. You also might drop all connections on the ftp servers from the outside. But then you have to create sophisticated iptables rules so you can access the ftp server from the internal net. If you drop forwarding on the Linux router that's much easier.

hi framp

u did the excellent job. Its great.. So what i understood from this discussion is ..

1. In case of ftp is running in local network we use FORWARD on Linux router
2. In case of ftp is running same box as of Linux router we use INPUT

is it right sir?

I have the 2nd case means my Linux box is directly connected to the internet through DSL
its Linux router as well as ftp server/telnet server.So i think i have to use INPUT chain instead of FORWARD. Right?

Please reply

thanks for help again

yes you are right

@varindersingh, see Netfilter Traversal Diagramm it shows the tables and default rules a packet passes.

Hi friends

I got it.

Thanks for help