LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
#1  05-17-2002, 01:31 PM
TruckStuff (Member)
Stumped with IPTABLES


I'm (trying) to build a firewall for an FTP server I built for work and the iptables howto and man page aren't of much help. Basically, I want to only allow ftp connections and ssh connections so I can remotely admin. Here is what I tried:

iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

The problem is that when I have the policy for the input table set to DROP, I can't ftp to the box at all (the connection request times out). When I set the policy to ACCEPT, it works normally. This says to me that this rule isn't catching my FTP connection requests the way I think it should be. Any tips? Thanks.
 
#2  05-17-2002, 06:17 PM
unSpawn (Moderator)
You need ftp-data (TCP port 20, UDP port 20) as well.
*One aid when trying to fix/find stuff out is to add logging to rules. Granted, it may be a lot of logging to wade through, but it should make it easier to see what gets blocked.
 
#3  05-23-2002, 09:50 PM
TruckStuff (Member, original poster)
Sheesh....

Very frustrating. Here is my iptables as we speak, and I still can't log in via ftp:

Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
2 ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
3 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
4 ACCEPT udp -- anywhere anywhere udp dpt:ftp-data
5 ACCEPT udp -- anywhere anywhere udp dpt:ftp

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

The log file shows the system receiving a series of TCP SYN packets from my local gateway (indicating it is coming in from the internet) directed to the FTP server port 21. But still I can't log into it. As soon as I change the INPUT policy to ACCEPT, everything works. What am I missing here that the firewall isn't catching these incoming connections?
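The log entries described in the post above are what the iptables LOG target writes to syslog. Added here as an editor's example, not code from anyone in the thread: a small shell function that summarises such lines by protocol, port class and TCP flags, so that a few hundred dropped packets collapse into a handful of lines that point at the service or rule responsible. The sample log it runs over is constructed for the example (host name, addresses and the "BLOCKED PACKET: " prefix are made up), in the field layout the kernel uses.

```shell
#!/bin/sh
# Added example, not from the thread: summarise iptables LOG lines so dropped
# packets can be attributed to a service instead of being read one at a time.
# Input is syslog/dmesg text on stdin; the optional first argument is the
# --log-prefix of the LOG rule. Ports above 1023 are folded into "high" so that
# replies to the server's own outbound connections (ephemeral destination port)
# group together instead of producing one line per connection.
summarize_drops() {
    prefix="${1:-}"
    grep -F -- "$prefix" | awk '
        function port(p) { return (p == "" ? "-" : (p + 0 > 1023 ? "high" : p)) }
        /PROTO=/ {
            proto = ""; spt = ""; dpt = ""; flags = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/)      proto = substr($i, 7)
                else if ($i ~ /^SPT=/)   spt = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                else if ($i ~ /^(URG|ACK|PSH|RST|SYN|FIN)$/)
                    flags = (flags == "" ? $i : flags "," $i)
            }
            key = proto " " port(spt) "->" port(dpt)
            if (flags != "") key = key " " flags
            count[key]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample log (not a real capture) in the format the kernel LOG
# target writes: a client behind the gateway 192.168.1.1 tries to use the FTP
# server 192.168.1.10 while INPUT ends in a LOG rule followed by policy DROP.
SAMPLE_LOG=$(cat <<'EOF'
May 17 13:31:02 ftpsrv kernel: BLOCKED PACKET: IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:50:56:c0:00:01:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=40211 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 13:31:05 ftpsrv kernel: BLOCKED PACKET: IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:50:56:c0:00:01:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=40212 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 13:31:06 ftpsrv kernel: BLOCKED PACKET: IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:50:56:c0:00:01:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=101 TOS=0x00 PREC=0x00 TTL=63 ID=7 PROTO=UDP SPT=53 DPT=32771 LEN=81
May 17 13:31:06 ftpsrv kernel: BLOCKED PACKET: IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:50:56:c0:00:01:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=113 DPT=1027 WINDOW=5792 RES=0x00 ACK SYN URGP=0
May 17 13:31:09 ftpsrv kernel: BLOCKED PACKET: IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:50:56:c0:00:01:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=40213 DF PROTO=TCP SPT=40002 DPT=50017 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 13:31:10 ftpsrv kernel: eth0: link up, 100Mbps, full-duplex
EOF
)

printf '%s\n' "$SAMPLE_LOG" | summarize_drops 'BLOCKED PACKET: '
```

Reading the summary: "TCP high->21 SYN" is an unsolicited inbound connection to the service and needs an ACCEPT rule for port 21; "UDP 53->high" and "TCP 113->high ACK,SYN" are replies to lookups the server itself sent out (DNS and ident), which only a state match on ESTABLISHED lets back in; "TCP high->high SYN" is a passive-mode data connection from the client, which the FTP connection-tracking helper would mark RELATED if it were loaded. Pipe the real file through the function with the prefix from your own LOG rule (for example grep through /var/log/messages) and the same four categories usually account for everything.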
 
#4  05-26-2002, 05:49 AM
Noerr (Member; Distribution: Redhat 7.3)
Having the input policy set to drop is far from a firewall. You should go over to http://www.linuxguruz.org/iptables/ and check those scripts.
You should at least set the forward policy to drop and then let established connections go through:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Also check -t nat (the nat table) for anything that shouldn't be there.

good luck
 
#5  05-28-2002, 05:15 PM
TruckStuff (Member, original poster)
I'm just about convinced that linux hates me and will do everything that it can to kill my resolve. Here is today's update:

I went to the page that Noerr suggested and decided on the following script: http://www.linuxguruz.org/iptables/s...rewall_010.txt

When I ran the script, it gave me a ton of errors: ": command not found" for just about every line in the script; "Bad argument DROP", "Try 'iptables -h' or 'iptables --help' for more information."; more than a few "'ad argument `" errors.

I have commented out a few lines about connections I don't want to allow like telnet and www. I commented out the first few lines about "modprobe ip_tables", etc. because they were giving me errors and this seemed to help cut down on the number of error messages. The only other thing I have done to modify this script is to add echos throughout the script to give me an idea of where some of these errors are coming from (see the results above). I also commented out the lines about setting the default policy to drop because when they executed, the box denied every connection, including my SSH connection (which you will note should have been allowed by this script). After the script is run, 'iptables -L' yields the following:

Chain INPUT (policy ACCEPT)
target prot opt source destination
syn-flood tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
LOG all -f anywhere anywhere LOG level warning prefix `IPTABLES FRAGMENT: '
DROP all -f anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
LOG udp -- anywhere anywhere LOG level warning prefix `IPTABLES UDP-IN: '
LOG icmp -- anywhere anywhere LOG level warning prefix `IPTABLES ICMP-IN: '
LOG tcp -- anywhere anywhere LOG level warning prefix `IPTABLES TCP-IN: '
LOG all -- anywhere anywhere LOG level warning prefix `IPTABLES PROTOCOL-X-IN: '

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG udp -- anywhere anywhere LOG level warning prefix `IPTABLES UDP-OUT: '
LOG icmp -- anywhere anywhere LOG level warning prefix `IPTABLES ICMP-OUT: '
LOG tcp -- anywhere anywhere LOG level warning prefix `IPTABLES TCP-OUT: '
LOG all -- anywhere anywhere LOG level warning prefix `IPTABLES PROTOCOL-X-OUT: '

Chain syn-flood (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 1/sec burst 4
DROP all -- anywhere anywhere

Can someone please tell me why iptables hates me? I am running Mandrake 8.2 with iptables v 1.2.5. TIA.
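The thread never identifies what produced the errors quoted in the post above, but the combination is the classic signature of a script saved with DOS (CRLF) line endings: the shell treats the carriage return as part of each command (so blank lines report ": command not found"), iptables receives arguments such as "DROP\r" and reports a bad argument, and when it prints that message the carriage return moves the cursor back to the start of the line, which is why the word "Bad" appears overwritten. That diagnosis is the editor's inference, not something stated in the thread. Added as an editor's example, not code from any poster: a check to run on a downloaded firewall script before executing it, with a fix. The file names in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: check a downloaded firewall script for
# DOS (CRLF) line endings before running it. A carriage return at the end of
# each line makes the shell look for a command named "\r" on otherwise-empty
# lines (": command not found") and passes iptables arguments such as "DROP\r"
# (Bad argument); when the error is printed, the \r moves the cursor back to
# the start of the line so the message is displayed partly overwritten.
CR=$(printf '\r')

# Exit status 0 when the file contains no carriage returns, 1 when it does.
check_crlf() {
    file="$1"
    n=$(grep -c -- "$CR" "$file") || true
    if [ "${n:-0}" -gt 0 ]; then
        echo "$file: $n line(s) end in CRLF" >&2
        return 1
    fi
    return 0
}

# Write a copy with the carriage returns removed; harmless on a clean file.
strip_crlf() {
    tr -d '\r' < "$1" > "$2"
}

# Check and, if needed, fix a script in one step; prints the path that is
# safe to run (the original, or a cleaned copy named <script>.unix).
fixed_copy() {
    if check_crlf "$1" 2>/dev/null; then
        printf '%s\n' "$1"
    else
        strip_crlf "$1" "$1.unix"
        printf '%s\n' "$1.unix"
    fi
}
```

Typical use is sh "$(fixed_copy firewall_010.txt)" instead of running the download directly; the same check is worth applying to anything pasted from a web page into a file on a Windows machine and copied over.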
 
#6  06-15-2002, 06:19 PM
EternalKnight (LQ Newbie; Distribution: Red Hat 7.2)
I ran into a similar problem because, on my installation, ipchains was enabled by default, not iptables. Run chkconfig and look for ipchains. Make sure it is set to off at all run levels.
 
#7  06-16-2002, 07:54 AM
Griffon26 (Member; Distribution: Gentoo, Debian, Mandrake, LFS)
Quote:
Originally posted by Noerr
Having the input policy set to drop is far from a firewall.
Switching over to a more complex firewall script is not helpful in this situation. The first thing to do when you have such a strange problem and it is reproducible, is to find out what you can do to make it work with as few changes as possible.

And to truckstuff:
You say that as soon as you change the INPUT policy to ACCEPT, it works. This means that you should log the packets that are being DROPped by the INPUT chain. You should inspect the packets being logged to see which ones belong to the ftp connection or connection attempt.
You can do this by adding the following rule:

iptables -A INPUT -j LOG --log-level 6 --log-prefix "BLOCKED PACKET: "

If you're being spammed with packets this could crash syslog. In that case you need to add "-m limit". The reason you should not add that right away is that you preferably want to see _all_ packets that are being dropped.

Finally, it's very important that at the start of your firewall script, you clear all chains.

iptables -F
iptables -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t nat -F
iptables -t nat -X

I noticed you had a line like this in the middle of your INPUT rules:

DROP all -f anywhere anywhere

I don't know what -f does, but if this line simply DROPS all packets, the lines that come after it have no effect at all.
Probably a left-over line from a previous run of the script.

Last edited by Griffon26; 06-16-2002 at 07:56 AM.
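Pulling the thread's suggestions together (flush every table first, a state match so replies and related connections get back in, a LOG rule at the end of INPUT), here is an added editor's example of the minimal stateful ruleset for a host that offers only FTP and SSH with INPUT defaulting to DROP. It is not code from any poster or from the linuxguruz scripts. It is a dry run by default and only prints the iptables commands, so the rule set can be reviewed before APPLY=1 executes them as root. The helper module name ip_conntrack_ftp is the 2.4-kernel name (nf_conntrack_ftp on later kernels); the passive port range 50000:50100 is a hypothetical value that must match whatever the FTP daemon is configured to use.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful ruleset for a host
# that offers only FTP and SSH, with INPUT defaulting to DROP. Dry run unless
# APPLY=1 is set, in which case the commands are executed (as root).
# Assumptions: FTP conntrack helper module ip_conntrack_ftp (2.4 kernels;
# nf_conntrack_ftp on later ones) and a hypothetical passive range 50000:50100.
if [ "${APPLY:-0}" = "1" ]; then
    IPT=iptables
    MODPROBE=modprobe
else
    IPT="echo iptables"          # dry run: print instead of execute
    MODPROBE="echo modprobe"     # (echo drops the quotes around the log prefix)
fi

FTP_HELPER="${FTP_HELPER:-ip_conntrack_ftp}"
PASV_RANGE="${PASV_RANGE:-50000:50100}"

ftp_ssh_rules() {
    # The helper follows PORT/PASV on the control channel and marks the
    # resulting data connection RELATED; without it the data channel hits DROP.
    $MODPROBE "$FTP_HELPER"

    # Flush and delete everything first so a previous run leaves nothing behind.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X

    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT

    # Packets that belong to a connection already tracked: FTP data channels
    # (RELATED via the helper) and replies to the server's own outbound traffic,
    # e.g. the DNS or ident lookups an FTP daemon does when a client connects.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections only to the two services offered. --dport, not --sport:
    # a --sport 22 rule would admit replies to an outgoing ssh client instead.
    $IPT -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Needed only when the helper cannot read the control channel (FTP over
    # TLS): open the daemon's passive range explicitly.
    if [ "${OPEN_PASV:-0}" = "1" ]; then
        $IPT -A INPUT -p tcp --dport "$PASV_RANGE" -m state --state NEW -j ACCEPT
    fi

    # Log what reaches the end of the chain before the DROP policy takes it.
    # Rate-limited so a flood cannot fill the log; remove the limit while
    # debugging a single connection if every packet must be seen.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

ftp_ssh_rules
```

The ESTABLISHED,RELATED rule is what a bare accept on port 21 lacks. With the FTP helper loaded it admits the data connection the helper ties to the control channel, in either active or passive mode, so no rule for port 20 or for a passive range is needed. It also admits replies to the server's own outgoing connections, such as the reverse DNS and ident lookups many FTP daemons perform on a connecting client; with a DROP policy and no state rule those replies are silently discarded and the login stalls until the lookups time out, which looks exactly like a connection that "times out" even though the port-21 SYNs were accepted. Direction matters for the SSH rule as well: a rule matching the ssh port as source port on INPUT admits replies to an outgoing ssh client, not incoming admin sessions, which need --dport 22.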
 