iptables ftp problem

can someone tell me why i can't connect to any ftp site with the following rules:

#Turn on outgoing communication
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --destination-ports 20,21,22,25,43,80,82,119,123,137,138,139 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --destination-ports 143,389,443,445,554,2628,1755,4321,5050 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --destination-ports 20,21,22,25,43,80,82,119,123,137,138,139 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "--DROP:OUTPUT INVALID-- "
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -j LOG --log-prefix "--DROP:OUTPUT NOT MATCHED-- "
iptables -A OUTPUT -j DROP

i get the following entries in the log for rutgers university and indiana university for example:

May 12 12:08:23 localhost kernel: --DROP:OUTPUT NOT MATCHED-- IN= OUT=eth0 SRC=192.168.2.101 DST=165.230.246.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22985 DF PROTO=TCP SPT=42064 DPT=44763 WINDOW=5840 RES=0x00 SYN URGP=0
May 12 12:09:21 localhost kernel: --DROP:OUTPUT NOT MATCHED-- IN= OUT=eth0 SRC=192.168.2.101 DST=156.56.247.193 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=821 DF PROTO=TCP SPT=42068 DPT=31170 WINDOW=5840 RES=0x00 SYN URGP=0

if i were to take off the 80 or 143 in the -m multiport line, then i can't surf or read my IMAP mail. but when i put them back in, everything is fine.

what am i missing that won't allow me to connect to an ftp server? i know that if i added 'NEW' to the -m state --state RELATED,ESTABLISHED -j ACCEPT line then it works, but then *every* port will get through (out) and i don't even need the '-m multiport' line at all. i'd rather define which ports get out. am i being paranoid, and should i just use 'NEW' with RELATED,ESTABLISHED? is the -m multiport line going overboard? and why does every other port work except for ftp, if i don't have 'NEW' included? i'll post more of my iptables rules if it's needed.

cheers

--
there's no place like ~
there's no place like ~
(remove eh to email.)
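As an added example that is not part of the original thread: a small Python checker for the kernel LOG lines quoted above, which parses each dropped packet, tests its destination port against the poster's --destination-ports lists, and flags an outbound bare SYN to a high port as the passive-mode FTP data channel (the one connection these rules cannot match, since the state match only reports it as RELATED when the kernel's FTP conntrack helper is loaded). The two sample lines are constructed copies of the post's log entries; port 1024 as the "high port" threshold is an assumption.

```python
import re

# Constructed copies of the two kernel LOG lines quoted in the post.
SAMPLE_LOG = """\
May 12 12:08:23 localhost kernel: --DROP:OUTPUT NOT MATCHED-- IN= OUT=eth0 SRC=192.168.2.101 DST=165.230.246.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22985 DF PROTO=TCP SPT=42064 DPT=44763 WINDOW=5840 RES=0x00 SYN URGP=0
May 12 12:09:21 localhost kernel: --DROP:OUTPUT NOT MATCHED-- IN= OUT=eth0 SRC=192.168.2.101 DST=156.56.247.193 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=821 DF PROTO=TCP SPT=42068 DPT=31170 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Union of the --destination-ports lists in the poster's two TCP multiport rules.
ALLOWED_NEW_TCP = {20, 21, 22, 25, 43, 80, 82, 119, 123, 137, 138, 139,
                   143, 389, 443, 445, 554, 2628, 1755, 4321, 5050}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")        # KEY=VALUE tokens (IN= may be empty)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # logged as bare words


def parse_log_line(line):
    """Split a netfilter LOG line into its KEY=VALUE fields plus the set of TCP flags."""
    fields = dict(FIELD_RE.findall(line))
    fields["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def classify_drop(fields):
    """Explain why none of the poster's OUTPUT rules matched this dropped packet."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    if fields["flags"] != {"SYN"}:
        return "not-new"          # only a bare SYN is a NEW outbound connection
    dport = int(fields["DPT"])
    if dport in ALLOWED_NEW_TCP:
        return "allowed"          # a multiport rule matches; the drop has another cause
    if dport >= 1024:             # assumption: treat >= 1024 as a server-chosen high port
        # A NEW connection from the client to a server-chosen high port is the
        # passive-mode (PASV) FTP data channel. Without the FTP conntrack helper
        # (ip_conntrack_ftp on 2.4/2.6 kernels, nf_conntrack_ftp later) the state
        # match reports NEW rather than RELATED, so only the final DROP matches.
        return "passive-ftp-data"
    return "unlisted-port"


def audit(log_text):
    """Return (DST, DPT, verdict) for every OUTPUT drop in the log text."""
    out = []
    for line in log_text.splitlines():
        if "--DROP:OUTPUT" not in line:
            continue
        f = parse_log_line(line)
        out.append((f["DST"], int(f["DPT"]), classify_drop(f)))
    return out
```

Both quoted entries come out as "passive-ftp-data", which is why adding NEW to the RELATED,ESTABLISHED rule "fixes" it at the cost of opening every outbound port; loading the FTP helper lets the data connection match as RELATED without that.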