I appreciate your work on the script, but I did not get my original script
back, just your notes on changes made. I can try to piece it together, but
was hoping for the modified script.


> I have looked at your script and am sending it back with a couple of
> changes. A couple are minor issues that have nothing to do with the ftp
> issue. Others I think will address that problem. I marked the sections
> I changed with '# *****'
>
> You had:
> LAN_BCAST_ADRESS="192.168.255.255"
> Should be:
> LAN_BCAST_ADRESS="192.168.0.255"
>
> You had:
> $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
> Should be:
> $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/24 -j DROP
>
> (The above two changes are because you specified your IP address as
> 192.168.0.1 and your LAN as 192.168.0.0/24.)
>
> Finally, the ftp issue:
>
> FTP has two modes: active and passive. Active mode requires that you
> not only allow ports 20 and 21 going out (which you do), but also allow
> ports 20 and 21 coming in.
>
> Passive mode requires port 21 coming in, and a non-privileged port
> (>1024) coming in.
>
> I added these lines to your script (but haven't tested - that's an
> exercise for the reader):
>
> # support active ftp
> $IPTABLES -A tcp_packets -p TCP --sport 20:21 -j allowed
> # support passive ftp
> $IPTABLES -A tcp_packets -p TCP --sport 1024: --dport 1024: -j allowed
>
> --
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul,
> Minnesota http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list


-- 
Raymond Norton
Little Crow Telemedia Network
2 Centry Av
Hutchinson, MN.
320-234-0270
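The two fixes discussed in the quoted reply (a broadcast address that does not match the LAN prefix, and FTP data connections being blocked) can both be handled without hand-typed addresses or a blanket "any high port to any high port" rule. The script below is an added example, not the script from this thread: it derives the broadcast address from the LAN prefix, and emits FTP rules that rely on the kernel's FTP connection-tracking helper so that only the data connection negotiated on the control channel is admitted. The chain names (INPUT/OUTPUT), the interface name in INET_IFACE, and the module name nf_conntrack_ftp (ip_conntrack_ftp on 2.4 kernels) are assumptions; IPTABLES defaults to a dry-run printer, so running the script only prints the rules until IPTABLES=/sbin/iptables is set.

```shell
#!/bin/sh
# Added example (not the thread's script). Helpers:
#   broadcast_for NET/PREFIX -> directed broadcast address for the LAN, so
#                               LAN_BCAST_ADRESS is computed, not typed
#   ftp_rules                -> FTP rules using the conntrack FTP helper
#   count_rules              -> number of rules ftp_rules would add (dry run)
# Assumptions: INET_IFACE, the INPUT/OUTPUT chains, and the module name
# nf_conntrack_ftp (older 2.4 kernels used ip_conntrack_ftp).

dry_run() { printf '%s\n' "$*"; }          # prints the command instead of running it
IPTABLES="${IPTABLES:-dry_run}"            # set IPTABLES=/sbin/iptables to apply
MODPROBE="${MODPROBE:-dry_run modprobe}"
INET_IFACE="${INET_IFACE:-eth0}"

# broadcast_for 192.168.0.0/24 -> 192.168.0.255
broadcast_for() {
    net="${1%/*}"
    prefix="${1#*/}"
    old_ifs=$IFS
    IFS=.
    set -- $net                            # $1..$4 are now the four octets
    IFS=$old_ifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    hostmask=$(( (1 << (32 - prefix)) - 1 ))   # bits that belong to the host part
    bcast=$(( addr | hostmask ))               # all host bits set = broadcast
    printf '%d.%d.%d.%d\n' \
        $(( (bcast >> 24) & 255 )) $(( (bcast >> 16) & 255 )) \
        $(( (bcast >> 8) & 255 ))  $(( bcast & 255 ))
}

# The FTP helper watches the control channel (port 21) and marks the data
# connection it negotiates as RELATED: server port 20 -> client high port for
# active mode, client -> server high port for passive mode. That replaces
# "--sport 1024: --dport 1024: -j allowed", which would admit any inbound
# high-port-to-high-port TCP connection from the Internet.
ftp_rules() {
    $MODPROBE nf_conntrack_ftp
    # outbound control channel to any FTP server
    $IPTABLES -A OUTPUT -o "$INET_IFACE" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # data channels and replies: only what conntrack ties to an existing session
    $IPTABLES -A INPUT  -i "$INET_IFACE" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INET_IFACE" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # unsolicited connections from the Internet to high ports stay dropped
    $IPTABLES -A INPUT  -i "$INET_IFACE" -p tcp --dport 1024: -m state --state NEW -j DROP
}

# count_rules -> how many "-A" rules a dry run of ftp_rules prints
count_rules() {
    ( IPTABLES=dry_run; MODPROBE="dry_run modprobe"; ftp_rules ) | grep -c -- '-A '
}

# Dry run (IPTABLES unset): print the derived broadcast address and the rules.
LAN_BCAST_ADRESS=$(broadcast_for 192.168.0.0/24)
echo "LAN_BCAST_ADRESS=$LAN_BCAST_ADRESS"
ftp_rules
```

Run it as-is to see what would be applied; with IPTABLES=/sbin/iptables and MODPROBE=/sbin/modprobe (as root) the same functions apply the rules. Note that a policy of DROP on INPUT is still needed for the final rule to mean anything beyond the high-port range it names.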