I appreciate your work on the script, but I did not get my original script back, just your notes on changes made. I can try to piece it together, but was hoping for the modified script.

> I have looked at your script and am sending it back with a couple of
> changes. A couple are minor issues that have nothing to do with the ftp
> issue. Others I think will address that problem. I marked the sections
> I changed with '# *****'
>
> You had:
> LAN_BCAST_ADRESS="192.168.255.255"
> Should be:
> LAN_BCAST_ADRESS="192.168.0.255"
>
> You had:
> $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
> Should be:
> $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/24 -j DROP
>
> (The above two changes are because you specified your IP address as
> 192.168.0.1 and your LAN as 192.168.0.0/24.)
>
> Finally, the ftp issue:
>
> FTP has two modes: active and passive. Active mode requires that you
> not only allow ports 20 and 21 going out (which you do), but also allow
> ports 20 and 21 coming in.
>
> Passive mode requires port 21 coming in, and a non-privileged port
> (>1024) coming in.
>
> I added these lines to your script (but haven't tested - that's an
> exercise for the reader):
>
> # support active ftp
> $IPTABLES -A tcp_packets -p TCP --sport 20:21 -j allowed
> # support passive ftp
> $IPTABLES -A tcp_packets -p TCP --sport 1024: --dport 1024: -j allowed
>
> --
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul,
> Minnesota http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list

--
Raymond Norton
Little Crow Telemedia Network
2 Centry Av
Hutchinson, MN.
320-234-0270
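Editor's note on the quoted FTP rules, with an added example that is not part of the thread and not anyone's posted script. The suggested `--sport 1024: --dport 1024: -j allowed` line matches any TCP packet whose source and destination ports are both above 1023, which is far more than the one data connection a transfer negotiates; the `--sport 20:21` line likewise trusts anything that claims to come from those ports. A stateful firewall avoids both problems by reading the control channel: the client's PORT command (active mode) or the server's 227 reply to PASV (passive mode) names exactly one address and port, and only that connection needs a hole. On Linux this is what the kernel's FTP connection-tracking helper does behind an `-m state --state RELATED,ESTABLISHED` rule. The example below does the same decoding in user space so you can see what the helper has to check, including rejecting a PORT/PASV address that does not belong to the peer that sent it (the classic FTP bounce). The client and server addresses, interface name and captured control-channel lines are constructed for the example.

```python
# Added example (editor's, not from the mailing-list thread): derive the single
# data connection an FTP transfer needs from the PORT command or the 227 PASV
# reply on the control channel, the way a stateful FTP helper does, and build
# the narrow iptables pinhole for it. All addresses, ports and lines are
# constructed sample data.
import re
from dataclasses import dataclass
from typing import Optional

# RFC 959 carries address and port as six decimal bytes: h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataConnection:
    """One TCP connection the firewall must allow for a transfer."""
    mode: str                # "active" or "passive"
    src_ip: str
    src_port: Optional[int]  # None = any ephemeral port
    dst_ip: str
    dst_port: int


def _host_port(fields):
    """Decode the h1,h2,h3,h4,p1,p2 form; every field must fit in one byte."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %s" % ",".join(fields))
    h1, h2, h3, h4, p1, p2 = nums
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def data_connection(line, client_ip, server_ip):
    """Return the data connection implied by one control-channel line, or None.

    The address inside PORT/PASV must be the peer that sent it. Anything else
    would make the firewall open a hole towards a third host (FTP bounce), so
    it is rejected instead of pinholed, which is also how conntrack behaves
    unless you deliberately loosen it.
    """
    m = PORT_RE.match(line)
    if m:  # active mode: the server dials back from port 20 to the client
        ip, port = _host_port(m.groups())
        if ip != client_ip:
            raise ValueError("PORT address %s is not the client %s" % (ip, client_ip))
        return DataConnection("active", server_ip, 20, ip, port)
    m = PASV_RE.match(line)
    if m:  # passive mode: the client dials the port the server announced
        ip, port = _host_port(m.groups())
        if ip != server_ip:
            raise ValueError("PASV address %s is not the server %s" % (ip, server_ip))
        return DataConnection("passive", client_ip, None, ip, port)
    return None


def iptables_pinhole(conn, iface):
    """ACCEPT exactly this connection; iface is the Internet-facing interface."""
    if conn.mode == "active":
        # inbound SYN from the server's port 20 to the one port the client announced
        return ("-A tcp_packets -i %s -p TCP -s %s --sport %d -d %s --dport %d -j allowed"
                % (iface, conn.src_ip, conn.src_port, conn.dst_ip, conn.dst_port))
    # outbound from the client to the one port the server announced
    return ("-A OUTPUT -o %s -p TCP -s %s -d %s --dport %d -j ACCEPT"
            % (iface, conn.src_ip, conn.dst_ip, conn.dst_port))


def blanket_rule_matches(src_port, dst_port):
    """What the quoted '--sport 1024: --dport 1024:' rule actually matches."""
    return src_port >= 1024 and dst_port >= 1024


if __name__ == "__main__":
    client, server = "192.168.0.10", "198.51.100.7"   # constructed addresses
    session = [                                       # constructed control channel
        "220 ftp ready",
        "PORT 192,168,0,10,4,1",                       # active: client listens on 1025
        "227 Entering Passive Mode (198,51,100,7,195,149).",  # passive: server port 50069
    ]
    for line in session:
        conn = data_connection(line, client, server)
        if conn is not None:
            print(conn.mode, "->", iptables_pinhole(conn, "eth0"))
    # an unrelated high-port connection the blanket rule would also let in
    print("blanket rule matches 51000->4444:", blanket_rule_matches(51000, 4444))
```

Two pinholes come out of that session: one inbound from 198.51.100.7:20 to 192.168.0.10:1025 for the active transfer, and one outbound to 198.51.100.7:50069 for the passive one. The blanket rule from the quoted message accepts both, and also every other packet with both ports above 1023, which is why the connection-tracking helper (or this kind of parsing on a proxy) is the better fix than widening static rules.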