iptables rules for ftp


flourishing
17th June 2006, 11:10
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


The rules not in red are the original rules, which only accept 22 (ssh). I want them to allow the FTP server to be accessed by IE or an FTP client. How should the rules be?
The red rules are the ones I added, but they don't work.

thanks for help .

brianaustin
18th June 2006, 03:45
-A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 20 -j ACCEPT

also
-A RH-Firewall-1-INPUT -j LOG (I think that's the syntax)

and look at syslog to see what's happening when you ftp

also you may need some --sport 20,21 rules

b

falko
18th June 2006, 13:57
Which distribution do you use?

dealspiggy
10th April 2008, 03:02
I'm using CentOS 5.1

thanks

NixerX
14th April 2008, 17:30
Do you need to /sbin/modprobe ip_conntrack_ftp ?

topdog
14th April 2008, 21:18
Due to the nature of the FTP protocol, yes, you need connection tracking, so the module needs to be loaded. To make it permanent, add the module to

/etc/sysconfig/iptables-config
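An added example, not code from the thread, of making topdog's fix stick and of the rules the helper makes sufficient for flourishing's chain. It assumes the RHEL/CentOS 5 layout of /etc/sysconfig/iptables-config, where the IPTABLES_MODULES variable lists helpers to modprobe at service start, and takes the file path as a parameter so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not from the thread). Persists ip_conntrack_ftp through
# IPTABLES_MODULES in an iptables-config file (RHEL/CentOS 5 layout assumed)
# and prints the minimal FTP rules that the helper makes sufficient.

# Current IPTABLES_MODULES value from an iptables-config file (empty if unset).
iptables_modules() {
    sed -n 's/^IPTABLES_MODULES="\(.*\)"$/\1/p' "$1"
}

# Append a helper module to IPTABLES_MODULES without duplicating it,
# creating the variable if the file does not have one yet.
add_iptables_module() {
    cfg="$1"; mod="$2"
    cur=$(iptables_modules "$cfg")
    for m in $cur; do [ "$m" = "$mod" ] && return 0; done
    new="${cur:+$cur }$mod"
    if grep -q '^IPTABLES_MODULES=' "$cfg"; then
        sed "s/^IPTABLES_MODULES=.*/IPTABLES_MODULES=\"$new\"/" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'IPTABLES_MODULES="%s"\n' "$new" >> "$cfg"
    fi
}

# Rules for the RH-Firewall-1-INPUT chain in iptables-save format. Only the
# control channel (21) needs a NEW rule: once the helper is loaded, passive-mode
# data connections to random high ports are classified RELATED and match the
# existing ESTABLISHED,RELATED rule, so no port-20 rule or open port range is
# needed on INPUT (active-mode data leaves via OUTPUT, which is ACCEPT).
ftp_rules() {
    cat <<'EOF'
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Runtime check (needs a live box, not exercised offline): is the helper loaded?
ftp_helper_loaded() {
    lsmod | grep -q '^ip_conntrack_ftp\|^nf_conntrack_ftp'
}
```

Run add_iptables_module against the real file as root, then restart the iptables service and confirm with ftp_helper_loaded before testing a passive-mode transfer.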