https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225347#M10801 also open 21 and 20 udp ports<BR />you need to have in your list the open ports first and the deny rule should come after it... Mon, 22 Mar 2004 08:50:24 GMT Alexander Chuzhoy 2004-03-22T08:50:24Z https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225346#M10800 I want to make ftp from one of the pc´s on my net, but as i have configured a firewall in linux, i can´t. In the firewall ports 20 and 21 are open, but i can only set a ftp conection but not get data. With iptables line must i put in the linux firewall to permit active ftp Mon, 22 Mar 2004 07:02:42 GMT https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225346#M10800 Ignacio Rodríguez Arrós 2004-03-22T07:02:42Z https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225347#M10801 also open 21 and 20 udp ports<BR />you need to have in your list the open ports first and the deny rule should come after it... Mon, 22 Mar 2004 08:50:24 GMT https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225347#M10801 Alexander Chuzhoy 2004-03-22T08:50:24Z https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225348#M10802 -A INPUT -i eth0 -p tcp -m tcp -- dport 21 -j okay<BR /><BR />-A INPUT -i eth0 -p tcp -m tcp -- dport 20 -j okay<BR /><BR />in /etc/sydconfig/iptables<BR /><BR />if the firewall is not on eth0 adjust that.<BR /><BR />save<BR /><BR />service iptables restart<BR /><BR />SEP Mon, 22 Mar 2004 13:18:19 GMT https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225348#M10802 Steven E. Protter 2004-03-22T13:18:19Z https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225349#M10803 You've not detailed what sort of firewalling you're doing, whether you're NAT/Masquerading your local connections via a single 'net connection etc..<BR /><BR />My guess is that you are.<BR /><BR />You'll also need to insert a few new modules:<BR /><BR />modprobe ip_nat_ftp ip_conntrack_ftp<BR /><BR />With those two, all should be happy. Tue, 23 Mar 2004 01:08:53 GMT https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225349#M10803 Stuart Browne 2004-03-23T01:08:53Z https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225350#M10804 Actually I think it would be beter to use:<BR /><BR /> iptables -A INPUT -p tcp --dport 21 -j ACCEPT<BR /> iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT<BR /><BR />if still no go, include some lines for the OUTPUT chain too:<BR /> iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT<BR /> iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT<BR /><BR />this would use stateful filtering and take care of both active and passive FTP.<BR />Of course, these are just raw rules, you might wish to adjust them depending on your setup, to only allow traffic from certain machines, through certain interfaces, and so on.<BR /> Tue, 23 Mar 2004 01:10:27 GMT https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225350#M10804 Manuel Wolfshant 2004-03-23T01:10:27Z https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225351#M10805 Thanks to all, the problem was that ip_nat_ftp wasn´t load, the 10 points to Stuart Brown Tue, 23 Mar 2004 04:08:00 GMT https://community.hpe.com/t5/operating-system-linux/firewall-and-ftp/m-p/3225351#M10805 Ignacio Rodríguez Arrós 2004-03-23T04:08:00Z