iptable setup

[cbrenchley]

Hope simeone can hel me on this. I have searched the forum and have not found any info on this exact subjuct. I need to set up optables for ftp to except the local traffic only and one remote op address. This is what I have in my table now.

:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8485:2850257]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s 70.xx.xx.x/24 --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s 10.1.10.0/24 --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jul 24 12:43:45 2007

These are the two lines that I'm working with
A RH-Firewall-1-INPUT -p tcp -s 70.xx.xx.x/24 --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s 10.1.10.0/24 --dport 21 -j ACCEPT


This code does not work, Do I need to place both addresses on the same line?
Seems that it reads the first line and skips the second.
Please if anyone has an Idea, I would like to here it.

[William Haller]

Check http://slacksite.com/other/ftp.html for a description of active and passive FTP. For an active connection, the server is connecting from 20 to a port on the client. You have it set up the other away around. If you want an incoming connection, use passive FTP. It's a bit easier to firewall.

http://www.ncftp.com/ncftpd/doc/misc...firewalls.html is also a good description of all the problems each mode can have with respect to firewalls.