IPTABLES

FTP сервер или клиент? Если клиент - стандартно открывается ПРОИЗВОЛЬНЫЙ порт выше 1024. Надо переключать клиента в пассивный режим.

-F OUTPUT
-P OUTPUT DROP
-A OUTPUT -p tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp --dport 21 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT # это если не хочешь по ip лазать :)

-F INPUT
-P INPUT DROP
-A INPUT -p tcp -m state --state ESTABLISHED, RELATED -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT # опять-же для dns


если че забыл - поправьте :)

re: glush

Сделал все как написано.
Непашет, ftp клиент виснет и память сжерается со скоростью ~500 kB/c !!!

А может так?
iptables -A POSTROUTING -t nat -p tcp -o eth0 -j SNAT --to-source $INET-IP

glush:/home/glush# iptables -L -v -n
Chain INPUT (policy DROP 30 packets, 5632 bytes)
pkts bytes target prot opt in out source destination
10 1655 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 302 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 44 packets, 6814 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
14 617 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
5 286 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
glush:/home/glush# ftp ftp.chg.ru
Connected to ftp.chg.ru.
220-
220- Dear user from x.x.x.x
220-
220- Welcome to the ChgNet FTP server
220-
220-
220- All transfers are logged with your host name and email address.
220- If you don't like this policy, disconnect now!
220-
220- Please contact `ftp@chg.ru' with any technical problems
220- you may have accessing this archive.
220-
220- Local Chernogolovka time is Thu Feb 21 13:53:57 2002.
220- You are currently user 166 out of a maximum 180 users in your class.
220-
220 ChgNet FTP server ready.
Name (ftp.chg.ru:glush): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230- Welcome to FTP.Chg.RU - the biggest Russian ftp-archive
230-
230- This computer is PII/400 MHz with 384 MB of RAM and
230- 700 GB of total disk space working under FreeBSD-4.2
230- Total size of FTP archive is about 600 GB
230-
230- NOTE:
230- Our archive is also accessible via WWW: http://ftp.chg.ru/
230- File search is available at http://ftpsearch.chg.ru:8000/ftpsearch
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> exit
221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 1091 bytes in 0 transfers.
221-Thank you for using the FTP service on ftp.chg.ru.
221 Goodbye.
glush:/home/glush#


any questions?

забыл порт указать в конце
--dport 20:21

OK!
Всем сеньку, все пашет как надо.

И еше вопросик: что делает ента хрень
 -A INPUT -p tcp -m state --state ESTABLISHED, RELATED -j ACCEPT ?

state
This module, when combined with connection tracking, allows access to the connection tracking state for this
packet.

--state state
Where state is a comma separated list of the connection states to match. Possible states are INVALID
meaning that the packet is associated with no known connection, ESTABLISHED meaning that the packet
is associated with a connection which has seen packets in both directions, NEW meaning that the
packet has started a new connection, or otherwise associated with a connection which has not seen
packets in both directions, and RELATED meaning that the packet is starting a new connection, but is
associated with an existing connection, such as an FTP data transfer, or an ICMP error.

то-есть: в нашем случае пакеты будут приниматься только от соединений установленных твоей машиной

Все понял, спасибо.

А как заставить iptables выводить по команде iptables -L еще и название интерфейса, тот што -i ... или -о ... ?

-v
млин, когда будем маны читать?