On Wednesday 11 December 2002 03:05 am, Joel Newkirk wrote:

> This wouldn't work at all. INPUT shouldn't enter into it at all,
> unless the DNAT fails, and OUTPUT only if a packet is required to
> leave the firewall machine itself, i.e. if that is where the connection
> is attempted from or to. Also, for the FTP conntrack helper to work
> you HAVE to allow state RELATED. FTP will open a control connection
> to port 21, then a request for data will (in passive) cause the server
> to attempt to open a connection BACK to the client's port 20, i.e.
> this is RELATED, in a nutshell. The FTP helper is required because
> the control packets will embed IP and port data inside the packet
> itself, rather than its header, and without the helper netfilter will
> only handle the header.

Sorry, I got this slightly wrong. The server will open a connection back to the client FROM its own port 20, to a port specified in the request from the client.

j
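As an added example (not part of the thread), a small sh script that puts the points above into rules: DNAT of port 21 to an internal FTP server, the conntrack helper attached to the control connection, and RELATED accepted in FORWARD rather than INPUT/OUTPUT. Interface names and addresses are placeholders; it prints the commands unless DRY_RUN=0 is set and it is run as root.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names and addresses
# are placeholders; set DRY_RUN=0 to actually apply the rules as root.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: ftp_nat_rules WAN_IF LAN_IF INTERNAL_FTP_SERVER PUBLIC_IP
ftp_nat_rules() {
    wan=$1; lan=$2; srv=$3; pub=$4

    # The helper parses PORT/PASV payloads to learn the data-connection endpoints.
    run modprobe nf_conntrack_ftp

    # Automatic helper assignment is off by default on kernels >= 4.7, so
    # attach the helper to control connections explicitly in the raw table.
    run iptables -t raw -A PREROUTING -i "$wan" -p tcp --dport 21 -j CT --helper ftp

    # DNAT the public address's port 21 to the inside server.
    run iptables -t nat -A PREROUTING -i "$wan" -d "$pub" -p tcp --dport 21 \
        -j DNAT --to-destination "$srv:21"

    # Forwarded traffic traverses FORWARD, not INPUT or OUTPUT.
    run iptables -A FORWARD -i "$wan" -o "$lan" -d "$srv" -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Data connections the helper expects show up as RELATED; restrict that to
    # flows the ftp helper itself created instead of accepting every RELATED
    # packet (ICMP errors would then need a rule of their own).
    run iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
    run iptables -P FORWARD DROP
}

ftp_nat_rules eth0 eth1 192.168.1.10 203.0.113.5
```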