On Thursday 19 December 2002 02:33 am, Durgaprasada Kalluraya wrote:

> ftp> ls
> 200 PORT command successful.
> 425 Can't build data connection: Connection timed out.
> ftp> bye
>
> But if I try the same thing from outside using a dialup connection all
> works fine for me!!!!

Is your dialup still going through the firewall, or is it direct to the server? Is it passive or active FTP?

Regardless of these, I suspect that the problem is that you need to add:

modprobe ip_conntrack_ftp

so that the "RELATED" state matching and the NAT functions handle both passive and active FTP. The data connection is a separate pair of ports, negotiated by the server and client, but it is embedded in a packet's data instead of its header during negotiation, so netfilter won't normally deal with it. The helper ip_conntrack_ftp exists specifically for this purpose, since it knows to examine the actual packet data of FTP control transactions, looking for this and dealing with it correctly.

> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

This is redundant and will never match a packet, since you accept EST/REL for ANY interface, IP, and port in the rule before it.

> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_FTP_IP --dport ftp -j allowed
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_FTP_IP --dport ftp-data -j allowed

I presume you have a user-defined chain named "allowed"...

j
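The reply above explains that the FTP data connection is negotiated inside the control stream, so a stateful firewall can only mark it RELATED if something reads the PORT command and the 227 (PASV) reply. The following Python is an added illustration of that logic, written for this page; it is not the kernel's ip_conntrack_ftp code and is not from the original thread. The client/server addresses and the control-channel transcript are constructed, and the decision to reject an announced address that is not the peer's own address is a hardening choice made in this example (it blocks FTP bounce-style requests), not a statement about how the kernel helper behaves.

```python
"""Added example: predicting the FTP data connection from the control channel.

A firewall tracking only TCP/21 cannot see the data connection coming,
because its endpoint is carried as text ("h1,h2,h3,h4,p1,p2") inside the
control stream.  This user-space model shows what an FTP conntrack helper
has to do: parse that text and derive the 4-tuple the firewall should
expect as RELATED.  Constructed input only; not the kernel helper's code.
"""
import re
from typing import List, Optional, Tuple

# h1,h2,h3,h4,p1,p2 is the encoding used by both PORT and the 227 reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

Expectation = Tuple[str, Optional[int], str, int]  # (src_ip, src_port, dst_ip, dst_port)


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Extract (ip, port) from an 'h1,h2,h3,h4,p1,p2' field; port = p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expected_data_connection(client_ip: str, server_ip: str, line: str) -> Optional[Expectation]:
    """Return the data connection implied by one control-channel line, or None.

    Active mode : client sends 'PORT ...'; the server then connects from its
                  ftp-data port (20) to the announced client address/port.
    Passive mode: server replies '227 ... (h1,...,p2)'; the client then
                  connects from an ephemeral port (None here) to that address/port.
    Hardening choice in this example: the announced address must be the
    peer's own address, otherwise no expectation is created.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        hp = parse_hostport(line)
        if hp is None or hp[0] != client_ip:
            return None
        return (server_ip, 20, hp[0], hp[1])
    if line.startswith("227"):
        hp = parse_hostport(line)
        if hp is None or hp[0] != server_ip:
            return None
        return (client_ip, None, hp[0], hp[1])
    return None


def walk_transcript(client_ip: str, server_ip: str, lines: List[str]) -> List[Expectation]:
    """Run every control-channel line through the predictor; keep the hits."""
    out = []
    for ln in lines:
        exp = expected_data_connection(client_ip, server_ip, ln)
        if exp is not None:
            out.append(exp)
    return out


# Constructed control-channel transcript (client 10.0.0.5, server 192.168.1.10).
CLIENT_IP = "10.0.0.5"
SERVER_IP = "192.168.1.10"
TRANSCRIPT = [
    "USER anonymous",
    "331 Please specify the password.",
    "PASS guest@",
    "230 Login successful.",
    "PORT 10,0,0,5,4,1",                                  # active: client port 4*256+1 = 1025
    "200 PORT command successful.",
    "LIST",
    "PORT 10,0,0,9,0,25",                                 # bounce attempt toward a third host: ignored
    "PASV",
    "227 Entering Passive Mode (192,168,1,10,195,80).",  # passive: server port 195*256+80 = 50000
]

if __name__ == "__main__":
    for exp in walk_transcript(CLIENT_IP, SERVER_IP, TRANSCRIPT):
        print("expect RELATED:", exp)
```

Without an expectation like the ones this produces, the server's connection from port 20 back to the client (active mode) or the client's connection to the high port (passive mode) is just a NEW connection to the FORWARD chain, which is exactly the "425 Can't build data connection" symptom quoted above. When NAT is in play the helper also has to rewrite the address carried in the 227 reply, which this model does not attempt.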