RE: how do i forward ftp from my firewall to an internal server?

Yes - I see what you are saying now.  And indeed, if your FORWARD policy is
set to ACCEPT, your packets should be properly DNATTED with the rules you
list. And you are correct, the FTPD application in use would not be a factor
at all here. You also seem to have all the needed modules you need loaded as
well.  So, how do we fix this?

First a question on your SNAT rule: iptables -t nat -A POSTROUTING -o eth0
-j SNAT --to 213.88.181.68

Is 213.88.181.68 the external IP?  If so, is it the same as the variable
$EXP_IP is set to, and if so why not use $EXP_IP instead?  I would also add
a -s address or network to the rule to assure only the packets you want
SNATTED are SNATTED.  I doubt if this is causing your problem, but these
things need to get cleaned up to help troubleshoot the problem.

Next - run an lsmod after your ruleset is loaded to confirm all the needed
modules have loaded.

Also - I notice you are flushing your NAT table after you have set your
default policies: iptables -t nat -F.  I would move this up and flush before
the policies are set.

Try all this and we shall go from there.

-----Original Message-----
From: Gustav Petersson [mailto:gustav.petersson@xxxxxxxxxxxxxx] 
Sent: Sunday, February 29, 2004 11:15 AM
To: markee@xxxxxxxxxxxxxxx
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: how do i forward ftp from my firewall to an internal server?

Thanks for your reply Mark.
I should have explained better. I know that ftp uses two ports with a
different setup for active and passive mode. That is not the problem. 
Right now I am only DNATing the control port and my INPUT,OUTPUT and FORWARD
chains have a default policy of ACCEPT. The rules I posted are the _only_
rules I have for my firewall. The problem is that when I telnet to my $EXTIP
port 21 I should get a welcome message and be able to send some commands but
from logging all traffic to and from my internal ftp server I can see the
following traffic:
Client->FTP: SYN
FTP->Client: SYN ACK
Client->FTP: ACK
FTP->Client: ACK PSH
FTP->Client: ACK PSH
FTP->Client: ACK PSH
FTP->Client: ACK PSH
Client->FTP: RST

after this short exchange the connection is terminated. If I telnet to
$EXTIP port 80 and do a 'GET /' everything works fine. I have tried proftpd,
in.ftpd, wu-ftpd and they all give the same result so it's not a problem
with the ftp server software.

Gustav Petersson

Mark E. Donaldson wrote:

>The FTP protocol works completely differently than http, particularly 
>in the way connections are negotiated and accepted.  You must also 
>account for both active and passive modes. I'm assuming the rules you 
>have here are for new connections to your FTP server?  What are your 
>FTP rules for the FORWARD chain?
>
>-----Original Message-----
>From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
>[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Gustav 
>Petersson
>Sent: Saturday, February 28, 2004 12:28 AM
>To: netfilter@xxxxxxxxxxxxxxxxxxx
>Subject: how do i forward ftp from my firewall to an internal server?
>
>Like the subject line says.. how do I do it?
>
>I have port http traffic forwarded to the same server but when i use 
>the same rule with only the port(s) changed for ftp traffic my ftp 
>server opens the connection but immediately closes it again. I have 
>tried running both the standard in.ftpd and proftpd. Any help would be
>greatly appreciated.
>
>Gustav Petersson
>
>I am running debian 3.0 with kernel 2.4.24 and I have the following 
>modules
>loaded:
>
>ipt_LOG
>ipt_state
>iptable_filter
>ip_nat_ftp
>ip_conntrack_ftp
>iptable_nat
>ip_conntrack
>ip_tables
>
>Here is my firewall config:
>#!/bin/sh
> 
>EXT_IP=1.2.3.4
>INT_IP=192.168.x.x
>
>modprobe iptable_nat
>modprobe ip_conntrack_ftp
>modprobe ip_nat_ftp
> 
>echo "1" > /proc/sys/net/ipv4/ip_forward
> 
>iptables -P INPUT ACCEPT
>iptables -F INPUT
>iptables -P OUTPUT ACCEPT
>iptables -F OUTPUT
>iptables -P FORWARD ACCEPT
>iptables -F FORWARD
>iptables -t nat -F
>
># NAT
>iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 213.88.181.68
>
># Forward port 80 to internal server
>iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 80 \
>        -j DNAT --to $INT_IP:80
>
># Forward ports 20 and 21 to internal server
>iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 20 \
>        -j DNAT --to $INT_IP:20
>
>iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 21 \
>        -j DNAT --to $INT_IP:21
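Gustav's script reworked along the lines of Mark's suggestions, as an added example that is not from the thread: it flushes before setting policies, uses $EXT_IP instead of a literal address, restricts the SNAT rule with -s, scripts the lsmod check, and (going beyond the thread) sets a default-deny FORWARD policy that relies on ip_conntrack_ftp marking the FTP data connection as RELATED. The interface name, addresses and LAN range are assumed placeholders.

```shell
#!/bin/sh
# Added example, not Gustav's script or Mark's: the posted ruleset reworked
# along Mark's suggestions. Interface, addresses and LAN range are assumed.
EXT_IF=${EXT_IF:-eth0}
EXT_IP=${EXT_IP:-1.2.3.4}            # public address on $EXT_IF (assumed)
INT_IP=${INT_IP:-192.168.1.10}       # internal FTP/HTTP server (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}   # the only sources that get SNATed (assumed)
DRY_RUN=${DRY_RUN:-0}                # 1 = print the rules instead of loading them

# Print the rule in dry-run mode, otherwise hand it to iptables.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}
# Mark's lsmod check, scripted: fail unless both FTP helpers are loaded.
check_ftp_helpers() {
    for m in ip_conntrack_ftp ip_nat_ftp; do
        grep -q "^$m " /proc/modules || return 1
    done
}
# Corrected order: flush everything first, then set policies, then add rules.
load_rules() {
    ipt -t nat -F
    ipt -F INPUT; ipt -F OUTPUT; ipt -F FORWARD
    ipt -P INPUT ACCEPT; ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP   # forward only what the rules below allow

    # SNAT only LAN sources leaving on the external interface, to $EXT_IP.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j SNAT --to "$EXT_IP"

    # DNAT the control port only; with ip_nat_ftp loaded the data connection
    # (active port 20 or a passive port) is translated as RELATED traffic.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 21 \
        -j DNAT --to "$INT_IP:21"
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 80 \
        -j DNAT --to "$INT_IP:80"

    # FORWARD: new control/web connections in, plus anything conntrack
    # (including the FTP helper) marks ESTABLISHED or RELATED, plus LAN out.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -p tcp -d "$INT_IP" --dport 21 \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -p tcp -d "$INT_IP" --dport 80 \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT
}
# Usage: DRY_RUN=1 sh fw.sh apply (print) or sh fw.sh apply (load as root).
if [ "$1" = apply ]; then
    [ "$DRY_RUN" = 1 ] || check_ftp_helpers || { echo "FTP helpers not loaded" >&2; exit 1; }
    load_rules
fi
```

Run it with DRY_RUN=1 first and compare the printed rules against the posted script; the only DNAT needed for FTP is port 21, since the helper takes care of the data channel.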