I loaded the MASQUERADE module because I was trying everything I could think of to get this working... I will unload it and check that kernel module and see what happens. As far as the rules I have been applying are concerned, did you see any improvements that can be made? I really am at a loss on this one. I took a look, and the scripts seem pretty close overall; any ideas would be appreciated. Again, thanks!
-Ryan
Message: 13
Date: Tue, 18 May 2004 22:04:56 +0200
From: Bernd Strebel <b.strebel@xxxxxxxxxx>
Organization: digitec GmbH
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: FTP Passive mode Connection Loss - iptables rh9
Some time ago we had similar troubles in a clustered ftp environment.
After replacing MASQUERADE with SNAT for the external interface, most of the problems went away.
Today we can use a simple

    -t nat -A PREROUTING ... -d IP_EXT -j DNAT --to-destination IP_DMZ
    -A FORWARD ... -d IP_DMZ -j ACCEPT

to provide active/passive ftp via a transparent ftp-proxy located in the DMZ to the external world.
The ftp-proxy uses active ftp to connect through an internal firewall to the final destination.
As far as I can see, your rules are ok. But why do you load the MASQUERADE module, if you don't use it? I'm not an expert, but NAT and connection tracking must be a tricky thing for ugly protocols like ftp.
Have you checked ip/port from the PASV command at the client side? Do you get the right (external) address?