I actually don't need the DNAT as I have internet-routable IPs in my DMZ .... Thank you for the info. My question now is, will your rule take care of both passive and active FTP? I would prefer to just use active .. but I know many clients would have their own issues .. grr .. stupid ftp ....

Peter.

----- Original Message -----
From: "Rob Sterenborg" <rob@xxxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Thursday, May 27, 2004 1:43 PM
Subject: RE: ftp

> Sorry to post the same question again .... I am at a loss as
> to what to put for rules for my ftp server (which is behind
> the firewall).
> I know they go on the forward chain ....
> There are going to be people connecting to it with a username
> / password and also anonymously from outside ...
>
> My main question I guess is should I set it up for passive or
> active transfers ....
> Or, does the RELATED option take care of those problems

Use ip_conntrack_ftp and ip_nat_ftp. Something like (with information from your previous post):

    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp

    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i eth0 -o eth1 -d <ip_ftpsvr> -p tcp \
        --dport 21 -j ACCEPT
    $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 21 \
        -j DNAT --to-destination <ip_ftpsvr>

Gr,
Rob
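To answer Peter's active-versus-passive question concretely, here is an added example (not code from Rob or from this thread) of a forwarding ruleset for a routable DMZ FTP server, so no DNAT, that relies on the conntrack FTP helper for both transfer modes. It assumes eth0 is the outside and eth1 the DMZ interface, uses the current module and helper names (nf_conntrack_ftp, "-j CT --helper ftp") rather than the 2004 ip_conntrack_ftp/ip_nat_ftp, and lets IPT and MODPROBE be overridden (e.g. IPT=echo) for a dry run.

```shell
#!/bin/sh
# Added example, not from the thread. Forward rules for an FTP server in a DMZ with
# routable addresses. The FTP conntrack helper parses PORT (active) and PASV (passive)
# on the control channel, so the data connection is RELATED in either direction:
# active  = server port 20 -> client high port (DMZ -> outside)
# passive = client -> server high port (outside -> DMZ)
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

ftp_rules() {
    svr="$1"            # DMZ address of the FTP server, supplied by the caller
    ext="${2:-eth0}"    # outside interface (assumption)
    dmz="${3:-eth1}"    # DMZ interface (assumption)

    # Load the helper (modern name; ip_conntrack_ftp on 2.4/2.6-era kernels).
    "$MODPROBE" nf_conntrack_ftp

    # Recent kernels no longer attach the helper automatically, so bind it to the
    # control channel explicitly in the raw table, before conntrack sees the packet.
    "$IPT" -t raw -A PREROUTING -i "$ext" -d "$svr" -p tcp --dport 21 \
        -j CT --helper ftp

    "$IPT" -P FORWARD DROP

    # One direction-agnostic RELATED,ESTABLISHED rule admits the data connection
    # for both active and passive transfers; it must precede the DROP policy.
    "$IPT" -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Only the control channel (port 21, inbound to the server) needs a NEW rule.
    # No rule opens port 20 or the passive port range directly.
    "$IPT" -A FORWARD -i "$ext" -o "$dmz" -d "$svr" -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
}
```

Run `IPT=echo MODPROBE=echo sh -c '. ./ftp-rules.sh; ftp_rules 203.0.113.10'` to review the generated commands before applying them as root.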