The FTP connection tracker in the Linux kernel can take care of active FTP sessions.

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Robert Becskei
Sent: Tuesday, May 17, 2005 12:27 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Active and Passive FTP

Hello everyone,

my clients access the internet like this:

    client --- proxy server --- eth0 firewall eth1 ---- internet

In squid.conf I told squid to always_direct allow ftp...

In iptables I did the following modifications...

    iptables -A INPUT  -i eth1 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT  -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT  -i eth1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth1 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth1 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

Passive FTP works... but I cannot get active to work. I always get a

    200: SWITCHING TO ASCII MODE
    500: ILLEGAL PORT COMMAND
    500: Unknown COMMAND

What did I mess up? Is there a way to get active working as well... are the above rules correct?

eth1 is my outside interface... the proxy server connects to eth0 directly.

Sincerely
Robert B
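How the tracker knows which data connection to expect, as an added example that is not part of the original thread: the helper reads the PORT command (or the 227 PASV reply) on the control connection and derives the address and port of the coming data connection, so the firewall can accept exactly that connection as RELATED instead of opening the whole 1024:65535 range in both directions. The client and server addresses, the control-channel transcript and the function names below are constructed for this example; they are not from the post.

```python
"""Decode FTP PORT commands and PASV replies (RFC 959) to derive the data
connection a stateful firewall should expect, the way the kernel's FTP
conntrack helper does. All sample values are constructed for this example."""
import re

# h1,h2,h3,h4,p1,p2 : four address octets, then the port encoded as p1*256 + p2
HOSTPORT = r"(\d{1,3}(?:,\d{1,3}){5})"
PORT_CMD = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_REPLY = re.compile(r"^227\b.*?\(" + HOSTPORT + r"\)")


def decode_hostport(field):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', port); reject malformed input."""
    parts = [int(p) for p in field.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host-port field: %r" % field)
    port = parts[4] * 256 + parts[5]
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return ".".join(str(p) for p in parts[:4]), port


def expect_active(line, client_ip, server_ip):
    """Active mode: the client announces where it listens and the server opens
    the data connection to it. Returns the expected flow, or None if the line
    is not a PORT command."""
    m = PORT_CMD.match(line.strip())
    if not m:
        return None
    addr, port = decode_hostport(m.group(1))
    return {
        "mode": "active",
        "src": server_ip,  # the server initiates the inbound data connection
        "dst": addr,
        "dport": port,
        # A PORT address that differs from the control connection's peer (for
        # instance a private address announced from behind NAT) is the case the
        # helper has to rewrite; some servers refuse such a PORT outright.
        "addr_matches_client": addr == client_ip,
    }


def expect_passive(line, client_ip, server_ip):
    """Passive mode: the server announces a listening port; the client connects."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        return None
    addr, port = decode_hostport(m.group(1))
    return {
        "mode": "passive",
        "src": client_ip,
        "dst": addr,
        "dport": port,
        "addr_matches_server": addr == server_ip,
    }


def expectations(control_lines, client_ip, server_ip):
    """Walk a control-channel transcript and collect every data connection a
    stateful firewall would mark RELATED; everything else stays closed."""
    found = []
    for line in control_lines:
        exp = expect_active(line, client_ip, server_ip) or expect_passive(line, client_ip, server_ip)
        if exp:
            found.append(exp)
    return found


# Constructed transcript: client 10.0.0.5 behind the firewall talks to 203.0.113.7.
SAMPLE_CONTROL = [
    "USER anonymous",
    "PORT 10,0,0,5,200,17",                            # active: client listens on 51217
    "200 PORT command successful",
    "227 Entering Passive Mode (203,0,113,7,195,80)",  # passive: server listens on 50000
]

if __name__ == "__main__":
    for exp in expectations(SAMPLE_CONTROL, "10.0.0.5", "203.0.113.7"):
        print(exp)
```

On a 2.6 kernel of that era the helper is the ip_conntrack_ftp module (nf_conntrack_ftp on later kernels); with it loaded, the server's connection from port 20 to the announced client port matches `--state RELATED` on its own, which is what lets the broad 1024:65535 accept rules in the post be dropped. The `addr_matches_client` flag marks the situation the example is built to show: a PORT command announcing an address that is not the address the server sees on the control connection.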