> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Richard Simon
> Sent: Friday, March 03, 2006 10:48 AM
> To: ludi; netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: Connection not recognized as RELATED
>
> I don't think you looked at my configuration included in the message.
> I have those modules loaded (as you can see from my lsmod output) and I
> have ftp working on port 21 (which you can infer from my DNAT rule).
> I'm just not getting the conntrack to recognize the SYN for the passive
> connection to be RELATED.
>
> Anyone else have a guess?
>
> Richard Simon
> Giant Killer Robots
> 361 Brannan St.
> San Francisco, CA 94107
> (415) 777-2477

I would start by filtering in the filter table. These rules

-A PREROUTING -d 77.77.77.4 -i eth2 -p tcp -m tcp --sport 1024:65535 --dport 21 -j DNAT --to-destination 192.168.4.101:21
-A FORWARD -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT

should be

-A PREROUTING -d 77.77.77.4 -i eth2 -j DNAT --to-destination 192.168.4.101
-A FORWARD -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT

There is no need to filter twice, and conntrack makes unprivileged source port filtering unnecessary. Also, filtering in nat is a bad idea, for reasons that are explained somewhere in the archive, but if memory serves only the first packet in a connection which is matched by a nat rule actually passes through the nat table.

Hope that helps. If not, you can always open up the destination ports for the passive range on your FTP server. Also, if you use FTPS (over SSL) conntrack can't see the PASV port request and won't have a clue what to do, so you have to open those ports anyway.

Derick Anderson
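As an added example (not code from the thread), a small linter for an iptables-save dump that flags the points made in the reply above: port matches placed in the nat table, the redundant --sport 1024:65535 match, and a FORWARD chain with no RELATED,ESTABLISHED accept rule (such a rule is assumed in the corrected set; the thread does not show one). Both rule sets below are constructed from the rules quoted above.

```python
import shlex
# Constructed from the two rules quoted in the thread.
ORIGINAL = """\
*nat
-A PREROUTING -d 77.77.77.4 -i eth2 -p tcp -m tcp --sport 1024:65535 --dport 21 -j DNAT --to-destination 192.168.4.101:21
COMMIT
*filter
-A FORWARD -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT
COMMIT
"""

# Derick's corrected pair plus an assumed RELATED,ESTABLISHED accept rule
# (not shown in the thread) so the helper-expected data connection passes.
CORRECTED = """\
*nat
-A PREROUTING -d 77.77.77.4 -i eth2 -j DNAT --to-destination 192.168.4.101
COMMIT
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.4.101 -i eth2 -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
COMMIT
"""

PORT_MATCHES = {"--sport", "--dport", "--sports", "--dports"}

def lint(dump):
    """Return warnings for an iptables-save dump: port matches in the nat
    table (only a connection's first packet traverses nat, so it is no
    filter), redundant unprivileged source-port matches, and a FORWARD
    chain with no RELATED,ESTABLISHED accept (helper data flows drop)."""
    warnings, table, forward_related = [], None, False
    for lineno, line in enumerate(dump.splitlines(), 1):
        if line.startswith("*"):            # table header, e.g. "*nat"
            table = line[1:].strip()
            continue
        if not line.startswith("-A"):       # skip COMMIT, policies, comments
            continue
        argv = shlex.split(line)
        chain = argv[1]
        if table == "nat" and PORT_MATCHES & set(argv):
            warnings.append(f"line {lineno}: port match in nat/{chain}; filter in the filter table instead")
        if "--sport" in argv and argv[argv.index("--sport") + 1] == "1024:65535":
            warnings.append(f"line {lineno}: --sport 1024:65535 is redundant under conntrack")
        if table == "filter" and chain == "FORWARD" and "--state" in argv and "ACCEPT" in argv:
            states = set(argv[argv.index("--state") + 1].split(","))
            forward_related |= {"RELATED", "ESTABLISHED"} <= states
    if not forward_related:
        warnings.append("filter/FORWARD: no RELATED,ESTABLISHED accept rule; helper-expected data connections will be dropped")
    return warnings
```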