Hi Ernesto,
Sorry, it was a typo, _nat is defined as "iptables -t nat -A
POSTROUTING", so that's not the problem.
I was not clear enough, I don't have an ftp server, I just want to
access internet ftp servers from my internal network which is
protected by the firewall. The firewall itself doesn't have any other
running service but iptables.
Sorry, I probably didn't read your mail well enough.
You need some other rule for the data connection then, I assume it
should look like this, but it's a long time ago I needed that for the
last time:
Active mode (server initiates the data connection to the client)
# port negation goes before the option in current iptables: "! --dport"
$_fwd -i $INET_IF -o $INT_IF -p tcp --sport 20 ! --dport 0:1023 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
(which is probably what you've tried, but you used port 21 instead of
20, which is the ftp-data port)
Passive mode (client initiates the data connection)
# in passive mode the server answers PASV with an unprivileged port, so the
# destination is "! 0:1023" rather than port 20
$_fwd -i $INT_IF -o $INET_IF -p tcp ! --sport 0:1023 ! --dport 0:1023 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
(For details about how the connection process for FTP works, just
google for "ftp active passive mode", for example this looked quite
clear to me: http://slacksite.com/other/ftp.html)
I assume the ftp conntrack will automatically handle the nat, but I'm
not 100% sure, so perhaps try to monitor that using tcpdump or wait for
another answer from the list ;-)
Hope it works,
-- Baltasar
Baltasar Cevc
_____ former 03 gmbh
_____ infanteriestraße 19 haus 6 eg
_____ D-80797 muenchen
_____ http://www.former03.de
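The mail above leans on the FTP connection-tracking helper to sort out the data connection and the NAT; the following script is an added example, not Baltasar's or the list's code, showing the complete forwarding setup that relies on that helper instead of hand-written port-20/high-port rules. Interface names, the LAN range and the IPT variable are assumptions; the rules are only applied when run as root with IPT left at its default.

```shell
#!/bin/sh
# Added example (not from the original mail): let clients on an internal
# LAN reach internet FTP servers through a NAT firewall, using the kernel
# FTP conntrack/NAT helpers for the data connection in both modes.
# Interface names and the LAN range are assumptions; adjust to your setup.
INET_IF="${INET_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"

ftp_helper_modules() {
    # nf_conntrack_ftp parses PORT/PASV on the control channel and marks the
    # resulting data connection RELATED; nf_nat_ftp rewrites the address
    # carried inside PORT/PASV so it matches the masqueraded control channel.
    # The ip_* names are the older module names for the same helpers.
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
}

ftp_forward_rules() {
    # Control channel: new connections from the LAN to any server's port 21.
    "$IPT" -A FORWARD -i "$INT_IF" -o "$INET_IF" -s "$LAN" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
    # Data channel, active (server -> client) and passive (client -> server):
    # the helper marks it RELATED, so no port-20 or high-port rule is needed.
    # Replies on the control channel are ESTABLISHED.
    "$IPT" -A FORWARD -i "$INT_IF" -o "$INET_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$INET_IF" -o "$INT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Masquerade LAN traffic leaving on the internet interface; the NAT helper
    # fixes up the addresses inside the FTP commands to match.
    "$IPT" -t nat -A POSTROUTING -o "$INET_IF" -s "$LAN" -j MASQUERADE
}

# Self-check: number of rules a dry run emits (four with the set above).
ftp_rule_count() {
    ( IPT=echo; ftp_forward_rules ) | wc -l | tr -d ' '
}
```

Run `ftp_helper_modules && ftp_forward_rules` as root on the firewall, or `IPT=echo sh -c '. ./ftp-fw.sh; ftp_forward_rules'` to preview the rules first. To confirm the helper is doing its job, `cat /proc/net/nf_conntrack` (or `conntrack -L`) during a transfer should show the data connection with the same source address as the control channel, which is what the tcpdump check suggested in the mail would also reveal.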