On 06/01/2019 15:37, Stefanie Leisestreichler wrote:
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A forward-handling -m conntrack --ctstate NEW -i br0 -o ens3 -s 192.168.177.0/24 -j ACCEPT # Is there a RELATED missing?
-A forward-handling -m conntrack --ctstate NEW -i ens3 -o br0 -d 192.168.177.22/32 -p tcp -m multiport --dports 20,21 -j ACCEPT
*nat
-A PREROUTING -i ens3 -p tcp --dport 20 -j DNAT --to-destination 192.168.177.22:20
-A PREROUTING -i ens3 -p tcp --dport 21 -j DNAT --to-destination 192.168.177.22:21
In addition to what Adel said, unless "forward-handling" is a
user-defined chain, the correct one is "FORWARD". You also should add a
FORWARD rule allowing RELATED connections.
A while ago I had some problems with FTP NAT and found out that even
following the recommended practices for enabling FTP helpers, it wasn't
working at all after kernel version 4.7. My ruleset (unchanged) only
started working again in 4.13 for some reason.
See my posts here:
https://www.spinics.net/lists/netfilter/msg57478.html
https://serverfault.com/questions/849159/ftp-nat-stopped-working-after-kernel-upgrade/880998#880998
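A small check for the two problems this reply points out, an undeclared chain and a filter table with no FORWARD rule accepting RELATED,ESTABLISHED; this is an added example, not part of the thread. The names lint_ruleset, POSTED_RULES and FIXED_RULES are chosen here, and the COMMIT lines are added so the quoted fragment is a loadable iptables-restore file.

```shell
# Added example, not from the original thread: lint an iptables-restore
# ruleset for the two problems raised in the reply: rules appended to a chain
# that is neither built-in nor declared in that table, and a filter table with
# no FORWARD rule accepting RELATED,ESTABLISHED. Reads stdin, prints one
# finding per line, exits 1 if anything was found.
lint_ruleset() {
    awk '
    /^\*/  { table = substr($0, 2); next }          # "*filter", "*nat"
    /^:/   { sub(/^:/, ""); declared[table ":" $1] = 1; next }
    /^-N / { declared[table ":" $2] = 1; next }
    /^-A / {
        sub(/ *#.*$/, "")                            # drop trailing comment
        chain = $2; key = table ":" chain
        if (chain !~ /^(INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)$/ && !(key in declared)) {
            print "undefined chain \"" chain "\" in table " table ": " $0; found++
        }
        if (table == "filter") {
            saw_filter = 1
            if (chain == "FORWARD" && $0 ~ /--ctstate/ && $0 ~ /RELATED/ &&
                $0 ~ /ESTABLISHED/ && $0 ~ /-j ACCEPT/) related_ok = 1
        }
    }
    END {
        if (saw_filter && !related_ok) {
            print "filter table has no FORWARD rule accepting RELATED,ESTABLISHED"; found++
        }
        exit (found ? 1 : 0)
    }'
}

# Ruleset as quoted in the thread (COMMIT lines added so iptables-restore could load it).
POSTED_RULES='*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A forward-handling -m conntrack --ctstate NEW -i br0 -o ens3 -s 192.168.177.0/24 -j ACCEPT # Is there a RELATED missing?
-A forward-handling -m conntrack --ctstate NEW -i ens3 -o br0 -d 192.168.177.22/32 -p tcp -m multiport --dports 20,21 -j ACCEPT
COMMIT
*nat
-A PREROUTING -i ens3 -p tcp --dport 20 -j DNAT --to-destination 192.168.177.22:20
-A PREROUTING -i ens3 -p tcp --dport 21 -j DNAT --to-destination 192.168.177.22:21
COMMIT'
# Same ruleset with the reply applied: FORWARD instead of the undeclared chain,
# plus a RELATED,ESTABLISHED accept in FORWARD (nat table unchanged, omitted here).
FIXED_RULES='*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate NEW -i br0 -o ens3 -s 192.168.177.0/24 -j ACCEPT
-A FORWARD -m conntrack --ctstate NEW -i ens3 -o br0 -d 192.168.177.22/32 -p tcp -m multiport --dports 20,21 -j ACCEPT
COMMIT'
# Demo: prints the findings for the posted ruleset (three lines) and exits non-zero.
printf '%s\n' "$POSTED_RULES" | lint_ruleset || :
```

Run the fixed ruleset through the same function (`printf '%s\n' "$FIXED_RULES" | lint_ruleset`) and it prints nothing and exits 0.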