
Saturday, September 01, 2007

Iptables and FTP problem

Hello,
I have a problem with our clients' outside FTP access via Debian.
My LAN users can't start data transfers to outside FTP servers, but they
can establish a connection to port 21 on the outside FTP server.

I want my LAN users to use FTP clients in ACTIVE mode.
My rules:

***nat
-A PREROUTING -i $LAN -s 192.168.1.0/26 -p tcp -m multiport --dport 21 -j ACCEPT
-A POSTROUTING -s 192.168.1.0/26 -d 0/0 -o eth1 -j MASQUERADE

***filter
-A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT

*************
modprobe ip_conntrack; modprobe ip_conntrack_ftp; modprobe ip_nat_ftp

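A rule set for the gateway described in the post, added here as an example (it is not the poster's own configuration). Interface and network names are placeholders passed as arguments, and the conntrack FTP helper is assumed to be available. The difference from the posted rules is in the return path: the active-mode data connection comes from the server's port 20 to an arbitrary client port, so a rule matching only --sport 21 never sees it; accepting whatever the helper marks RELATED does.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Prints iptables commands
# for letting masqueraded LAN clients use active-mode FTP to outside servers.
# Arguments: LAN interface, external interface, LAN network (all placeholders).

ftp_nat_rules() {
    lan_if="$1"; ext_if="$2"; lan_net="$3"
    cat <<EOF
# Conntrack and NAT helpers: they parse PORT/PASV on the control channel,
# expect the data connection and rewrite the private address in PORT.
modprobe nf_conntrack_ftp || modprobe ip_conntrack_ftp
modprobe nf_nat_ftp || modprobe ip_nat_ftp
# Kernels >= 4.7 no longer attach helpers automatically; assign it explicitly
# to outbound control connections (the CT target needs the raw table).
iptables -t raw -A PREROUTING -s $lan_net -p tcp --dport 21 -j CT --helper ftp
# Masquerade LAN clients leaving through the external interface.
iptables -t nat -A POSTROUTING -s $lan_net -o $ext_if -j MASQUERADE
# Control connection: LAN -> outside FTP servers, port 21, new connections only.
iptables -A FORWARD -i $lan_if -o $ext_if -s $lan_net -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Established traffic and anything the helper classified as RELATED, in both
# directions and without a port restriction: this is what admits the active
# data connection from server port 20 (and a passive one to the server).
iptables -A FORWARD -i $lan_if -o $ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
# Any other new connection from outside into the LAN is dropped.
iptables -A FORWARD -i $ext_if -o $lan_if -m state --state NEW -j DROP
EOF
}

# Usage as root: ftp_nat_rules eth0 eth1 192.168.1.0/26 | sh
```

Review the generated commands before piping them to sh; the FORWARD chain policy and any rules already present on the gateway decide what else is permitted.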
