Thanks, Phil.

But I think port 20 is in the RELATED state and no connection needs to be established. The ip_conntrack_ftp module must correct this problem. I also read previous posts on this mailing list, but can't solve the problem.

My Debian server wants to connect to other FTP servers (OUTSIDE) only in PASSIVE mode, only and only!!!!!!!! When I forward the client's sport 1024:65535 to the server's dport 1024:65535 the problem was solved, but I can't open these ports and forward them. I want only Active mode (Standard mode).

My NAT (PREROUTING) and Filter table default policy is DROP.

thanx

On Sat, September 1, 2007 19:42, Phil Dyer wrote:
> you need to allow port 20 for the data connection.
>
> phil
>
>
> On 9/1/2007 4:52 AM, Mahdi Rahimi wrote:
>
>> Hello, I have a problem with our clients' outside FTP access via Debian.
>> My LAN users can't start data transfer to outside FTP servers, but they
>> can establish a connection to port 21 on the outside FTP server.
>>
>> I want my LAN users to use FTP clients in ACTIVE mode.
>> My rules:
>>
>> ***nat
>> -A PREROUTING -i $LAN -s 192.168.1.0/26 -p tcp -m multiport --dport 21 -j ACCEPT
>> -A POSTROUTING -s 192.168.1.0/26 -d 0/0 -o eth1 -j MASQUERADE
>>
>>
>> ***filter
>> -A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>> -A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>
>> *************
>> modprobe ip_conntrack_ftp , ip_conntrack, ip_nat_ftp
>>
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
>
>

-------------------------
rahimi{at}eaedu.net
rahimi_m{at}cse.shirazu.ac.ir
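Added example, not part of the thread: a small Python model of first-match evaluation in the FORWARD chain, run over a constructed active-mode FTP session, comparing the two FORWARD rules quoted in the original post with a variant whose ESTABLISHED,RELATED rule carries no port match. The client ports (40000, 40001), the conntrack state assigned to each packet, and the variant ruleset are assumptions for illustration; the nat table and its DROP policy are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    desc: str
    iif: str    # ingress interface: "LAN" or "EXT"
    sport: int
    dport: int
    state: str  # conntrack state (assumed; RELATED needs the FTP helper loaded)

@dataclass(frozen=True)
class Rule:  # an ACCEPT rule; None means "no match on this field"
    states: frozenset
    iif: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

# Constructed active-mode session as FORWARD sees it; ports 40000/40001 are made up.
SESSION = [
    Pkt("control SYN", "LAN", 40000, 21, "NEW"),
    Pkt("control SYN-ACK", "EXT", 21, 40000, "ESTABLISHED"),
    Pkt("PORT command", "LAN", 40000, 21, "ESTABLISHED"),
    Pkt("data SYN from server", "EXT", 20, 40001, "RELATED"),
    Pkt("data SYN-ACK from client", "LAN", 40001, 20, "ESTABLISHED"),
    Pkt("data payload", "EXT", 20, 40001, "ESTABLISHED"),
]

S = frozenset
# The two FORWARD rules from the original post: both carry a port-21 match.
POSTED = [Rule(S({"NEW", "ESTABLISHED", "RELATED"}), iif="LAN", dport=21),
          Rule(S({"ESTABLISHED", "RELATED"}), iif="EXT", sport=21)]
# Assumed variant: NEW only towards port 21, then
#   -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   (no port match)
STATEFUL = [Rule(S({"NEW", "ESTABLISHED"}), iif="LAN", dport=21),
            Rule(S({"ESTABLISHED", "RELATED"}))]

def verdict(rules, pkt, policy="DROP"):
    """First matching rule accepts; otherwise the chain policy applies."""
    for r in rules:
        if (pkt.state in r.states and r.iif in (None, pkt.iif)
                and r.sport in (None, pkt.sport) and r.dport in (None, pkt.dport)):
            return "ACCEPT"
    return policy

def run(rules):
    return [verdict(rules, p) for p in SESSION]

if __name__ == "__main__":
    for p, a, b in zip(SESSION, run(POSTED), run(STATEFUL)):
        print(f"{p.desc:26} posted={a:6} stateful={b}")
```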