allowing ftp out from a protected LAN

[Vasiliy Boulytchev]

Ladies and Gents,     Would you please point me in the correct direction?  Is this because I need passive ftp connections out?       What would be the syntax?  I'm so used to ipchains..............       Anyone trying to ftp out from the LAN is getting this:   THANK YOU   ftp> cd /pub 250 CWD command successful. ftp> dir 425 Can't build data connection: Connection refused. ftp> cd sentinel 250 CWD command successful. ftp> dir 425 Can't build data connection: Connection refused. ftp> here are my iptables rules:     # Turn port forwarding on for spoof in /proc/sys/net/ipv4/conf/*/rp_filter do         echo 0 > $spoof done echo 1 > /proc/sys/net/ipv4/ip_forward /sbin/modprobe iptable_nat   INTERNALIF="eth0" INTERNALNET="10.0.0.0/24" INTERNALBCAST="10.0.0.255" EXTERNALIF="eth1" MYADDR="wanip" BIRCH="10.0.0.3" PINE="10.0.0.2" FIR="10.0.0.1" IPTABLES="/sbin/iptables"   #Allow dynamic ip echo 1 > /proc/sys/net/ipv4/ip_dynaddr   # Allow all connections on the internal interface# iptables  -A INPUT -i lo -j ACCEPT   #Kill connections to the local interface from the outside world. iptables  -A INPUT -d 127.0.0.0/8 -j REJECT   #Allow unlimited traffic from internal network using legit addresses iptables  -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT     #Kill anything from outside claiming to be from internal network iptables  -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT   ##ICMP #ping don't forward pings going inside iptables  -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT #ping flood protection $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP #Deny icmp to broadcast address $IPTABLES -A INPUT -p icmp -d $INTERNALBCAST -j DROP   #Allow all other icmp $IPTABLES -A INPUT -p icmp -j ACCEPT   ##Allow established connections #Unlike ipchains, we don't have to go through the business of allowing #a local port range- just allow all connections already established.   $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   #Note that unlike ipchains, the following must be enabled even with masquerading #Don't forward SMB related traffic $IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT $IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT $IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT $IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT $IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT $IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT $IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 137 -j REJECT #Allow ALL other forwarding going out $IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT #Allow replies coming in $IPTABLES -A FORWARD -i $EXTERNALIF -m state --state ESTABLISHED,RELATED -j ACCEPT   $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT $IPTABLES -A INPUT -p udp  --dport 20 -j ACCEPT #$IPTABLES -A INPUT -p udp  --dport 21 -j ACCEPT $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT $IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT   $IPTABLES -A INPUT -p tcp  --dport 20 -j ACCEPT $IPTABLES -A INPUT -p tcp  --dport 21 -j ACCEPT   #FIR @coinfotech (exchange) email $IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 25 -j DNAT --to $FIR:25 $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d $FIR --dport 25 -j ACCEPT   #PINE DNAT 1494,1450,3389 $IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 1494 -j DNAT --to $PINE:1494 $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d $PINE --dport 1494 -j ACCEPT   $IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 1450 -j DNAT --to $PINE:1450 $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d $PINE --dport 1450 -j ACCEPT   $IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 3389 -j DNAT --to $PINE:3389 $IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d $PINE --dport 3389 -j ACCEPT   # Masquerade everything out eth0 #iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT iptables -A INPUT -m limit --limit 5/minute -j LOG --log-level 7 --log-prefix "IPTABLES"   Vasiliy Boulytchev Colorado Information Technologies Inc.