Hi, I noticed a strange behaviour on my NAT-Box:
My FORWARD-chain used to look like this:

iptables -P FORWARD DROP

#TCPMSS
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#Forward new and established out and established and related in.
iptables -A FORWARD -o ppp0 -s 192.168.1.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

It worked well, until I decided to be nice and added:

#reject the rest (be nice)
iptables -A FORWARD -j REJECT

That broke passive FTP. I fixed it by changing the broken state rules to the recommended ones from the FAQ:

iptables -A FORWARD -o ppp0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

What I don't understand is why it worked in the first place and why it was broken by the REJECT rule. The DROP policy should basically do the same. If the passive FTP data connection is in the RELATED state only and not in the NEW state, then it should have been dropped by the DROP policy of the FORWARD chain.

regards,
Rolf

System:
Custom kernel: 2.4.18
iptables v1.2.6a
Debian Woody

I will supply additional information about my setup on request, if necessary.
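As an added illustration that is not part of Rolf's post, the model below walks the two FORWARD chains from the post with iptables first-match semantics and reports which rule (or the chain policy) decides a packet. The LAN interface name eth0, the client and server addresses, and the assumption that the FTP helper has classified the first SYN of the passive data connection as RELATED are constructed for the example; it shows where that SYN lands in each chain, not why DROP and REJECT behaved differently.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# A forwarded packet as the FORWARD chain sees it; state is the conntrack state (NEW, ESTABLISHED, RELATED).
Packet = namedtuple("Packet", "in_if out_if src dst state")

@dataclass
class Rule:
    """One FORWARD rule; a None field means the option was not given and matches anything."""
    target: str
    out_if: str = None
    in_if: str = None
    src: str = None
    dst: str = None
    states: tuple = None

    def matches(self, p):
        def in_net(addr, net):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return ((self.out_if is None or p.out_if == self.out_if)
                and (self.in_if is None or p.in_if == self.in_if)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.states is None or p.state in self.states))

def forward(chain, policy, p):
    """First-match traversal: returns the verdict and which rule (or the chain policy) decided it."""
    for i, r in enumerate(chain):
        if r.matches(p):
            return r.target, f"rule {i + 1}"
    return policy, "policy"

LAN = "192.168.1.0/24"
ORIGINAL = [  # Rolf's first chain as posted (the TCPMSS rule is omitted; it mangles but never decides)
    Rule("ACCEPT", out_if="ppp0", src=LAN, states=("NEW", "ESTABLISHED")),
    Rule("ACCEPT", in_if="ppp0", dst=LAN, states=("ESTABLISHED", "RELATED")),
]
FIXED = [  # the FAQ-style replacement from the post
    Rule("ACCEPT", out_if="ppp0", src=LAN, states=("NEW",)),
    Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
]
# Constructed packets. The control SYN is NEW; the first SYN of the passive-FTP data
# connection also goes LAN -> server, but the FTP helper classifies it RELATED.
CTRL_SYN = Packet("eth0", "ppp0", "192.168.1.10", "198.51.100.7", "NEW")
PASV_SYN = Packet("eth0", "ppp0", "192.168.1.10", "198.51.100.7", "RELATED")

if __name__ == "__main__":  # show where each packet is decided under each chain, policy DROP
    for name, chain in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, [forward(chain, "DROP", p) for p in (CTRL_SYN, PASV_SYN)])
```

Appending a catch-all `Rule("REJECT")` to ORIGINAL turns the data SYN's verdict from the DROP policy into that REJECT rule, which is the change the post describes.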
