Linux - Security (LinuxQuestions.org forum). This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I already have an ftpd running on port 20/21/unpriv on linuxbox1, which is connected directly to the internet.
However, I want to port forward 1574 to another ftpd which is serving FTP on port 1574 within an internal LAN on box2.
If the default FTP ports are 20/21, what ports do I forward instead of 20/21? I know I have to forward 1574, but what other port do I need to forward to make up for port 20? And the unpriv ports?
IIRC the FTP data port is always one below the control connection, like you've shown in your example. This example (as far as I can see) won't cut out $UNPRIVPORTS, as it's first-match-wins in netfilter/iptables, and this one only matches $UNPRIVPORTS ACCEPTs for this address.
/* Kinda IIRC, cuz Raz left so we can't ask him, I still need to convert to netfilter/iptables... */
So if I used 800 as the control connection, then the data transfer port will be 799.
As for unpriv ports, even if I FORWARD unpriv ports, it won't interfere with the INPUT unpriv ports, because it is specifically filtering packets that have their destination as 10.0.0.2.
Originally posted by FunkFlex: So if I used 800 as the control connection, then the data transfer port will be 799.
AFAIK, yes.
Originally posted by FunkFlex: As for unpriv ports, even if I FORWARD unpriv ports, it won't interfere with the INPUT unpriv ports, because it is specifically filtering packets that have their destination as 10.0.0.2.
Guess so, to me it kinda reads like: "lemme FORWARD from TCP WHERE source is UNPRIVPORTS AND destination is 10.0.0.2 1574" :-]
If unsure I always tack on logging rules for *everything* dropped and accepted, so you'll see soon enough what fails where.
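Added example (not code from any poster in this thread): a shell script that builds the netfilter rules for the setup discussed above. It forwards control port 1574 to 10.0.0.2, allows the active-mode data connection that the server opens from port 1573 (control port minus one, as worked out in the thread), and tacks logging onto whatever is still dropped for that host. It goes one step beyond the thread for passive mode: instead of forwarding an unprivileged port range, it loads the FTP conntrack helper for the non-standard port so RELATED data connections are tracked. The interface names eth0/eth1 are assumptions; DRY_RUN=1 (the default) prints the commands instead of applying them, so you can review the rule set before running it as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.
# Builds netfilter rules for the setup under discussion: an FTP server on
# 10.0.0.2 listening on control port 1574 behind linuxbox1, which is on
# the internet. Interface names are assumptions; adjust to the real box.
# DRY_RUN=1 (the default) only prints the commands it would run.

CTRL_PORT=${CTRL_PORT:-1574}
INT_HOST=${INT_HOST:-10.0.0.2}
WAN_IF=${WAN_IF:-eth0}   # assumed internet-facing interface
LAN_IF=${LAN_IF:-eth1}   # assumed LAN interface towards 10.0.0.2
DRY_RUN=${DRY_RUN:-1}

# In active mode the server opens the data connection from control port - 1
# (1573 for control port 1574, as worked out in the thread).
data_port() { echo $(( $1 - 1 )); }

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run iptables "$@"; }

ftp_forward_rules() {
    ctrl=$1; host=$2; data=$(data_port "$ctrl")

    # 1. Control connection: DNAT inbound port $ctrl to the internal server and
    #    allow it through FORWARD. Only packets for $host match, so the INPUT
    #    rules for the local ftpd on 20/21 are untouched.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$ctrl" \
        -j DNAT --to-destination "$host:$ctrl"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$host" --dport "$ctrl" \
        -m state --state NEW,ESTABLISHED -j ACCEPT

    # 2. Active-mode data connection: outbound from $host port $data to the
    #    client's unprivileged port; masquerade it if the LAN is not already.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$host" --sport "$data" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -s "$host" --sport "$data" -j MASQUERADE

    # 3. Passive-mode data connections land on a high port chosen by the server.
    #    Rather than forwarding a whole unprivileged range, let the FTP conntrack
    #    helper follow the PASV reply on the non-standard port and accept the
    #    RELATED connection (on 2.4 kernels the modules were ip_conntrack_ftp and
    #    ip_nat_ftp; newer kernels also need the CT rule to attach the helper).
    run modprobe nf_conntrack_ftp ports=21,"$ctrl"
    run modprobe nf_nat_ftp
    ipt -t raw -A PREROUTING -p tcp --dport "$ctrl" -j CT --helper ftp
    ipt -A FORWARD -d "$host" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 4. Log whatever still falls through for $host, so failures show up in the
    #    kernel log with a recognisable prefix.
    ipt -A FORWARD -d "$host" -m limit --limit 5/min -j LOG --log-prefix "FTPFWD-DROP: "
}

ftp_forward_rules "$CTRL_PORT" "$INT_HOST"
```

The FORWARD rules match on -d 10.0.0.2 (or -s 10.0.0.2 for the outbound data leg), which is the point made in the thread: they cannot collide with the INPUT rules guarding the ftpd on linuxbox1 itself. Watch the kernel log for the FTPFWD-DROP prefix after the first transfer attempt; a drop logged there with a high destination port means the passive data connection was not recognised as RELATED, i.e. the helper is not attached to port 1574.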