Hi,

I'm experiencing problems with ftp using iptables
From the machine where iptables lives it seems to work when I try to connect to a ftp server on the internet.

But from my local lan it doesn't, from a windows command it gets stuck on when i do a ls or dir

port command successful.considering using pasv
here comes the directory listing

My rules are basic

# All connections go out
iptables -A FORWARD -s $local_net -d $internet -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $internet -d $local_net -m state --state ESTABLISHED -j ACCEPT

# Active mode - port 20
iptables -A FORWARD -p tcp -s $local_net --sport 1024:65535 -d $internet --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $internet --sport 20 -d $local_net --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

And on the nat table i have
iptables -t nat -A POSTROUTING -s $local_net -o eth0 -j SNAT --to $extfw


First question :
Using active mode the data channel is opened by the server, are the data automaticly nated back to my machine using this postrouting rule or should i write a prerouting rule ?
Because the packets on the data channel don't know that they have to come back to my machine (192.168.0.226)

Second q:
Have anybody resolved that problems in another way, i read somewhere that the irc conn_tracking where interfering with the ftp one

Thanx for help

This lines i try in my firewall and it works

#i can make ftp everywhere
iptables -A INPUT -s $ALL -i $EXT_IF -d $EXT_IP -p tcp --sport 20:21 -j ACCEPT

# only $INT_LAN can ftp me
iptables -A INPUT -s $INT_LAN -i $EXT_IF -d $EXT_IP -p tcp --dport 20:21 -j ACCEPT

actually my pb is on the forward chain, input and output are ok.
I don't know if it's the firewall though because, i had pb with my windows workstation (as usual)
thanx anyway