
Re: Public IP's with 1:1 mapping does not map all ports or passive ftp does not work [long]



Hello,

Wojciech Ziniewicz wrote:

I give my customers public IPs with SNAT/DNAT (we call it 1:1) IP
mapping. When a client with LAN IP 10.100.1.123 has public IP
217.17.x.123 he can use all the apps he want (apps that demand a public
IP or a forwarded port), so everything seems to be okay...

No, he can't "use all the apps he want". NAT, and even static 1:1 NAT, breaks some applications which transmit network addresses in the payload to establish dynamic connections. These include FTP, IRC DCC, H.323, SIP (voice over IP), RTSP (video streaming)...

but ...

a) active ftp does not work

FTP is the most common of those applications which can be broken by 1:1 static NAT. You need to "help" the application with a "helper" iptables module. There are usually two modules for a given protocol: for FTP, they are ip_conntrack_ftp (keeps track of FTP connections) and ip_nat_ftp (NATs the FTP data connections and, most importantly, mangles the network addresses in the control connection's payload).
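As an added illustration (not part of the original mail or of netfilter's own code), the Python model below shows what the ip_nat_ftp helper has to do on the control channel: the PORT command the quoted client sends carries its private 10.100.1.123, which the remote server cannot reach, so the helper rewrites it to the mapped public address and records the (address, port) pair the firewall must expect as an inbound data connection. The 1:1 table and the public address are constructed placeholders, since the mail elides the real one as 217.17.x.123.

```python
import re
from ipaddress import ip_address

# Constructed 1:1 (SNAT/DNAT) table. The public address is a PLACEHOLDER:
# the original mail only gives it as 217.17.x.123.
ONE_TO_ONE = {"10.100.1.123": "203.0.113.123"}

# FTP active mode: "PORT h1,h2,h3,h4,p1,p2\r\n" (RFC 959), port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(cmd):
    """Return (ip, port) carried in an FTP PORT command, or None if not one."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    vals = [int(x) for x in m.groups()]
    if not all(0 <= v <= 255 for v in vals):
        return None
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_target_without_helper(cmd):
    """What the remote server would try to connect to if nothing mangles
    the payload: with plain 1:1 NAT that is the client's private address,
    so (ip, port, is_private) shows why active FTP fails."""
    parsed = parse_port(cmd)
    if parsed is None:
        return None
    ip, port = parsed
    return ip, port, ip_address(ip).is_private


def nat_port_command(cmd, nat_table):
    """Model of the ip_nat_ftp job on the control connection: rewrite the
    private address in PORT to its mapped public one and return the
    (public_ip, port) the firewall must expect inbound on the data side."""
    parsed = parse_port(cmd)
    if parsed is None:
        return cmd, None
    ip, port = parsed
    public = nat_table.get(ip)
    if public is None:  # host not in the 1:1 table: leave the command alone
        return cmd, None
    new_cmd = f"PORT {','.join(public.split('.'))},{port // 256},{port % 256}\r\n"
    return new_cmd, (public, port)
```

The same rewriting applies to the 227 "Entering Passive Mode" reply when it is the server that sits behind the 1:1 NAT, which is why passive transfers fail in the other direction without the helper.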


