Hello, Mahdi Rahimi wrote:

> My NAT (PREROUTING) and filter table default policy is DROP.
Bad idea. The nat table is not intended for filtering. Just leave the nat table chains' default policies at ACCEPT, and do the filtering in the filter table chains.
> Hello, I have a problem with our clients' outside FTP access via Debian. My LAN users can't start data transfers to outside FTP servers, but they can establish a connection to port 21 on the outside FTP server. I want my LAN users to use FTP clients in ACTIVE mode. My rules:
>
> *nat
> -A PREROUTING -i $LAN -s 192.168.1.0/26 -p tcp -m multiport --dport 21 -j ACCEPT
As I said above, the nat table is not intended for filtering, and it is a bad idea to filter in the nat table.
> -A POSTROUTING -s 192.168.1.0/26 -d 0/0 -o eth1 -j MASQUERADE
>
> *filter
> -A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> modprobe ip_conntrack_ftp, ip_conntrack, ip_nat_ftp
In order for active FTP transfers to work, you need to:

- accept the control connection (port 21) NEW and ESTABLISHED packets from inside to outside; OK, done in the first FORWARD rule;
- accept the control connection ESTABLISHED packets from outside to inside; OK, done in the second FORWARD rule;
- accept the data connection RELATED and ESTABLISHED packets from outside to inside; KO, not done in either rule;
- accept the data connection (port != 21) ESTABLISHED packets from inside to outside; KO, not done in either rule.
The rule

    -A FORWARD -i $EXT -o $LAN -m state --state ESTABLISHED,RELATED \
       -p tcp -j ACCEPT

alone won't solve the problem, because it accepts only data connection packets from outside to inside; packets from inside to outside are still dropped. So you also need something like

    -A FORWARD -o $EXT -i $LAN -m state --state ESTABLISHED \
       -p tcp -j ACCEPT
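To make the four-step reasoning above concrete, here is a small added Python model (not part of this thread, and not netfilter code) of the FORWARD chain with a DROP policy plus the state tracking ip_conntrack and ip_conntrack_ftp provide. It walks one active-mode session through three rule sets: the original two rules, the original plus the EXT-to-LAN ESTABLISHED,RELATED rule, and the full fix with the LAN-to-EXT ESTABLISHED rule added. Interface names, the client and server addresses, and the data port announced by the PORT command are constructed; the PORT rewriting that ip_nat_ftp does under MASQUERADE is left out, since it does not change which state the data packets get.

```python
"""Toy model of the iptables FORWARD chain plus conntrack for active FTP.
Constructed example, not netfilter code. Interfaces/addresses are assumed."""
import ipaddress
import re
from dataclasses import dataclass

LAN, EXT = "eth0", "eth1"                          # stand-ins for $LAN and $EXT
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"     # constructed addresses


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One '-A FORWARD ... -p tcp -m state --state ... -j ACCEPT' line."""
    in_if: str = None
    out_if: str = None
    src_net: str = None
    sport: int = None
    dport: int = None
    states: frozenset = frozenset()

    def matches(self, p, state):
        return ((self.in_if is None or p.in_if == self.in_if)
                and (self.out_if is None or p.out_if == self.out_if)
                and (self.src_net is None
                     or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net))
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and state in self.states)


class Conntrack:
    """ip_conntrack remembers accepted flows; ip_conntrack_ftp registers the
    data connection a PORT command announces so its first packet is RELATED."""
    def __init__(self):
        self.flows = set()      # (src, sport, dst, dport) of confirmed flows
        self.expected = set()   # (src_ip, dst_ip, dst_port) of announced data connections

    def classify(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "ESTABLISHED"
        if (p.src, p.dst, p.dport) in self.expected:
            return "RELATED"
        return "NEW"

    def confirm(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def see_port_command(self, client_ip, server_ip, line):
        """Parse 'PORT h1,h2,h3,h4,p1,p2' from the control channel; the server
        will connect from port 20 to client port p1*256+p2 (active mode)."""
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
        if not m:
            return None
        port = int(m.group(5)) * 256 + int(m.group(6))
        self.expected.add((server_ip, client_ip, port))
        return port


def forward(rules, ct, p):
    """Evaluate the FORWARD chain (policy DROP): first matching rule wins and
    only an accepted packet confirms its flow in conntrack."""
    state = ct.classify(p)
    for r in rules:
        if r.matches(p, state):
            ct.confirm(p)
            return "ACCEPT"
    return "DROP"


def run_active_ftp(rules):
    """Return the verdict for each step of one active-mode FTP session."""
    ct = Conntrack()
    v = {}
    v["control_out"] = forward(rules, ct, Packet(LAN, EXT, CLIENT, 40000, SERVER, 21))
    v["control_back"] = forward(rules, ct, Packet(EXT, LAN, SERVER, 21, CLIENT, 40000))
    data_port = ct.see_port_command(CLIENT, SERVER, "PORT 192,168,1,10,156,65")  # 40001
    v["data_in"] = forward(rules, ct, Packet(EXT, LAN, SERVER, 20, CLIENT, data_port))
    v["data_out"] = forward(rules, ct, Packet(LAN, EXT, CLIENT, data_port, SERVER, 20))
    return v


# The two rules from the original post.
ORIGINAL = [
    Rule(in_if=LAN, out_if=EXT, src_net="192.168.1.0/26", dport=21,
         states=frozenset({"NEW", "ESTABLISHED", "RELATED"})),
    Rule(in_if=EXT, out_if=LAN, sport=21, states=frozenset({"ESTABLISHED", "RELATED"})),
]
RELATED_IN = Rule(in_if=EXT, out_if=LAN, states=frozenset({"ESTABLISHED", "RELATED"}))
ESTABLISHED_OUT = Rule(in_if=LAN, out_if=EXT, states=frozenset({"ESTABLISHED"}))
PARTIAL_FIX = ORIGINAL + [RELATED_IN]
FULL_FIX = ORIGINAL + [RELATED_IN, ESTABLISHED_OUT]

if __name__ == "__main__":
    for name, rules in ("original", ORIGINAL), ("partial", PARTIAL_FIX), ("full", FULL_FIX):
        print(name, run_active_ftp(rules))
```

With the original rules the server's data SYN (source port 20, not 21) is RELATED but matches nothing and is dropped, which is the symptom in the post; with only the EXT-to-LAN rule added, the SYN gets in but the client's ESTABLISHED reply toward port 20 is dropped on the way out; only the full set lets all four packets through.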