Michal Ludvig
Fri Apr 29 07:08:17 CEST 2005

I've got an FTP server sitting at in the internal network
and am trying to set up the firewall (2.4.29) to allow access to it from

Basically my setup is
1) DNAT one of our static external addresses to the FTP server:
iptables -t nat -A PREROUTING -i pvc0 -d a.b.c.142 \
         -j DNAT --to

2) Allow port 21 & related to FTP server and drop everything else
iptables -A FORWARD -i pvc0 -o internal -j pvc0-internal
iptables -A pvc0-internal -d -m state \
         --state NEW -p tcp --dport 21 -j ACCEPT
iptables -A pvc0-internal -m state --state ESTABLISHED,RELATED \
         -j ACCEPT
iptables -A pvc0-internal -j LOG
iptables -A pvc0-internal -j DROP

3) ip_conntrack_ftp is loaded

Now I can connect from outside to a.b.c.142 and authenticate to the FTP
server. But as soon as a new channel is to be opened (e.g. dir listing
or file download) the connection hangs.

In /proc/net/ip_conntrack there is a correct(?) entry:
EXPECTING: - use=1 proto=6 src=x.y.z.127 dst= \
           sport=0 dport=32985

However the packet from my client (x.y.z.127) is still logged and dropped:
IN=pvc0 OUT=internal SRC=x.y.z.127 DST= LEN=60 TOS=0x00
PREC=0x00 TTL=56 ID=15185 DF PROTO=TCP SPT=1557 DPT=32985 WINDOW=5840

It is really logged and dropped in this chain (added some
--log-prefix'es to verify).

Does anyone have an idea what is wrong with my setup? Why isn't the packet
treated as RELATED and passed through?
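One way to debug this kind of problem is to compare the conntrack expectation tuple against the logged packet field by field, the way the RELATED lookup does (an expectation with sport=0 is a wildcard on the source port). The checker below is an added example, not part of the original post; the sample lines are modelled on the post, with the addresses that are missing from the post replaced by constructed placeholders (10.0.0.5 for the FTP server's internal address, 203.0.113.142 for the external one).

```python
import re

# Constructed sample lines modelled on the post. The addresses the post
# elides are replaced by assumed placeholder values.
EXPECT_LINE = ("EXPECTING: - use=1 proto=6 src=x.y.z.127 dst=10.0.0.5 "
               "sport=0 dport=32985")
LOG_LINE = ("IN=pvc0 OUT=internal SRC=x.y.z.127 DST=10.0.0.5 LEN=60 TOS=0x00 "
            "PREC=0x00 TTL=56 ID=15185 DF PROTO=TCP SPT=1557 DPT=32985 WINDOW=5840")

PROTO_NUM = {"TCP": 6, "UDP": 17}  # LOG prints names, ip_conntrack prints numbers


def parse_kv(line):
    """Return the key=value pairs of a conntrack or netfilter LOG line."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def parse_expectation(line):
    """Tuple of an EXPECTING entry from /proc/net/ip_conntrack."""
    kv = parse_kv(line)
    return {"proto": int(kv["proto"]), "src": kv["src"], "dst": kv["dst"],
            "sport": int(kv["sport"]), "dport": int(kv["dport"])}


def parse_log(line):
    """Tuple of a packet as printed by the iptables LOG target."""
    kv = parse_kv(line)
    return {"proto": PROTO_NUM[kv["PROTO"]], "src": kv["SRC"], "dst": kv["DST"],
            "sport": int(kv["SPT"]), "dport": int(kv["DPT"])}


def mismatches(expect, packet):
    """Names of the fields on which the packet fails the expectation.

    An empty list means conntrack should have classified it as RELATED;
    a non-empty list names the field(s) to look at (e.g. 'dst' when the
    expectation holds one address and the packet is addressed to another).
    """
    bad = [f for f in ("proto", "src", "dst", "dport") if expect[f] != packet[f]]
    if expect["sport"] != 0 and expect["sport"] != packet["sport"]:
        bad.append("sport")
    return bad


def diagnose(expect_line, log_line):
    return mismatches(parse_expectation(expect_line), parse_log(log_line))


if __name__ == "__main__":
    print("mismatching fields:", diagnose(EXPECT_LINE, LOG_LINE))
```

Paste the real EXPECTING entry and LOG line in place of the constructed ones; any field it reports is the one the expectation and the dropped packet disagree on.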

