Hi all, I want to run vsftp behind a firewall.(i.e DMZ zone) . It is runnig as passive ftp. the theroy behind passive ftp is , - FTP server's port 21 from anywhere ( Client initiates connection) - FTP server's port 21 to ports > 1024 (Server responds to client's control port) - FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server) - FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port) Then, How can I write DNAT rules. pls assume 1.2.3.4 is the ip of the internert interface. #DNAT from Internet to the box running VSFTP @ 192.168.100.3 iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21 iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3 And also #connect to below ip (actual destination ip) with below ports,due to DNATing iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT R u okay with the above 4 rules ? If WRONG, pls write down your rules. I am going to put this vsftp server in to PRODUCTION USE. Pls also make sure , my firewall has below rules such as DROP, ESTABLISHED,RELATED. iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT YOUR comments. -- Thank you Indunil Jayasooriya -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20071005/2a45de33/attachment-0004.html>