On 10/5/07, Feizhou <feizhou at graffiti.net> wrote:

> > > Do you have ip_nat_ftp loaded too?
> >
> > YES, both ip_conntrack_ftp and ip_nat_ftp.
> > pls see below
> >
> > #Enable tracking mechanism
> > /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
>
> Hmm, I think the NEW for port 1024: is not necessary in FORWARD then.
> The nat_ftp should handle it and thus make it ESTABLISHED,RELATED and
> the ESTABLISHED,RELATED rule should therefore be sufficient.

That means I do not need the below rule in the FORWARD chain.

iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT

So the below 3 rules will be enough.

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT

--
Thank you
Indunil Jayasooriya
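To make the mechanism behind Feizhou's remark concrete (the FTP helper watches the control channel, sees the server's "227 Entering Passive Mode" reply, rewrites the private address to the public one, and registers an expectation so the client's later data-connection SYN is classified RELATED instead of NEW), here is an added Python model of that logic. It is example code written for this page, not code from the post and not netfilter's implementation. The server address 192.168.100.3 and public address 1.2.3.4 are the post's; the client address 203.0.113.7, the `Expectation` class, the `loose` flag and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Regex for an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Expectation:
    """One expected data connection: who may connect, to what, and where NAT sends it."""
    client_ip: str
    public_ip: str   # address the client will actually connect to (after rewrite)
    port: int
    server_ip: str   # internal server the data connection is DNATed to


def parse_pasv(reply: str):
    """Return (advertised_ip, port) from a 227 reply, or None if it is not one.
    The port is encoded as p1*256 + p2 in the reply."""
    m = PASV_RE.search(reply)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = m.groups()
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def rewrite_pasv(reply: str, public_ip: str) -> str:
    """What the NAT side of the helper does to the reply on its way to the
    client: swap the server's private address for the public one."""
    return PASV_RE.sub(
        lambda m: m.group(0).replace(",".join(m.groups()[:4]),
                                     public_ip.replace(".", ","), 1),
        reply,
    )


def helper_on_server_reply(table, client_ip, server_ip, public_ip, reply, loose=False):
    """Model of the conntrack helper seeing one server->client control-channel
    reply. On a 227 reply it registers an expectation for the coming data
    connection and returns the reply as the client should see it."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply                      # not a PASV reply: nothing to do
    adv_ip, port = parsed
    # Mirrors the helper's default (non-"loose") behaviour: only trust an
    # advertised address that matches the server end of the control connection.
    if adv_ip != server_ip and not loose:
        return reply
    table.append(Expectation(client_ip, public_ip, port, server_ip))
    return rewrite_pasv(reply, public_ip)


def classify_syn(table, src_ip, dst_ip, dst_port):
    """Connection-tracking state a new SYN receives. A matching expectation is
    consumed (they are one-shot) and yields RELATED plus the DNAT target;
    anything else is an ordinary NEW connection."""
    for exp in table:
        if (exp.client_ip, exp.public_ip, exp.port) == (src_ip, dst_ip, dst_port):
            table.remove(exp)
            return "RELATED", exp.server_ip
    return "NEW", None


def demo():
    """Constructed trace: test client 203.0.113.7 talks to the post's server
    192.168.100.3, which sits behind public address 1.2.3.4."""
    table = []
    seen_by_client = helper_on_server_reply(
        table, "203.0.113.7", "192.168.100.3", "1.2.3.4",
        "227 Entering Passive Mode (192,168,100,3,4,1)")
    data_syn = classify_syn(table, "203.0.113.7", "1.2.3.4", 1025)   # announced port
    other_syn = classify_syn(table, "203.0.113.7", "1.2.3.4", 2000)  # not announced
    return seen_by_client, data_syn, other_syn


if __name__ == "__main__":
    print(demo())
```

What the model makes visible is how narrow the helper's expectation is: one client, one announced port, consumed on first use, and (in the default mode) only for an address matching the server end of the control channel. That is what the ESTABLISHED,RELATED match in FORWARD is relying on, and it is far narrower than a rule accepting NEW connections to the whole 1024: range, which is why the explicit NEW rule becomes redundant once the helper modules are loaded.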