On Fri, Jul 18, 2003 at 10:34:14AM +0700, Aramico wrote:
aramico> I'm implementing ipchains in my gateway server,
aramico> so, all the thing I've done were masquerading all the clients connection,
aramico> so, port 20,21,22,23,25,110,80,53 (ftp data, ftp, ssh, telnet, mail, http, and dns) are masqueraded.

Normally you don't masquerade individual ports; why did you do that? Just masquerade your internal IP block to your external address:

    ipchains -A forward -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQ

aramico> My clients got no problem using the internet for http, mail access,
aramico> but they get problem on ftp, they could not connect,
aramico> the error was " ftp: connect :Unknown error number"

Active (PORT) FTP doesn't work across NAT without special help. Try using passive (PASV) FTP instead of active FTP (enter "passive" on the ftp command line), or switch to iptables, which can handle NATting FTP:

http://www.linuxchix.org/content/courses/security/connection_tracking

-- 
Charles R. Anderson <cra@wpi.edu> / http://angus.ind.wpi.edu/~cra/
PGP Key ID: 49BB5886
Fingerprint: EBA3 A106 7C93 FA07 8E15 3AC2 C367 A0F9 49BB 5886
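
Added example, not part of the original e-mail and not code from ipchains or iptables: a Python sketch of why active FTP fails behind masquerading. The PORT command carries the client's own address inside the control-channel payload, which plain address translation does not touch. The sample addresses, ports and function names are constructed for illustration, and rewrite_port is a simplified model of the payload rewrite a NAT FTP helper performs.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (six decimal byte values).
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port(line):
    """Return (ip, port) that the client asks the server to connect back to."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("byte value out of range: %r" % line)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def reachable_from_server(line):
    """False if the advertised address is private, i.e. hidden behind MASQ."""
    ip = ipaddress.ip_address(parse_port(line)[0])
    return not any(ip in net for net in RFC1918)


def rewrite_port(line, public_ip, public_port):
    """Simplified model of a NAT FTP helper: swap in the gateway's address."""
    parse_port(line)  # reject anything that is not a well-formed PORT
    if not 0 < public_port < 65536:
        raise ValueError("bad port: %r" % public_port)
    octets = ipaddress.IPv4Address(public_ip).packed
    return "PORT %s,%d,%d\r\n" % (",".join(str(b) for b in octets),
                                  public_port >> 8, public_port & 0xFF)


if __name__ == "__main__":
    # Constructed sample: client 192.168.0.10 listening on port 1045.
    sent = "PORT 192,168,0,10,4,21\r\n"
    print(parse_port(sent), reachable_from_server(sent))
    # 203.0.113.5 is a documentation address standing in for the gateway.
    fixed = rewrite_port(sent, "203.0.113.5", 40000)
    print(repr(fixed), reachable_from_server(fixed))
```

With passive FTP the client opens the data connection outward, so no internal address has to be advertised to the server and masquerading alone is sufficient.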