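#!/bin/bash
# FIREWALL DE IDS - iptables firewall for a three-legged gateway:
#   eth0 = LAN "ids" (172.16.0.0/16, masqueraded behind the public address)
#   eth1 = public side (the 217.149.0.xx* addresses are redacted placeholders
#          in the post; they must be real addresses for the script to run)
#   eth2 = DMZ (192.168.0.0/24); web/ftp servers are reached through DNAT
#
# Question from the original mailing-list post, kept here for context:
#   "Here is my configuration script. FTP clients from my LAN (the 'ids'
#    chain) cannot retrieve file lists from FTP servers. Can you help me?"
#
# Diagnosis and the fixes applied in this revision:
#   * Only ip_conntrack_ftp was loaded, never ip_nat_ftp.  For a masqueraded
#     client in active mode the PORT command carries the client's private
#     172.16.x.x address; without the NAT helper the server tries to open the
#     data connection to that unroutable address, so the login on port 21
#     works but the listing (data channel) fails.  The same helper is needed
#     for passive FTP to the DNAT'ed DMZ servers, whose PASV reply carries a
#     192.168.0.x address.
#   * No rule used connection-tracking state.  Reply traffic was let through
#     by blanket "--dport 1024:65535 -j ACCEPT" rules, which also allowed any
#     DMZ host to open new connections to any LAN host on an unprivileged
#     port.  Replies and helper-expected flows (FTP data) are now accepted
#     with ESTABLISHED,RELATED and the per-service rules only match the SYN
#     of new connections (the "ojo falta el syn!!!" note in the original).
#   * The "##ftp##" LOG rules were placed after the matching ACCEPT and so
#     never fired; LOG is non-terminating, so they now come first.
#   * "ip address add" is made idempotent so the script can be re-run.
#
# Runtime messages and log prefixes are kept verbatim (Spanish) so existing
# log parsing keeps working; only comments are in English.
#
# NOTE(review): INPUT and OUTPUT are DROP with only loopback accepted, so the
# firewall host itself cannot resolve names or be administered over the
# network.  That is unchanged from the original - confirm it is intended.
set -eu

# --- topology -----------------------------------------------------------
readonly LAN_IDS="172.16.0.0/255.255.0.0"
readonly LAN_DMZ="192.168.0.0/255.255.255.0"
readonly ANYIP="0/0"
readonly IP_LAN="172.16.100.100"   # eth0 address; not used by any rule
readonly IP_PUB="217.149.0.xx0"    # eth1 primary address; not used by any rule
readonly IP_DMZ="192.168.0.1"      # eth2 address; not used by any rule
readonly INT_LAN="eth0"
readonly INT_PUB="eth1"
readonly INT_DMZ="eth2"
readonly UNPRIVPORTS="1024:65535"

# Naming: DMZWEB_<server>_<virtual-ip>; PUBLIC_DMZWEB_* is the alias on
# $INT_PUB that is DNAT'ed to the matching private address.
readonly DMZWEB_0_0="192.168.0.100"
readonly DMZWEB_0_1="192.168.0.101"
readonly DMZWEB_1_0="192.168.0.200"
readonly PUBLIC_DMZWEB_0_0="217.149.0.xx1"
readonly PUBLIC_DMZWEB_0_1="217.149.0.xx2"
readonly PUBLIC_DMZWEB_1_0="217.149.0.xx5"
# Parallel lists: DMZ_PUBLIC[i] is DNAT'ed to DMZ_SERVERS[i].
readonly DMZ_SERVERS=("$DMZWEB_0_0" "$DMZWEB_0_1" "$DMZWEB_1_0")
readonly DMZ_PUBLIC=("$PUBLIC_DMZWEB_0_0" "$PUBLIC_DMZWEB_0_1" "$PUBLIC_DMZWEB_1_0")

readonly DNS1="217.149.0.10"
readonly DNS2="217.149.0.11"

#######################################
# Load the netfilter modules the rule set depends on.
# A module that cannot be loaded is reported but does not abort the script,
# so the rest of the firewall still comes up (and the kernel may have it
# built in).  ip_nat_ftp is the one the original was missing.
#######################################
load_modules() {
  local mod
  for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_nat_ftp iptable_nat; do
    # ip_conntrack_ftp: follows PORT/PASV on the control channel so the data
    #                   channel is RELATED.
    # ip_nat_ftp:       rewrites the address/port inside PORT/PASV for
    #                   masqueraded clients and DNAT'ed servers.
    modprobe "$mod" || printf 'warning: cannot load module %s\n' "$mod" >&2
  done
}

#######################################
# Add the public virtual addresses to $INT_PUB.
# Skips addresses that are already configured so re-running the script
# does not fail with EEXIST.
#######################################
add_public_aliases() {
  local addr
  for addr in "${DMZ_PUBLIC[@]}"; do
    if ! ip -4 address show dev "$INT_PUB" | grep -qF "inet ${addr}/"; then
      ip address add "$addr" dev "$INT_PUB"
    fi
  done
}

#######################################
# Kernel network hardening via /proc/sys, same settings as the original.
#######################################
harden_kernel() {
  local f
  # Routing between the three interfaces.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # Reverse-path filtering: anti-spoofing on every interface.
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
  # TCP SYN cookies against SYN floods.
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  # Do not accept ICMP redirects.
  for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
  # Drop source-routed packets.
  for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > "$f"; done
  # Log spoofed, source-routed and redirect packets ("martians").
  for f in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > "$f"; done
  # Left disabled, as in the original:
  #   echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp   (proxy ARP for the DMZ)
  #   echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp   (proxy ARP for the LAN)
  #   echo 1 > /proc/sys/net/ipv4/ip_always_defrag       (may not exist on this kernel)
  #   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_bogus_error_broadcasts
}

#######################################
# Default-DROP policies, then flush everything.
# Policies are set before the flush so the box is never open while the
# old rule set is being replaced.
#######################################
reset_tables() {
  echo "Configurando políticas por defecto"
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
  iptables -F
  iptables -X
  iptables -Z
  iptables -t nat -F
  iptables -t nat -X
}

#######################################
# Create the user chains and hook them into FORWARD/INPUT/OUTPUT.
# Traffic to or from the DMZ goes to "dmz" (checked first, so DMZ<->LAN
# traffic is judged by the DMZ rules); everything else involving the LAN
# goes to "ids".
#######################################
create_chains() {
  echo "Creando nuevas tablas"
  iptables -N dmz
  iptables -N ids
  iptables -N loopback

  echo "Relacionando nuevas tablas"
  # Replies to accepted connections and helper-expected flows (FTP data
  # channels) for every forwarded direction; this replaces the blanket
  # "--dport 1024:65535" accepts of the original.
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -s "$ANYIP" -d "$LAN_DMZ" -j dmz
  iptables -A FORWARD -s "$LAN_DMZ" -j dmz
  iptables -A FORWARD -s "$LAN_IDS" -d "$ANYIP" -j ids
  iptables -A FORWARD -s "$ANYIP" -d "$LAN_IDS" -j ids

  # Loopback: match the interface rather than 127.0.0.1 only, so all of
  # 127/8 is covered.  The original's LOG after the ACCEPT was unreachable
  # and has been dropped.
  iptables -A INPUT -i lo -j loopback
  iptables -A OUTPUT -o lo -j loopback
  iptables -A loopback -j ACCEPT

  echo "Activando logs"
  # General traffic logs stay disabled, as in the original; enable for debugging:
  #   iptables -A INPUT   -j LOG --log-prefix "##IN## "
  #   iptables -A OUTPUT  -j LOG --log-prefix "##OUT## "
  #   iptables -A FORWARD -j LOG --log-prefix "##FWD## "
}

#######################################
# Source NAT for LAN/DMZ hosts leaving through $INT_PUB and the inbound
# DNAT of each public virtual address to its DMZ server.
# The DNAT forwards every TCP port; the "dmz" filter chain decides which
# ports actually reach the server.
#######################################
setup_nat() {
  echo "Configurando NAT..."
  iptables -t nat -A POSTROUTING -o "$INT_PUB" -j MASQUERADE
  #   iptables -t nat -A POSTROUTING -j LOG --log-prefix "##NATpost##"

  echo "Configurando PNAT ..."
  # Transparent proxy, disabled as in the original:
  #   iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.0.10:80
  local i
  for i in "${!DMZ_SERVERS[@]}"; do
    iptables -t nat -A PREROUTING -p tcp -d "${DMZ_PUBLIC[$i]}" \
      -j DNAT --to-destination "${DMZ_SERVERS[$i]}"
  done
  #   iptables -t nat -A PREROUTING -j LOG --log-prefix "##NATpre##"
}

#######################################
# "ids" chain: what LAN hosts may open towards the outside.
# Only the SYN of a new connection is matched here; replies come back via
# the ESTABLISHED,RELATED rule in FORWARD.
#######################################
lan_rules() {
  echo "Permisos de salida desde ids_lan..."
  local port dns
  # FTP: log first (LOG does not terminate), then accept.  In the original the
  # LOG rules followed the ACCEPT and never fired.
  for port in 20 21; do
    iptables -A ids -p tcp -s "$LAN_IDS" --dport "$port" --syn -m state --state NEW \
      -j LOG --log-prefix "##ftp##"
    iptables -A ids -p tcp -s "$LAN_IDS" --dport "$port" --syn -m state --state NEW \
      -j ACCEPT
  done
  # Same service list as the original.  23 (telnet) and 21 (ftp) are
  # cleartext; 137/tcp is kept as written although NetBIOS name service is
  # normally UDP 137 - confirm which port was meant.
  for port in 23 25 80 110 137 443; do
    iptables -A ids -p tcp -s "$LAN_IDS" --dport "$port" --syn -m state --state NEW \
      -j ACCEPT
  done
  # LAN-initiated connections to unprivileged ports anywhere (passive FTP
  # data, services on alternate ports) were allowed by the original and still
  # are - but only LAN-initiated.  The old "-s 0/0" form also accepted
  # unsolicited SYNs towards the LAN.
  iptables -A ids -p tcp -s "$LAN_IDS" --dport "$UNPRIVPORTS" --syn -m state --state NEW \
    -j ACCEPT
  # All ICMP in both directions, as in the original.
  iptables -A ids -p icmp -j ACCEPT
  # DNS queries to the two authorised resolvers; the replies are ESTABLISHED.
  for dns in "$DNS1" "$DNS2"; do
    iptables -A ids -p udp -s "$LAN_IDS" -d "$dns" --dport 53 -j ACCEPT
  done
  # Everything else is logged and dropped.
  iptables -A ids -j LOG --log-prefix "##DENY ids##"
  iptables -A ids -j DROP
}

#######################################
# "dmz" chain: what may reach the DMZ servers and what they may open.
# DMZ hosts can no longer initiate connections into the LAN (or anywhere
# else) on unprivileged ports; their replies are covered by ESTABLISHED.
# If a DMZ host legitimately needs outbound access to some high port, add
# an explicit NEW rule for it here rather than restoring the blanket accept.
#######################################
dmz_rules() {
  echo "Habilitando acceso a servidores Web DMZ..."
  local srv port dns
  for srv in "${DMZ_SERVERS[@]}"; do
    for port in 20 21 80; do
      iptables -A dmz -p tcp -d "$srv" --dport "$port" --syn -m state --state NEW \
        -j ACCEPT
    done
  done
  # NetBIOS (137) rules towards/from the servers stay disabled, as in the original.
  # Virtual shop (TPV) backend used from the DMZ.
  iptables -A dmz -p tcp -s "$LAN_DMZ" -d 193.24.33.9 --dport 56005 --syn \
    -m state --state NEW -j ACCEPT
  # DNS queries to the authorised resolvers; replies are ESTABLISHED.
  for dns in "$DNS1" "$DNS2"; do
    iptables -A dmz -p udp -s "$LAN_DMZ" -d "$dns" --dport 53 -j ACCEPT
  done
  # Everything else is logged and dropped.
  iptables -A dmz -j LOG --log-prefix "##DENY dmz##"
  iptables -A dmz -j DROP
}

main() {
  echo "***** Ejecutando Firewall... ********************"
  load_modules
  add_public_aliases
  harden_kernel
  reset_tables
  create_chains
  setup_nat
  lan_rules
  dmz_rules
  echo "***** Fin de firewall script ********************"
}

main "$@"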