I think I got it, by thinking a bit more clearly and watching my ipchains filter with more logging enabled.

In ftp-proxy.conf the only lines uncommented are:

    DestinationAddress 10.1.1.1
    DestinationPort 21
    Listen 195.49.62.59
    PassiveMinDataPort 41000
    PassiveMaxDataPort 41999

In my ipchains ruleset I have:

    # allow incoming ftp command connections on VIP
    -A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 21 $L
    # data connections in active mode
    -A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} 20 $L
    # allow data connections in passive mode
    -A input -j ACCEPT -i eth1 -p tcp -s ${ALL} $NPORTS -d ${VIP} ${FTP_PORTS} $L

where

    FTP_PORTS="41000:41999"
    NPORTS="1024:65535"
    ALL=0/0
    VIP=195.49.62.59

Now I will have to find out how to configure a second proxy to allow inside clients to connect to outside ftp servers.

            ---------------------------------------
                          |
                          |
      eth1: real address $DEP, virtual address eth1:0 $VIP
            DEP=195.49.62.58  VIP=195.49.62.59
            +---------------------+
            | LVS-NAT director    |  running kernel 2.2.19
            | ipchains firewall   |
            | ftp-proxy           |
            +---------------------+
      eth0: 10.1.1.254  hostname="w0"
                          |
                          |
      switch--------------- other real http servers w2, w3, w4, ...
                          |
                          |
      eth0: 10.1.1.1  hostname="w1"
            +---------------------+
            | http server         |  running kernel 2.4.5
            | ftp server          |
            +---------------------+
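A quick check that the passive port range the ipchains ruleset opens on $VIP is exactly the range ftp-proxy.conf hands out, and no wider (an added Python example, not from the original post or from ftp-proxy; the two config snippets below are constructed copies of the lines quoted above):

```python
import re

# Constructed copy of the uncommented ftp-proxy.conf lines quoted in the post.
FTP_PROXY_CONF = """\
DestinationAddress 10.1.1.1
DestinationPort 21
Listen 195.49.62.59
PassiveMinDataPort 41000
PassiveMaxDataPort 41999
"""

# Constructed copy of the shell variables the ipchains ruleset expands.
RULESET_VARS = 'FTP_PORTS="41000:41999"\nNPORTS="1024:65535"\nALL=0/0\nVIP=195.49.62.59\n'

def parse_conf(text):
    # ftp-proxy.conf: "Key value" per line, '#' lines ignored
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def parse_vars(text):
    # NAME=value or NAME="value" shell assignments
    out = {}
    for line in text.splitlines():
        m = re.match(r'^(\w+)=("?)([^"]*)\2$', line.strip())
        if m:
            out[m.group(1)] = m.group(3)
    return out

def port_range(spec):
    # ipchains "lo:hi" port spec; a bare port means lo == hi
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def check_consistency(conf, var):
    """Mismatches between the proxy config and the firewall variables."""
    problems = []
    if conf["Listen"] != var["VIP"]:
        problems.append("Listen %s != VIP %s" % (conf["Listen"], var["VIP"]))
    fw = port_range(var["FTP_PORTS"])
    proxy = (int(conf["PassiveMinDataPort"]), int(conf["PassiveMaxDataPort"]))
    if fw != proxy:
        problems.append("FTP_PORTS %d:%d != passive range %d:%d" % (fw + proxy))
    return problems
```

An empty list means the firewall admits only the ports the proxy can actually announce in PASV replies; any wider FTP_PORTS range is extra exposure on the director for no benefit.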