Problem setting up ftp server inside lan (iptables)

Hi,

I am trying to set up my ftp server located inside my lan. It thought
everything has been done, but when I try to access the ftp server from
the outside, it fails.

There's got to be something I'm missing here. Any help would be very
appreciated.

Thanks,

Sam



Here are the rules in iptables:

*********

WAN=$(nvram_get wan_ifname)

IPT=/usr/sbin/iptables

for T in filter nat mangle ; do
$IPT -t $T -F
$IPT -t $T -X
done

$IPT -t filter -A INPUT -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -t filter -A INPUT -p icmp -j ACCEPT
$IPT -t filter -A INPUT -i $WAN -p tcp -j REJECT --reject-with
tcp-reset
$IPT -t filter -A INPUT -i $WAN -j REJECT --reject-with
icmp-port-unreachable
$IPT -t filter -A FORWARD -m state --state INVALID -j DROP
$IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j
ACCEPT
$IPT -t filter -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP

$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE

****

I added the following to redirect port 20 and 21, and 10000-12000
(passive port range)

iptables -t nat -A PREROUTING -p tcp --dport 20 -j DNAT
--to-destination 192.168.1.20:20

iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT
--to-destination 192.168.1.20:21

iptables -t nat -A PREROUTING -p tcp --dport 10000:12000 -j DNAT
--to-destination 192.168.1.20

Sam wrote:
( .. snip .. )
> $IPT -t filter -A FORWARD -m state --state INVALID -j DROP
> $IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j
> ACCEPT

Add these lines here:

$IPT -t filter -A FORWARD -i $WAN -d 192.168.1.20 -p tcp --dport 21 -j
ACCEPT

Line above is needed as the next rule drops all new connections from WAN
to LAN.

> $IPT -t filter -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP