As read here : http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html modprobe ip_conntrack_ftp would give me the ability to use active ftp if I have (pseudo/simplified code) iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -j DROP but I cant use active ftp, WHAT IS WRONG.. eth0 is the internal interface..