How to route FTP via DMZ with iptables?

My Linux firewall has 3 interfaces eth0 to Internet, eth1 to local LAN (192.168.1.0/24) and eth2 to DMZ (192.168.2.0/24)
In the DMZ area I have a FTP server (192.168.2.253). The FTP server in the DMZ and the Linux Firewall (192.168.1.254) has iptables enabled.

FTP is working from the local network (192.168.1.0/24) to the FTP server in DMZ.
I added these lines to iptables on the firewall (192.168.1.254)

# Network 1 forwarded outgoing client request to network 2 (DMZ 1)
iptables -A FORWARD -i eth1 -p tcp -s 192.168.1.0/24 -d 192.168.2.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth1 -p tcp -s 192.168.2.0/24 -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

The FTP server in the DMZ is accepting all incoming requests, active and passive

But connection from the Internet fails just after a successful logon.

I addes these lines to iptables on the firewall (192.168.1.254)

# Network 1 FTP forwarded incoming client request
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d 192.168.254.2 --dport 21 -j DNAT --to 192.168.2.253
iptables -A network2_in -p tcp -s 0/0 --sport 1024:65535 -d 192.168.2.253 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A network2_out -p tcp -s 192.168.2.253 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A network2_in -p tcp -s 0/0 --sport 1024:65535 -d 192.168.2.253 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A network2_out -p tcp -s 192.168.2.253 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

This is what happened when connection to the FTP server in DMZ over the Internet:

H:\>ftp ftp.xxxxx.eu
Verbonden met ftp.xxxxx.eu.
220 Armada Linux FTP server ready
Gebruiker (ftp.xxxxx.eu:(none)): xxxxx
331 Please specify the password.
Wachtwoord:
230 Login successful.
ftp> ls
500 Illegal PORT command.
425 Use PORT or PASV first.
ftp> quote PASV
227 Entering Passive Mode (192,168,254,2,243,17)
ftp> ls
425 Failed to establish connection.
ftp>

The logon is successful but ftp-data exchange fails.

my vsftp.conf file:

# /etc/vsftpd.conf: OpenNA, Inc. (last updated 2007 Jan 09)
#
# LOCAL USERS FTP ACCESS CONFIGURATION BEGING HERE
# ------------------------------------------------
# Please, remove all configurations below, if you don't want to provide
# local users FTP access on your server.

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=002
max_clients=100
max_per_ip=10
listen=YES
xferlog_enable=YES
connect_from_port_20=YES
one_process_model=NO
use_localtime=YES
nopriv_user=ftp
ftpd_banner=Armada Linux FTP server ready
chroot_local_user=YES
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=65535
log_ftp_protocol=YES

Could you shine a light on this?

BobStart Free Trial