[Sysadmins] iptables и ftp --- фича или баг?

Kharitonov A. Dmitry =?iso-8859-1?q?kharpost_=CE=C1_rambler=2Eru?=
Ср Ноя 19 22:47:37 MSK 2008 

[user на SERVER ~]$ sudo lsmod | egrep "ftp|ipt"
ipt_MASQUERADE          7808  1
ipt_REJECT              9472  705
iptable_mangle          7040  0
iptable_nat            11652  1
iptable_filter          7168  1
ip_tables              17604  3 iptable_mangle,iptable_nat,iptable_filter
ipt_REDIRECT            6272  0
ipt_LOG                10496  0
x_tables               18180  8 
xt_state,xt_tcpudp,ipt_MASQUERADE,ipt_REJECT,iptable_nat,ip_tables,ipt_REDIRECT,ipt_LOG
ip_nat_ftp              7680  0
ip_nat                 22060  4 
ipt_MASQUERADE,iptable_nat,ipt_REDIRECT,ip_nat_ftp
ip_conntrack_ftp       12016  1 ip_nat_ftp
ip_conntrack           56800  6 
xt_state,ipt_MASQUERADE,iptable_nat,ip_nat_ftp,ip_nat,ip_conntrack_ftp

делаю
-A INPUT -i wan -p tcp -m tcp --sport 20 ! --tcp-flags FIN,SYN,RST,ACK 
SYN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p tcp -m tcp --sport 21 ! --tcp-flags FIN,SYN,RST,ACK 
SYN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o wan -p tcp -m tcp --dport 20 -m state --state 
NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o wan -p tcp -m tcp --dport 21 -m state --state 
NEW,RELATED,ESTABLISHED -j ACCEPT

запускаю firefox
ERROR
The requested URL could not be retrieved

An FTP protocol error occurred while trying to retrieve the URL: 
ftp://ftp.altlinux.org/pub/distributions/ 
<ftp://ftp.altlinux.org/pub/distributions/OpenMusic/>

Squid sent the following FTP command:*
*NLST
**and then received this reply*
*Use PORT or PASV first.
Your cache administrator is webmaster <mailto:webmaster>.
Generated Wed, 19 Nov 2008 23:35:09 GMT by server.dimahost 
(squid/2.6.STABLE13)

делаю
-A INPUT -i wan -p tcp -m tcp --sport 20 ! --tcp-flags FIN,SYN,RST,ACK 
SYN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p tcp -m tcp --sport 21 ! --tcp-flags FIN,SYN,RST,ACK 
SYN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p tcp -m tcp --sport 1024:65535 ! --tcp-flags 
FIN,SYN,RST,ACK SYN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o wan -p tcp -m tcp --dport 20 -m state --state 
NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o wan -p tcp -m tcp --dport 21 -m state --state 
NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o wan -p tcp -m tcp --dport 1024:65535 -m state --state 
NEW,RELATED,ESTABLISHED -j ACCEPT

запускаю firefox
Всё нормально.

Я, так понимаю, не работают
ip_nat_ftp              7680  0
ip_conntrack_ftp       12016  1 ip_nat_ftp


Кто мне разъеснит: это фича или баг?

Подробная информация о списке рассылки Sysadmins