IPCOP + Firewall + FTP Passif

Bonjour,

Malgrès mes différentes recherches sur la toile, je n'arrive pas à configurer mon script Netfilter afin qu'il laisse passer les utilisateurs (du lan vert) qui souhaitent accèder à un serveur ftp (que je n'administre pas) qui est configuré pour se connecter en mode ftp passif.

voici mon une partie script ainsi qu'un état des modules lancés

modprobe ip_conntrack_ftp  
modprobe ip_nat_ftp 


red=eth2
green=eth0
blue=eth1


#Protocoles
http=80,81,8080
https=443
ftp=20,21
ftps=989
pop=110
imap=143,220
imaps=993
smtp=25,2525
time=123,37,119
pxe=67
snmp=161
epmap=135
isakmp=500
ldap=389,636,3268,3269
dns=53
cifs=445,901
kerberos=88
wins=1512,42



# GREEN -> RED
iptables -A CUSTOMFORWARD -i $green -o $red -j DROP
iptables -I CUSTOMFORWARD -i $green -o $red -p tcp -m multiport --dports $http,$https -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p tcp -m multiport --dports $ftp,$ftps -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p udp -m multiport --dports $ftp,$ftps -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p tcp -m multiport --dports $pop,$imap,$imaps,$smtp -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p tcp -m multiport --dports $time -j ACCEPT
iptables -I CUSTOMFORWARD --protocol tcp --destination-port $ftp -j ACCEPT
iptables -I CUSTOMFORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p icmp -j ACCEPT

......

Liste des modules lancés

Module				  Size  Used by	Not tainted
ipt_REDIRECT			 696   1  (autoclean)
ipsec_twofish		  35332   0  (unused)
ipsec_sha2			  7800   0  (unused)
ipsec_sha1			 18488   2
ipsec_serpent		  11076   0  (unused)
ipsec_md5			   4440   0  (unused)
ipsec_cast			 15748   0  (unused)
ipsec_blowfish		  8420   0  (unused)
ipsec_aes			  31624   2
ipsec_3des			 17052   0  (unused)
ipsec				 255300   2  [ipsec_twofish ipsec_sha2 ipsec_sha1 ipsec_serpent ipsec_md5 ipsec_cast ipsec_blowfish ipsec_aes ipsec_3des]
ipt_MASQUERADE		  1272   1  (autoclean)
ipt_multiport			600  12  (autoclean)
ip_nat_ftp			  2448   0  (unused)
ip_conntrack_ftp		3568   1
ipt_mark				 440   2  (autoclean)
ipt_TCPMSS			  2168   1  (autoclean)
ipt_state				504  16  (autoclean)
ipt_REJECT			  2968   1  (autoclean)
ipt_LOG				 3616   9  (autoclean)
ipt_limit				792   9  (autoclean)
iptable_mangle		  2008   1  (autoclean)
iptable_filter		  1612   1  (autoclean)
8139too				13128   3
mii					 2112   0  [8139too]
crc32				   2880   0  [8139too]
ip_nat_quake3		   1800   0  (unused)
ip_conntrack_quake3	 1896   1
ip_nat_proto_gre		1092   0  (unused)
ip_nat_pptp			 2148   0  (unused)
ip_conntrack_pptp	   2601   1
ip_conntrack_proto_gre	1973   0  [ip_nat_pptp ip_conntrack_pptp]
ip_nat_mms			  2672   0  (unused)
ip_conntrack_mms		2832   1
ip_nat_irc			  1968   0  (unused)
ip_conntrack_irc		2768   1
ip_nat_h323			 2372   0  (unused)
ip_conntrack_h323	   2153   1
iptable_nat			15878   8  [ipt_REDIRECT ipt_MASQUERADE ip_nat_ftp ip_nat_quake3 ip_nat_proto_gre ip_nat_pptp ip_nat_mms ip_nat_irc ip_nat_h323]
ip_conntrack		   18928   7  [ipt_REDIRECT ipt_MASQUERADE ip_nat_ftp ip_conntrack_ftp ipt_state ip_nat_quake3 ip_conntrack_quake3 ip_nat_pptp ip_conntrack_pptp ip_conntrack_proto_gre ip_nat_mms ip_conntrack_mms ip_nat_irc ip_conntrack_irc ip_nat_h323 ip_conntrack_h323 iptable_nat]
ip_tables			  10976  14  [ipt_REDIRECT ipt_MASQUERADE ipt_multiport ipt_mark ipt_TCPMSS ipt_state ipt_REJECT ipt_LOG ipt_limit iptable_mangle iptable_filter iptable_nat]
acm					 5120   0  (unused)
keybdev				 1764   0  (unused)
hid					19908   0  (unused)
input				   3104   0  [keybdev hid]
sd_mod				 10284   0  (unused)
usb-storage			24624   0  (unused)
scsi_mod			   52920   1  [sd_mod usb-storage]
usb-uhci			   20528   0  (unused)
usbcore				56236   1  [acm hid usb-storage usb-uhci]
apm					 8644   0