Hi,
Basically without the passive FTP Mod, the server attempts to connect with a passive tunnel from the local internal system, which the FTP server can't connect back on, as it's not the original address due to the IP NAT.
ps. DCC means direct client-to-client, and refers to a method used in IRC that bypasses the use of channels, providing a direct link between two IRC users' computers. DCC chat is a direct communications link, while DCC send and DCC receive are direct file transfers.
Check this out on what you need to look into for 7.1
/Raz
Taken from:
http://www.boingworld.com/workshops/...-tutorial/#4.1
4.1 Passive FTP but no DCC, extra read for the interested
This is one of the really nice parts about the new iptables support in the 2.4.x kernels: you can, for example, allow passive FTP connections but not allow DCC send functions with the new state matching code. You may ask yourself how; well, it's quite simple once you get to think of it =). Just compile the ip_conntrack_irc and ip_conntrack_ftp modules in the kernel. What these modules do is add support to the conntrack module so it can distinguish a passive FTP connection or a DCC send connection; without these modules it can't recognize these connections. If you, for example, want to allow passive FTP but not DCC send, you would load the ip_conntrack_ftp module, but not the ip_conntrack_irc module, and then do:
/sbin/iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT
to allow passive FTP but not DCC. If you wanted to do the reverse, you'd just load the ip_conntrack_irc module, but not the ip_conntrack_ftp module.
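
Added example, not part of the original post or the quoted tutorial: a simplified Python model of why the RELATED rule above only matches data connections whose helper module is loaded. The class and function names, addresses and sample control-channel lines are constructed for illustration; the real kernel helpers do considerably more (they also track which control connection made the announcement).

```python
import ipaddress
import re

# What each helper looks for on the control channel (simplified).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
DCC_RE = re.compile(r"\x01DCC (?:SEND|CHAT) \S+ (\d+) (\d+)")

def parse_ftp(line):
    """Return (ip, port) announced by an FTP 227 passive reply, else None."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed reply: no expectation is created
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_irc(line):
    """Return (ip, port) announced by a DCC SEND/CHAT request, else None."""
    m = DCC_RE.search(line)
    if not m:
        return None
    addr, port = int(m.group(1)), int(m.group(2))
    if addr > 0xFFFFFFFF or not 0 < port < 65536:
        return None
    return str(ipaddress.IPv4Address(addr)), port

HELPERS = {"ip_conntrack_ftp": parse_ftp, "ip_conntrack_irc": parse_irc}

class Conntrack:
    """Toy connection tracker: only loaded helpers can create expectations."""
    def __init__(self, loaded):
        self.parsers = [HELPERS[name] for name in loaded]
        self.expected = set()

    def control_line(self, line):
        for parse in self.parsers:
            endpoint = parse(line)
            if endpoint:
                self.expected.add(endpoint)

    def state_of_new_connection(self, ip, port):
        if (ip, port) in self.expected:
            self.expected.discard((ip, port))  # modelled as single use
            return "RELATED"  # accepted by the --state RELATED rule
        return "NEW"          # not matched by that rule

def demo(loaded):
    """Feed constructed control traffic, then classify both data connections."""
    ct = Conntrack(loaded)
    ct.control_line("227 Entering Passive Mode (192,0,2,10,195,80)")
    ct.control_line("PRIVMSG bob :\x01DCC SEND file.txt 3221225994 5000 1024\x01")
    return (ct.state_of_new_connection("192.0.2.10", 50000),
            ct.state_of_new_connection("192.0.2.10", 5000))
```

demo(["ip_conntrack_ftp"]) returns the state of the FTP data connection first and the DCC connection second, so only the first is RELATED.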