I have a PC on which I have an FTP server installed. I want to set the iptables rules to allow both active and passive FTP. I've tried the following code, which people report is working, but it seems to block all traffic for me (pages won't load anymore, etc.)
#!/bin/bash
IPT=/sbin/iptables
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
# Setting default filter policy
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
# Allow FTP connections @ port 21
$IPT -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow Active FTP Connections
$IPT -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# Allow Passive FTP Connections
$IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT
In Passive Mode, the FTP server waits for the FTP client to send it a port and IP address to connect to. In Active mode, the server assigns a port and the IP address will be the same as the FTP client making the request.
This method of FTP is insecure, as a random unprivileged port is opened on the server. This is a potential security issue, and it isn't advisable to use the passive mode of FTP.
That code ONLY allows incoming and outgoing FTP connections. It doesn't allow anything else in/out.
 $IPT -P INPUT DROP
Drops all incoming traffic. So if you start with that, you'll want to enable traffic into any other services you have running that you'd like to allow in.
 $IPT -A INPUT  -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 $IPT -A OUTPUT -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
This rule would allow incoming FTP traffic.
An explanation of what this script does: it deletes all of your existing iptables chains, then adds rules to allow all outgoing traffic and block all incoming traffic except for FTP.
The arguments for the INPUT and OUTPUT lines need to be flipped in the "# Allow FTP connections @ port 21" section, otherwise new (active) FTP connections will be blocked.
# Allow FTP connections @ port 21
$IPT -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
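Putting the two answers together (drop-by-default INPUT needs loopback, ESTABLISHED/RELATED and your admin port, and the port-21 rule must match --dport on INPUT), here is a corrected script as an added example; it is not code from the question or any answer. It assumes the modern nf_conntrack module names, SSH on port 22, an FTP daemon configured for passive ports 50000-50100, and a kernel new enough to need the explicit CT --helper binding; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the question or any answer: a corrected
# version of the script that keeps INPUT at DROP but still lets the host
# work. Override IPT (e.g. IPT=echo) to print the rules instead of
# applying them. Assumed: modern nf_conntrack module names, SSH on port
# 22, and an FTP daemon configured to use passive ports 50000-50100.
IPT="${IPT:-/sbin/iptables}"
PASV_RANGE="50000:50100"   # assumed; must match the FTP daemon's config
# The FTP helper reads the control channel so that data connections
# (active: server port 20 -> client; passive: client -> server high port)
# are classified RELATED instead of NEW.
load_ftp_helper() {
    /sbin/modprobe nf_conntrack
    /sbin/modprobe nf_conntrack_ftp
}

ftp_rules() {
    "$IPT" -F
    "$IPT" -X
    "$IPT" -t raw -F
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT ACCEPT

    # Kernels since 4.7 do not attach helpers automatically; bind the ftp
    # helper to the control port explicitly in the raw table.
    "$IPT" -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

    # Loopback and replies to anything this host started. The original
    # script had neither, which is why web pages stopped loading.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Control channel: clients connect TO our port 21, so INPUT must match
    # --dport 21 (the question's script matched --sport 21 instead).
    "$IPT" -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # Active data: the server dials out from port 20 (OUTPUT is ACCEPT) and
    # the client's replies come back as ESTABLISHED. Passive data: the
    # helper marks the client's connection RELATED, so it is admitted above
    # without opening the whole 1024: range. This rule is the fallback for
    # when the helper cannot read the control channel (e.g. FTP over TLS).
    "$IPT" -A INPUT -p tcp --dport "$PASV_RANGE" -m conntrack --ctstate NEW -j ACCEPT

    # Keep remote administration reachable before the DROP policy bites.
    "$IPT" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Apply only when run as "script apply", so sourcing or dry-running is safe.
case "${1:-}" in apply) load_ftp_helper && ftp_rules ;; esac
```

Run it as `./ftp-rules.sh apply` as root; with `IPT=echo ./ftp-rules.sh` you can review the exact rule lines first.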