Security

Iptables Rule to Allow Incoming FTP

Port 21 is used only to establish the control connection; the FTP server also needs a separate channel to transfer data. So, to make data transfer possible, we must allow port 20 as well (the active-mode data port).

To make sure passive FTP connections are not rejected, first load the FTP connection-tracking helper:

modprobe ip_conntrack_ftp    # on current kernels the module is named nf_conntrack_ftp

Allow FTP connections on port 21, incoming and outgoing:

# iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate ESTABLISHED,NEW -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
# iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"

If listen_port is set to something other than 21, such as 2001, use the following commands instead:

# iptables -A INPUT -p tcp -m tcp --dport 2001 -m conntrack --ctstate ESTABLISHED,NEW -j ACCEPT -m comment --comment "Allow ftp connections on port 2001"
# iptables -A OUTPUT -p tcp -m tcp --dport 2001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 2001"

Then allow FTP port 20 for active-mode data connections, incoming and outgoing:

# iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
# iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"

Finally, allow passive-mode FTP data traffic on the unprivileged port range:

# iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
# iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow passive inbound connections"
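The whole rule set above, wrapped in a shell function so the control port is a parameter and the rules can be reviewed in a dry run before being applied. This is an added example, not part of the original post; it assumes IPT defaults to "echo iptables" (dry run) and adds one rule the post does not have: since Linux 4.7 conntrack helpers are no longer attached automatically, so the ftp helper is bound to the control port in the raw table.

```shell
#!/bin/sh
# Added example (not from the original post). IPT defaults to a dry run that
# prints the rules; run as root with IPT=iptables to apply them.
# Module name is nf_conntrack_ftp on current kernels (ip_conntrack_ftp on old ones).
IPT="${IPT:-echo iptables}"

ftp_rules() {
    ctl="${1:-21}"    # control port: 21 unless listen_port was changed
    c="-m conntrack --ctstate"

    # Kernels >= 4.7 do not auto-assign conntrack helpers; without this binding
    # the data connections are never classified RELATED.
    $IPT -t raw -A PREROUTING -p tcp --dport "$ctl" -j CT --helper ftp

    # control channel, incoming and outgoing
    $IPT -A INPUT  -p tcp -m tcp --dport "$ctl" $c ESTABLISHED,NEW -j ACCEPT \
        -m comment --comment "Allow ftp connections on port $ctl"
    $IPT -A OUTPUT -p tcp -m tcp --dport "$ctl" $c NEW,ESTABLISHED -j ACCEPT \
        -m comment --comment "Allow ftp connections on port $ctl"

    # active-mode data channel (server side uses port 20)
    $IPT -A INPUT  -p tcp -m tcp --dport 20 $c ESTABLISHED,RELATED -j ACCEPT \
        -m comment --comment "Allow ftp connections on port 20"
    $IPT -A OUTPUT -p tcp -m tcp --dport 20 $c ESTABLISHED -j ACCEPT \
        -m comment --comment "Allow ftp connections on port 20"

    # passive-mode data channel on unprivileged ports
    $IPT -A INPUT  -p tcp -m tcp --sport 1024: --dport 1024: $c ESTABLISHED -j ACCEPT \
        -m comment --comment "Allow passive inbound connections"
    $IPT -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: $c ESTABLISHED,RELATED -j ACCEPT \
        -m comment --comment "Allow passive inbound connections"
}

# dry run: print the rule set for the port given on the command line (default 21)
ftp_rules "${1:-21}"
```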

For more on FTP and firewall problems see: http://slacksite.com/other/ftp.html#active
