Linux Bash: Setting iptables rules to allow both active and passive FTP
That code ONLY allows incoming and outgoing FTP connections. It doesn't allow anything else in/out.
$IPT -P INPUT DROP
Drops all incoming traffic. So if you start with that, you'll want to enable traffic into any other services you have running that you'd like to allow in.
$IPT -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
These rules would allow incoming FTP traffic.
An explanation of what this script does: it deletes all of your existing iptables chains, then adds rules to allow all outgoing traffic and block all incoming traffic except for FTP.
Appropriate iptables rules for an FTP server in active / passive mode
In order to allow FTP you need the following rules on the server:
Allow control connections initiated by the client to port 21, as follows:
iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
iptables -A OUTPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
For active mode, allow data connections initiated by the server from port 20, as follows:
iptables -A OUTPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
For passive mode, allow data connections initiated by the client on unprivileged ports:
iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
The ordinary conntrack modules should correctly track when a RELATED data connection is established in active mode; however, you might need to load the nf_conntrack_ftp module for correctly tracking when such connections are established in passive mode:
- Check if it's loaded with lsmod | grep nf_conntrack_ftp.
- Load it with modprobe nf_conntrack_ftp.
Alternatively, you may replace the RELATED state with the NEW state, which is less secure, but would definitely get the job done.
This link supplies a concise summary of the rationale for the above rules.
FTP issue with iptables
First of all, the order of the rules is important. Since you have specified the REJECT rule before the FTP ACCEPT rules, FTP packets are rejected by that rule before reaching the relevant rules and having any chance of getting accepted.
Secondly, the link you've mentioned in your question discusses the rules required by the server, and not by the client. The appropriate rules for the client are opposite.
Since the default policy of the OUTPUT chain is ACCEPT, and you have allowed packets of ESTABLISHED or RELATED connections into your machine, passive-mode FTP should already be supported by your rule set.
In order to support active-mode FTP as well, you need to allow incoming TCP connections originating from the server at port 20, as follows:
iptables -A INPUT -p tcp --sport 20 -j ACCEPT
This link supplies a concise summary of the rationale for the above rules.
Since in active-mode FTP the data connection's hosts and ports can be reliably and easily determined from the control connection's hosts and ports, I think that loading the nf_conntrack_ftp module would render the ad-hoc rule for allowing incoming TCP connections originating from the server at port 20 redundant. I haven't checked this, but loading the module with modprobe nf_conntrack_ftp might suffice because incoming RELATED and ESTABLISHED traffic is allowed. This approach would be preferable since it's a bit more secure.
200 PORT command successful. Consider using PASV. 425 Failed to establish connection
Try using the passive command before using ls.
From the FTP client, to check if the FTP server supports passive mode, after login, type quote PASV.
Following are connection examples to a vsftpd server with passive mode off and on.
vsftpd with pasv_enable=NO:
# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.3.5)
Name (localhost:john): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote PASV
550 Permission denied.
ftp>
vsftpd with pasv_enable=YES:
# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.3.5)
Name (localhost:john): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote PASV
227 Entering Passive Mode (127,0,0,1,173,104).
ftp>
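As an added example (not code from any of the answers above), the following POSIX sh function decodes the 227 reply shown in the pasv_enable=YES transcript into the HOST:PORT the client would connect to, and checks that endpoint against what the passive-mode firewall rules earlier on this page permit (the default range 1024-65535 mirrors their --dport 1024: match) and against the host the control connection was made to. The function name, exit codes and default range are this example's own choices; pass the server's pasv_min_port/pasv_max_port values as MIN/MAX when vsftpd is configured with a narrower passive range.

```shell
#!/bin/sh
# pasv_endpoint REPLY [CONTROL_HOST] [MIN_PORT] [MAX_PORT]
# Decodes "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." into HOST:PORT
# (port = p1*256 + p2) and prints it. Before printing, it refuses a reply whose
# host differs from CONTROL_HOST (when given) or whose port lies outside the
# range the passive firewall rules accept (default 1024-65535, i.e. --dport 1024:).
# Exit status: 0 ok, 1 malformed reply, 2 host mismatch, 3 port out of range.
pasv_endpoint() {
    reply=$1
    control_host=${2:-}
    min_port=${3:-1024}
    max_port=${4:-65535}
    case $reply in
        227*\(*\)*) ;;
        *) echo "pasv: not a 227 reply: $reply" >&2; return 1 ;;
    esac
    # Keep only the six comma-separated numbers between the parentheses.
    fields=${reply#*\(}
    fields=${fields%%\)*}
    old_ifs=$IFS
    IFS=,
    set -- $fields
    IFS=$old_ifs
    [ $# -eq 6 ] || { echo "pasv: expected 6 fields, got $#" >&2; return 1; }
    for n in "$@"; do
        case $n in
            ''|*[!0-9]*) echo "pasv: non-numeric field '$n'" >&2; return 1 ;;
        esac
        [ "$n" -le 255 ] || { echo "pasv: field $n exceeds 255" >&2; return 1; }
    done
    host="$1.$2.$3.$4"
    port=$(( $5 * 256 + $6 ))
    if [ -n "$control_host" ] && [ "$host" != "$control_host" ]; then
        echo "pasv: server advertised $host but control connection is to $control_host" >&2
        return 2
    fi
    if [ "$port" -lt "$min_port" ] || [ "$port" -gt "$max_port" ]; then
        echo "pasv: data port $port outside allowed range $min_port-$max_port" >&2
        return 3
    fi
    printf '%s:%s\n' "$host" "$port"
}
```

For the transcript's reply, pasv_endpoint '227 Entering Passive Mode (127,0,0,1,173,104).' 127.0.0.1 prints 127.0.0.1:44392, which the --dport 1024: rule would accept; the 550 reply from the pasv_enable=NO transcript is rejected as malformed.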