Iptables: open FTP ports 21 and 20 so that inbound and outbound FTP server data transfers can flow through your Linux firewall
I've recently built a firewall on a Linux server and I have encountered some issues with FTP traffic whenever an authenticated user of the FTP server tries to launch a data file transfer.
This issue is quite normal, since my iptables firewall is restrictive and is of the type: deny everything by default, except what is explicitly allowed.
It is to be expected that this kind of restrictive firewall creates problems for transfers initiated to the configured FTP server, since it drops traffic to the additional ports that the FTP client asks to have opened on the server for the data connection.
The FTP protocol has long been known for this kind of problem. Most people who already have some experience with FTP know that FTP clients and servers support two general types of FTP data transfer: Active and Passive.
A user is less likely to have problems while transferring data in Passive FTP mode; however, it is a common problem that Active FTP transfers fail.
For more information on exactly how an FTP transfer works, and on passive and active mode, please read here.
To prevent problems with Active transfers to your FTP server, it is recommended that a few iptables firewall rules, as well as the required kernel modules, are present in your firewall definitions.
So whenever you intend to include an FTP server on a newly configured server for your end customers, be sure to have the following kernel modules loaded:
linux-server:~# modprobe ip_conntrack
linux-server:~# modprobe ip_conntrack_ftp
Next, we have to add the proper iptables rules to the firewall script file so that incoming requests on port 21 and the associated data connections are handled correctly:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 1.2.3.4 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 1.2.3.4 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 1.2.3.4 --dport 20 -m state --state ESTABLISHED -j ACCEPT
In the above firewall rules it is necessary to replace the 1.2.3.4 IP address with the publicly accessible IPv4 address of your FTP server.
In preparing this article I used as a basis the iptables open FTP port 21 article, which is a nice read and sheds some good light on how to fix the FTP transfer issues discussed above.
That should be enough. Now reload your firewall rules, flushing the old rules and loading the new ones, and your FTP transfers should start flowing fine.
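The whole procedure above (load the conntrack helper, generate the six FTP rules for your server address, flush and reload) can be put into one small script. The following is an added example written for this page, not the article's own script or a tool of the iptables project: the function names (ftp_rules, load_helpers, valid_ipv4) are my own, 1.2.3.4 is the same placeholder the article uses, and the script prints the rules by default so you can review them before running it as root with "apply". It goes a little beyond the article in two places: it tries the current module name nf_conntrack_ftp before the older ip_conntrack_ftp used above, and it adds a raw-table CT rule that binds the FTP helper to port 21, because kernels from 4.7 onwards no longer attach conntrack helpers automatically, which leaves the RELATED matches above silently ineffective.

```sh
#!/bin/sh
# Added example: generate (and optionally apply) the iptables rule set for an
# FTP server behind a default-deny firewall. Not the article's own code.
set -eu

# Syntax-only check of a dotted-quad IPv4 address (no range validation).
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Load the FTP connection-tracking helper. Modern kernels call the module
# nf_conntrack_ftp; the 2.6-era name used in the article is ip_conntrack_ftp.
load_helpers() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

# Print the rule set for an FTP server whose public IPv4 address is $1.
ftp_rules() {
    ip="$1"
    cat <<EOF
# Start from a clean slate (the article reloads by flushing the old rules)
iptables -F
iptables -t raw -F
# Default-deny policy; add your own management rules (e.g. SSH) before
# applying this on a remote host, or you will lock yourself out
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Kernels 4.7+ no longer attach conntrack helpers automatically: bind the
# FTP helper to the control port so data connections are tracked as RELATED
iptables -t raw -A PREROUTING -p tcp -d $ip --dport 21 -j CT --helper ftp
# Control channel: clients connect from an unprivileged port to tcp/21
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Passive data channel: the client opens a second connection to a high port
# announced by the server; the helper marks its first packet RELATED, so no
# fixed port range has to be opened for NEW connections
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Active data channel: the server connects from tcp/20 back to the client
iptables -A OUTPUT -p tcp -s $ip --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 20 -m state --state ESTABLISHED -j ACCEPT
EOF
}

main() {
    ip="${1:-}"
    mode="${2:-print}"
    if ! valid_ipv4 "$ip"; then
        echo "usage: $0 <ftp-server-ipv4> [print|apply]" >&2
        return 2
    fi
    case "$mode" in
        print) ftp_rules "$ip" ;;
        apply) load_helpers && ftp_rules "$ip" | sh -e ;;   # needs root
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Only run main when invoked with arguments, so the functions can be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run "sh ftp-rules.sh 1.2.3.4" to print the rules for review, and "sh ftp-rules.sh 1.2.3.4 apply" as root to load the helper and install them. After applying, "cat /proc/net/nf_conntrack" while a client transfers a file should show the data connection with the same client address as the control connection, which confirms the helper is tracking it.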