Iptables Open FTP Port 21 and 20 to enable your Linux firewall in and out FTP server data transfer to flow

Monday, June 14th, 2010

I’ve recently built a firewall on a Linux server and I have encountered some issues with FTP traffic whenever an authenticated user of the FTP server tries to launch a data file transfer.
This issue is quite normal since my Iptables firewall is restrictive and is of the type: deny everything by default except what is explicitly allowed.
It’s pretty normal that this kind of restrictive firewall creates problems for transfers initiated to the configured FTP server, since it drops traffic to the additional ports that the FTP client asks the server to open for the data connection.
The FTP protocol has long been famous for this kind of problem; most people with some FTP experience know that FTP clients and servers support two general types of data transfer: Active and Passive.
Users are less likely to have problems while transferring data in Passive FTP mode, whereas Active FTP transfers are a common source of trouble.
For more information on exactly how an FTP transfer works and on passive and active mode, please read here.
In order to prevent problems with Active transfers to your FTP server, it’s recommendable that a few iptables firewall rules as well as kernel modules are present among your firewall definitions.

So whenever you intend to include an FTP server with your newly configured server for the end customers, be sure to have the following kernel modules loaded:

linux-server:~# modprobe ip_conntrack
linux-server:~# modprobe ip_conntrack_ftp

Next, add the following iptables rules to your firewall script file to manage incoming requests on port 21 and the data connections that follow them:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 1.2.3.4 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 1.2.3.4 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 1.2.3.4 --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 1.2.3.4 --dport 20 -m state --state ESTABLISHED -j ACCEPT

In the above firewall rules it’s necessary to replace the 1.2.3.4 IP address with your FTP server’s publicly accessible IPv4 address.
In preparing this article I used as a basis the iptables open FTP port 21 article, which is a nice read and sheds some good light on how to fix the FTP transfer issues discussed above.
That should be enough. Now reload your firewall rules, flushing the old rules and loading the new ones, and hopefully your FTP transfers should start flowing fine.
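As an added example, not code from the original post, here is a small POSIX shell script that loads the FTP conntrack helper and generates the six rules above from a single server address (validated first) instead of editing 1.2.3.4 by hand. The module name nf_conntrack_ftp, the extra raw-table CT rule (needed because kernels since 4.7 no longer attach the FTP helper to connections automatically) and the address 203.0.113.10 are my additions, not the post’s.

```shell
#!/bin/sh
# Added example, not from the original post: generate and apply the FTP rule
# set for a given server address instead of editing 1.2.3.4 in six places.
# Assumes the legacy iptables syntax used above. Module names: on current
# kernels the helper is nf_conntrack_ftp; ip_conntrack_ftp is the old name.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for oct in $(echo "$1" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
    done
}

# Load the conntrack FTP helper, trying the current module name first.
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

# Print the rule set for the FTP server at $1 (control port 21, data port 20
# and the 1024-65535 range) to stdout; nothing is applied here.
ftp_rules() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "ftp_rules: bad IPv4 address: $ip" >&2; return 1; }
    cat <<EOF
# Since Linux 4.7 the FTP helper is no longer attached to connections
# automatically; bind it to the control connection explicitly so that the
# data connections below are tracked as RELATED.
iptables -t raw -A PREROUTING -p tcp -d $ip --dport 21 -j CT --helper ftp
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 20 -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Load the helper and apply the rules (root required); review the output of
# ftp_rules first, e.g. `ftp_rules 203.0.113.10` for a dry run.
apply_ftp_rules() {
    rules=$(ftp_rules "$1") || return 1
    load_ftp_helper && printf '%s\n' "$rules" | sh -e
}
```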