Power up with new SaaS Add-Ons from the DigitalOcean Marketplace

Question

Setup Iptables for FTP Passive connections Ubuntu?

  • Posted September 15, 2013

Hi I have setup the iptables using the guide https://www.digitalocean.com/community/articles/how-to-set-up-a-firewall-using-ip-tables-on-ubuntu-12-04 and it works great. Now I need to also configure the iptables to allow FTP to use Passive Mode. I have read that you need to run command #modprobe ip_conntrack_ftp and modprobe ip_conntrack and these 2 are loaded.

The current iptable looks like this.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 21 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 2812 -j ACCEPT iptables -A INPUT -p tcp --dport 10000 -j ACCEPT iptables -A INPUT -j DROP

Any idea how to allow Passive FTP sessions in Iptables?

Many thanks Mike

Subscribe
Share
Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Kamal NasserDecember 17, 2013

@bogdan747: It will delete the rule and the second command will set INPUT’s default policy to DROP. Basically moves the DROP-by-default config out of the way, but it’s still there :]

bogdan747December 17, 2013

Isn’t the -D to Delete the Rule and -A to Add the rules? <br>Mike’s file (list of rules) is used in Ubuntu by the script iptables-apply, iptables-save and iptables-reload to add the rulles. <br> <br>So your last line “iptables -D INPUT -j DROP” will delete / remove the DROP rule from the Chain? <br>So by adding that rule anyone can to get into his systems? <br>that’s is just silly to say the least… <br>bogdan

nightflashSeptember 17, 2013

Use this line: <br> <br>modprobe ip_conntrack_ftp

Kamal NasserSeptember 16, 2013

You shouldn’t have to reboot your droplet for the new rules to take effect.

Mike OlsonSeptember 15, 2013

Thanks Kamal, I will try this. Do I need to reboot the machine also?

Kamal NasserSeptember 15, 2013

Try adding these rules: <br> <br><pre>iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT <br>iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT</pre> <br> <br>Also I recommend deleting the <code>-A INPUT -j DROP</code> rule and setting INPUT’s default policy to DROP: <br> <br><pre>iptables -D INPUT -j DROP <br>iptables -P INPUT DROP</pre>