Question

Setup Iptables for FTP Passive connections Ubuntu?

Posted September 15, 2013 21k views
Hi I have setup the iptables using the guide https://www.digitalocean.com/community/articles/how-to-set-up-a-firewall-using-ip-tables-on-ubuntu-12-04 and it works great. Now I need to also configure the iptables to allow FTP to use Passive Mode. I have read that you need to run command #modprobe ip_conntrack_ftp and modprobe ip_conntrack and these 2 are loaded. The current iptable looks like this. iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 21 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 2812 -j ACCEPT iptables -A INPUT -p tcp --dport 10000 -j ACCEPT iptables -A INPUT -j DROP Any idea how to allow Passive FTP sessions in Iptables? Many thanks Mike
Add a comment
kreativbureau
By:
kreativbureau

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
6 answers
kamaln7 September 15, 2013
Try adding these rules: 

iptables -A INPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT


Also I recommend deleting the -A INPUT -j DROP rule and setting INPUT's default policy to DROP: 

iptables -D INPUT -j DROP

iptables -P INPUT DROP
Reply Report
kreativbureau September 15, 2013
Thanks Kamal, I will try this. Do I need to reboot the machine also?
Reply Report
kamaln7 September 16, 2013
You shouldn't have to reboot your droplet for the new rules to take effect.
Reply Report
nightflash September 17, 2013
Use this line:

modprobe ip_conntrack_ftp
Reply Report
bogdan747 December 17, 2013
Isn't the -D to Delete the Rule and -A to Add the rules?
Mike's file (list of rules) is used in Ubuntu by the script iptables-apply, iptables-save and iptables-reload to add the rulles.

So your last line "iptables -D INPUT -j DROP" will delete / remove the DROP rule from the Chain?
So by adding that rule anyone can to get into his systems?
that's is just silly to say the least....
bogdan
Reply Report
kamaln7 December 17, 2013
@bogdan747: It will delete the rule and the second command will set INPUT's default policy to DROP. Basically moves the DROP-by-default config out of the way, but it's still there :]
Reply Report
Submit an Answer

Looking for something else?

Ask a new question Search for more help