Question

Setup Iptables for FTP Passive connections Ubuntu?

Hi I have setup the iptables using the guide https://www.digitalocean.com/community/articles/how-to-set-up-a-firewall-using-ip-tables-on-ubuntu-12-04 and it works great. Now I need to also configure the iptables to allow FTP to use Passive Mode. I have read that you need to run command #modprobe ip_conntrack_ftp and modprobe ip_conntrack and these 2 are loaded.

The current iptable looks like this.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 21 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 2812 -j ACCEPT iptables -A INPUT -p tcp --dport 10000 -j ACCEPT iptables -A INPUT -j DROP

Any idea how to allow Passive FTP sessions in Iptables?

Many thanks Mike


Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

@bogdan747: It will delete the rule and the second command will set INPUT’s default policy to DROP. Basically moves the DROP-by-default config out of the way, but it’s still there :]

Isn’t the -D to Delete the Rule and -A to Add the rules? <br>Mike’s file (list of rules) is used in Ubuntu by the script iptables-apply, iptables-save and iptables-reload to add the rulles. <br> <br>So your last line “iptables -D INPUT -j DROP” will delete / remove the DROP rule from the Chain? <br>So by adding that rule anyone can to get into his systems? <br>that’s is just silly to say the least… <br>bogdan

Use this line: <br> <br>modprobe ip_conntrack_ftp