Setup Iptables for FTP Passive connections Ubuntu?

September 15, 2013 18.7k views
kreativbureau
By:
kreativbureau
Hi I have setup the iptables using the guide https://www.digitalocean.com/community/articles/how-to-set-up-a-firewall-using-ip-tables-on-ubuntu-12-04 and it works great. Now I need to also configure the iptables to allow FTP to use Passive Mode. I have read that you need to run command #modprobe ip_conntrack_ftp and modprobe ip_conntrack and these 2 are loaded. The current iptable looks like this. iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 21 -j ACCEPT iptables -A INPUT -p tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 2812 -j ACCEPT iptables -A INPUT -p tcp --dport 10000 -j ACCEPT iptables -A INPUT -j DROP Any idea how to allow Passive FTP sessions in Iptables? Many thanks Mike
Log In to Comment
6 Answers
kamaln7 MOD September 15, 2013
Try adding these rules: 

iptables -A INPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT


Also I recommend deleting the -A INPUT -j DROP rule and setting INPUT's default policy to DROP: 

iptables -D INPUT -j DROP

iptables -P INPUT DROP
Reply
kreativbureau September 15, 2013
Thanks Kamal, I will try this. Do I need to reboot the machine also?
Reply
kamaln7 MOD September 16, 2013
You shouldn't have to reboot your droplet for the new rules to take effect.
Reply
nightflash September 17, 2013
Use this line:

modprobe ip_conntrack_ftp
Reply
bogdan747 December 17, 2013
Isn't the -D to Delete the Rule and -A to Add the rules?
Mike's file (list of rules) is used in Ubuntu by the script iptables-apply, iptables-save and iptables-reload to add the rulles.

So your last line "iptables -D INPUT -j DROP" will delete / remove the DROP rule from the Chain?
So by adding that rule anyone can to get into his systems?
that's is just silly to say the least....
bogdan
Reply
kamaln7 MOD December 17, 2013
@bogdan747: It will delete the rule and the second command will set INPUT's default policy to DROP. Basically moves the DROP-by-default config out of the way, but it's still there :]
Reply
Have another answer? Share your knowledge.