How to enable passive ftp in iptables

If you use DROP policy on INPUT chain, you’ll have issues with passive ftp. To solve this apply these rules for iptables to allow passive ftp in iptables.

To avoid lockout in case the script fails at some point, add a ‘at’ job to remove DROP policy on INPUT chain. Even if you’re very confident that you’re doing everything right, don’t forget about this. There was a lot of times when I was locked out because of some failed paste into the file or left the typo somewhere. So this will let you to get the connection back after some time if you failed at some point.

Create a at job like 5 or 10 minutes later to run this:

root@localhost# date
Fri Jul 11 16:01:12 CEST 2014

root@localhost# at 16:06
warning: commands will be executed using /bin/sh
at> /sbin/iptables -P INPUT ACCEPT
# hit ctrl+d to exit at prompt and save the job
at> <EOT>
job 9 at Fri Jul 11 16:06:00 2014

root@localhost# date

Fri Jul 11 16:01:12 CEST 2014

root@localhost# at 16:06

warning: commands will be executed using /bin/sh

at> /sbin/iptables -P INPUT ACCEPT

# hit ctrl+d to exit at prompt and save the job

at> <EOT>

job 9 at Fri Jul 11 16:06:00 2014

First we have to enable iptables modules:

root@localhost# modprobe ip_conntrack
root@localhost# modprobe ip_conntrack_ftp

1 2	root@localhost# modprobe ip_conntrack root@localhost# modprobe ip_conntrack_ftp

Create some empty .sh file with this content:

IPT=/sbin/iptables
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

IPT=/sbin/iptables

$IPT -F

$IPT -X

$IPT -t nat -F

$IPT -t nat -X

$IPT -t mangle -F

$IPT -t mangle -X

$IPT -P INPUT DROP

$IPT -P OUTPUT ACCEPT

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -p icmp -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

$IPT -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

$IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

$IPT -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

Make it executable and run:

chmod +x script.sh
./script.sh

1 2	chmod +x script.sh ./script.sh

If everything went fine and you weren’t locked out, you can delete at job:

at -d 9

at -d 9

Now passive ftp should work for you!

How to enable passive ftp in iptables

Leave a Reply Cancel reply

Post Navigation