How do I open port 21 using Linux iptables firewall?
Use iptables administration tool for IPv4 packet filtering and NAT under Linux to open tcp port 21 (FTP). Following rule-set assumes that your eth0 network interface is directly connected to the Internet. It has public ip (202.54.1.20). FTP use both port 21 and 20 (port 21 for the command port and port 20 for the data). So following iptables rules take care of both ports (add rules to your iptables based shell script):
Procedure
Add support for FTP connection tracking.
Task load required iptables modules
First login as the root user.
Next type the following command to load two iptables modules:
# modprobe ip_conntrack
# modprobe ip_conntrack_ftp
Now add following iptables rules for incoming request on port 21 (open port 21) to your script:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
AND:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
AND:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 20 -m state --state ESTABLISHED -j ACCEPT
You should follow me on twitter here or grab rss feed to keep track of new changes.
Featured Articles:
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012
- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop
{ 10 comments… read them below or add one }
How i will establish iptables on my linux server also i want to establish iptables againest on MAC and IPTABLES.please give me solution very son.I am not interested to give all service of all user.At that time what i will do?
what if the ftp server is inside the network..what would be the iptable rule(s) that should be added to forward the port 20 and 21 request from the gateway machine to the ftp server whose ip address is 192.168.x.xx?can u post the right ip table rule to do that because i am really having a hard time setting up my ftp server to run.:(
How do I open my FTP port 21 on my computer? What would close this and why?
Amanda
What is going to happen if I am not using this “Iptables open ftp port 21″?
I have my dlink router setup with forward port 21 and seems it works fine?
For Ubuntu server Sudo needs to be added to the front of these iptable and conn commands
Why are there so many rules?
I simply added an input rule for port 21 and 20
$IPTABLES -A INPUT -p tcp –dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp –dport 20 -j ACCEPT
Much better than 6 lines ? No ?
@Alan Mcmillan
Yes seems effective. Got rid of ‘connection refused’ error I was getting but now connection is timing out. I am using an Archos PMA430 (Qtopia variant hacked w/ Open PMA) as server and an XP pro box running the Filezilla client. I’ve turned of timeout on the windows end so I’m guessing the Archos is causing the timeout. Is there a command to turn this off at the Linux end? Will post results if successful.
The two lines you have given will work fine but the firewall will not keep track of the connection states.
I think the author was trying to demonstrate the method for creating statefull rules for FTP, which has generally caused a few headaches given the way the FTP protocol is implemented.
Many thanks for tip!
Why it has to be so hard?
notice: it did not work.
that’s why I use windows anytime I can…
IPTABLES is not for normal users. Every distro has a different way to deal with it. For me iptables is part of some Lovecraftian Mythos