Iptables Open FTP Port 21 and 20

by on April 13, 2006 · 13 comments· LAST UPDATED December 13, 2009

in , ,

How do I open port 21 using Linux iptables firewall?

Use iptables administration tool for IPv4 packet filtering and NAT under Linux to open tcp port 21 (FTP). Following rule-set assumes that your eth0 network interface is directly connected to the Internet. It has public ip (202.54.1.20). FTP use both port 21 and 20 (port 21 for the command port and port 20 for the data). So following iptables rules take care of both ports (add rules to your iptables based shell script):

Procedure

Add support for FTP connection tracking.

Task load required iptables modules

First login as the root user.

Next type the following command to load two iptables modules:
# modprobe ip_conntrack
# modprobe ip_conntrack_ftp

Now add following iptables rules for incoming request on port 21 (open port 21) to your script:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

AND:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 

AND:

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 20 -m state --state ESTABLISHED -j ACCEPT
TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 13 comments… read them below or add one }

1 sahid December 7, 2006 at 1:20 am

How i will establish iptables on my linux server also i want to establish iptables againest on MAC and IPTABLES.please give me solution very son.I am not interested to give all service of all user.At that time what i will do?

Reply

2 joel March 26, 2007 at 8:39 am

what if the ftp server is inside the network..what would be the iptable rule(s) that should be added to forward the port 20 and 21 request from the gateway machine to the ftp server whose ip address is 192.168.x.xx?can u post the right ip table rule to do that because i am really having a hard time setting up my ftp server to run.:(

Reply

3 Amanda February 27, 2008 at 8:56 pm

How do I open my FTP port 21 on my computer? What would close this and why?
Amanda

Reply

4 frank February 11, 2009 at 5:13 am

What is going to happen if I am not using this “Iptables open ftp port 21″?
I have my dlink router setup with forward port 21 and seems it works fine?

Reply

5 jx October 27, 2009 at 6:57 pm

For Ubuntu server Sudo needs to be added to the front of these iptable and conn commands

Reply

6 Alan McMillian February 21, 2011 at 10:27 am

Why are there so many rules?

I simply added an input rule for port 21 and 20

$IPTABLES -A INPUT -p tcp –dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp –dport 20 -j ACCEPT

Much better than 6 lines ? No ?

Reply

7 Darryl Williams February 27, 2011 at 3:32 pm

@Alan Mcmillan

Yes seems effective. Got rid of ‘connection refused’ error I was getting but now connection is timing out. I am using an Archos PMA430 (Qtopia variant hacked w/ Open PMA) as server and an XP pro box running the Filezilla client. I’ve turned of timeout on the windows end so I’m guessing the Archos is causing the timeout. Is there a command to turn this off at the Linux end? Will post results if successful.

Reply

8 Josh May 31, 2011 at 4:36 pm

I have some issues to set up the iptables…

FTP server ip address
172:16:21:100 using custom port 50505
FTP with SSL/TLS (Explicit)

##FTP
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp –dport 50505 -j DNAT –to 172.16.21.100:50505

Note: eth2 is my wan interface

On my LAN I can access to FTP server.

Status: Connecting to 172.16.21.100:50505…
Status: Connection established, waiting for welcome message…
Response: (ProFTPD) [172.16.21.100]
Command: AUTH TLS
Response: 234 AUTH TLS successful
Status: Initializing TLS…
Status: Verifying certificate…
Command: USER xxxxxx
Status: TLS/SSL connection established.
Response: 331 Password required for xxxxx
Command: PASS ************
Response: 230 User xxxxx logged in
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: MDTM
Response: MFMT
Response: UTF8
Response: AUTH TLS
Response: MFF modify;UNIX.group;UNIX.mode;
Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
Response: LANG en-US*
Response: PBSZ
Response: PROT
Response: REST STREAM
Response: SIZE
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Command: PBSZ 0
Response: 200 PBSZ 0 successful
Command: PROT P
Response: 200 Protection set to Private
Status: Connected
Status: Retrieving directory listing…
Command: PWD
Response: 257 “/” is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (172,16,21,100,219,140).
Command: MLSD
Response: 150 Opening ASCII mode data connection for MLSD
Response: 226 Transfer complete
Status: Directory listing successful

Trying from outside I get this…

Response: 234 AUTH TLS successful
Status: Initializing TLS…
Status: Verifying certificate…
Status: TLS/SSL connection established.
Status: Connected
Status: Retrieving directory listing…
Command: PWD
Response: 257 “/” is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (172,16,21,100,219,126).
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Error: GnuTLS error -53: Error in the push function.
Error: Connection timed out
Error: Failed to retrieve directory listing

Any idea ?

I’m using Filezilla.

Thanx for any help :)

Reply

9 Nick July 19, 2011 at 1:01 am

The two lines you have given will work fine but the firewall will not keep track of the connection states.

I think the author was trying to demonstrate the method for creating statefull rules for FTP, which has generally caused a few headaches given the way the FTP protocol is implemented.

Reply

10 ncq June 6, 2013 at 6:09 am

I’m sorry because English is not my native language. I have to use google translate to write my comment.
I guess these rules support both FTP active mode and FTP passive mode.

The author uses:
iptables -A INPUT -p tcp -s 0/0 –sport 1024:65535 -d 202.54.1.20 –dport 1024:65535 -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 –sport 1024:65535 -d 0/0 –dport 1024:65535 -m state –state ESTABLISHED -j ACCEPT

to accept the data connection from client to server.
And
iptables -A OUTPUT -p tcp -s 202.54.1.20 –sport 20 -d 0/0 –dport 1024:65535 -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 –sport 1024:65535 -d 202.54.1.20 –dport 20 -m state –state ESTABLISHED -j ACCEPT
to accept the data connection from server to client.

Am I correct in thinking?

Reply

11 cuonghv April 5, 2013 at 9:01 pm

Many thanks for tip!

Reply

12 Alex April 24, 2013 at 7:34 pm

Why it has to be so hard?
notice: it did not work.
that’s why I use windows anytime I can…
IPTABLES is not for normal users. Every distro has a different way to deal with it. For me iptables is part of some Lovecraftian Mythos

Reply

13 Paul Zapodeanu September 12, 2013 at 1:25 pm

Hi,

I get what you are trying to do, and I know how ftp works with it’s data and control connection but for me it was much simpler.

I added support for the ftp connection tracking(with the modprobe commands) then I added a rule for the ftp control connection(port 21) and it just worked. Admittedly I had a general rule allowing RELATED and ESTABLISHED connections but I didn’t have to do anything extra for the FTP data connection.

Now let’s see if I can make it work with destination NAT (aka port forwarding).

Reply

Leave a Comment

Tagged as: , , , , , , , , , , , , , , , ,

Previous Faq:

Next Faq: