Q. I'm running GNU/Linux system with FTP server and passive ftp client requests are not working. What can I do to fix this problem under Linux iptables Firewall?
A. An ftp connection also needs a data transfer channel using active or passive session.
Make sure firewall is not blocking your FTP session. If ports are open make sure IPtables is allowing passive ftp. To solve this problem add ip_conntrack_ftp module. Type the following command to load this module:
# modprobe ip_conntrack_ftp
Iptables passive ftp rules
Same iptables firewall script to deal with incoming ftp requests including Active and Passive connections.
#!/bin/bash # Sample iptables shell script to deal with FTP server issues including # active and passive FTP connections issues. IPT=/sbin/iptables $IPT -F $IPT -X $IPT -t nat -F $IPT -t nat -X $IPT -t mangle -F $IPT -t mangle -X /sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack_ftp # Setting default filter policy $IPT -P INPUT DROP $IPT -P OUTPUT ACCEPT # Allow FTP connections @ port 21 $IPT -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT # Allow Active FTP Connections $IPT -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT # Allow Passive FTP Connections $IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT ### Add the rest of rules below ### ### log and drop everything else $IPT -A INPUT -j LOG $IPT -A FORWARD -j LOG $IPT -A INPUT -j DROP
You should follow me on twitter here or grab rss feed to keep track of new changes.
Featured Articles:
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012

- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop














{ 11 comments… read them below or add one }
At first glance I thought it is for client not for server ;-)
This is very nice article except that my FW didn’t work right untill I added RELATED here:
$IPT -A INPUT -p tcp –sport 1024: –dport 1024: -m state –state ESTABLISHED,RELATED -j ACCEPT
I guess that nf_conntrack_ftp reads the port in payload for port 21 and then the new tcp packet from 12345 -> 54321 has SIN flag, thus is RELATED to the first connection, but in no way is established.
Thanks!, looking for hours for a solution.
My problem was fixed right after i typed : modprobe ip_conntrack_ftp
What this means / do ?
Greetings,
Bart.
hp laserjet printer 1020 not working in linux at local network
Why do you need this “$IPT -A OUTPUT -p tcp –dport 21 -m state –state NEW,ESTABLISHED -j ACCEPT” if you default accept outgoing packets “$IPT -P OUTPUT ACCEPT”
but you are opening ports that allow connections to other applications such as P2P, MSN Messenger, etc…
Excellent Post…My FTP Works great, thanks….
FTP might work great, but what about that rule that says block all else incoming?? I’m now locked out of the server….
now you know not to copy and paste haha
Worked fine. Thanks.
In addition to the firewall rules, on CentOS I had to edit /etc/sysconfig/iptables-config to tell it to load the correct modules.
Add the following to the IPTABLES_MODULES line:
“ip_conntrack_netbios_ns ip_conntrack ip_conntrack_ftp”
So your IPTABLES_MODULES line should read:
IPTABLES_MODULES=”ip_conntrack_netbios_ns ip_conntrack ip_conntrack_ftp”
Restart IPTABLES (‘service iptables restart’) and you should see it load the conntrack modules.
All is good!
Ryan
Why to open the port 1024??? Passive connection use port 21 and then a port from 1024 to 65545…