Linux Passive FTP Not Working Problem And Solution

Q. I’m running GNU/Linux system with FTP server and passive ftp client requests are not working. What can I do to fix this problem under Linux iptables Firewall?

A. An ftp connection also needs a data transfer channel using active or passive session.

Make sure firewall is not blocking your FTP session. If ports are open make sure IPtables is allowing passive ftp. To solve this problem add ip_conntrack_ftp module. Type the following command to load this module:
# modprobe ip_conntrack_ftp

Iptables passive ftp rules

Same iptables firewall script to deal with incoming ftp requests including Active and Passive connections.

# Sample iptables shell script to deal with FTP server issues including
# active and passive FTP connections issues.
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
# Setting default filter policy
# Allow FTP connections @ port 21
$IPT -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow Active FTP Connections
$IPT -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT 
# Allow Passive FTP Connections
$IPT -A INPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT 
### Add the rest of rules below ###
### log and drop everything else

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 14 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
14 comments… add one
  • Dalibor Straka Feb 3, 2009 @ 14:45

    At first glance I thought it is for client not for server ;-)

    This is very nice article except that my FW didn’t work right untill I added RELATED here:

    $IPT -A INPUT -p tcp –sport 1024: –dport 1024: -m state –state ESTABLISHED,RELATED -j ACCEPT

    I guess that nf_conntrack_ftp reads the port in payload for port 21 and then the new tcp packet from 12345 -> 54321 has SIN flag, thus is RELATED to the first connection, but in no way is established.

  • Bart Calixto Apr 1, 2009 @ 23:29

    Thanks!, looking for hours for a solution.
    My problem was fixed right after i typed : modprobe ip_conntrack_ftp

    What this means / do ?


  • arun kumar Jul 4, 2009 @ 8:13

    hp laserjet printer 1020 not working in linux at local network

  • kitt Aug 7, 2009 @ 0:29

    Why do you need this “$IPT -A OUTPUT -p tcp –dport 21 -m state –state NEW,ESTABLISHED -j ACCEPT” if you default accept outgoing packets “$IPT -P OUTPUT ACCEPT”

  • karatedog Nov 13, 2009 @ 17:25

    Your FTP line is clearly wrong, I don’t even know how it would work for anyone.
    First: you are accepting INPUT connection on the SOURCE port 21:
    $IPT -A INPUT -p tcp –sport 21 -m state –state ESTABLISHED -j ACCEPT

    I would like to see an ftp client that tries to reach your server FROM the port 21. Of course it should be the DESTINATION port that is 21 (so change –sport to –dport).
    A simple ftp connection to a server throws error (when applying your rule): IN=eth0 OUT= MAC=00:xx:xx:xx:f2:e0:00:1f:9e:aa:39:00:08:00 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=11054 DF PROTO=TCP SPT=23083 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
    You can clearly see, that the client tries to knock on port 21, and that is DPT.

    Second: even if we change –sport & –dport as they should be, you are allowing only ESTABLISHED connection from the INPUT. This means that you are not accepting NEW connection. Which means no FTP at all.
    So correcting the rules for the Active FTP:
    iptables -A INPUT -p tcp –dport 21 -m state –state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp –sport 21 -m state –state ESTABLISHED -j ACCEPT

    • sam Apr 28, 2015 @ 13:34

      Thanks! This guy is talking sense. The rules above and found in many other places weren’t working for me. The addition of the NEW on the input rule solved it for me.

  • Antonio Díaz M. Dec 23, 2009 @ 17:06

    but you are opening ports that allow connections to other applications such as P2P, MSN Messenger, etc…

  • Victor Henriquez Sep 23, 2010 @ 23:03

    Excellent Post…My FTP Works great, thanks….

  • Nishi Mar 6, 2011 @ 23:34

    FTP might work great, but what about that rule that says block all else incoming?? I’m now locked out of the server….

    • lol Oct 10, 2012 @ 15:05

      now you know not to copy and paste haha

  • Nitin Jul 5, 2011 @ 5:06

    Worked fine. Thanks.

  • Ryan Griggs Aug 23, 2011 @ 19:56

    In addition to the firewall rules, on CentOS I had to edit /etc/sysconfig/iptables-config to tell it to load the correct modules.

    Add the following to the IPTABLES_MODULES line:
    “ip_conntrack_netbios_ns ip_conntrack ip_conntrack_ftp”

    So your IPTABLES_MODULES line should read:
    IPTABLES_MODULES=”ip_conntrack_netbios_ns ip_conntrack ip_conntrack_ftp”

    Restart IPTABLES (‘service iptables restart’) and you should see it load the conntrack modules.

    All is good!


  • Patrice Dec 11, 2011 @ 18:47

    Why to open the port 1024??? Passive connection use port 21 and then a port from 1024 to 65545…

    • Pritchie Aug 1, 2013 @ 15:27

      “1024:” note the colon after the 1024. This means from port 1024 upwards

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum