I tried the following rules to allow FTP:

# The following two rules allow the inbound FTP connection
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

# The next 2 lines allow active ftp connections
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

# These last two rules allow for passive transfers
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Despite the fact that I allowed passive ftp connections, when I try to connect to a server, the ftp client hangs with the words: "Entering passive mode".

After I allowed all the outbound connections:

iptables -P OUTPUT ACCEPT

it started to work.

What is wrong?

user4035
  • **hint:** `tcpdump` Take a look at what ports are being used in passive connections. – SailorCire May 19 '15 at 16:55
  • @Christopher The answer in your question uses exactly the code I use. It was accepted. I'll take a closer look, maybe, something was wrong. – user4035 May 19 '15 at 17:58

1 Answer

In passive mode, you only know one of the ports you will be using. After the connection is made, the server then tells the client what other port to use and the client then has to open this second port. I believe your rule for 1024 would only work if you know for a fact your server will only tell the client to use 1024.

Put more precisely: http://slacksite.com/other/ftp.html

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends P back to the client in response to the PASV command. The client then initiates the connection from port N+1 to port P on the server to transfer data.

don_crissti
Baazigar
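Two practitioner notes on the exchange above, followed by an added worked example that is not part of the question or the answer. First, `--dport 1024:` in iptables is a port range (1024 through 65535), so the range itself does cover whatever port P the server picks. Second, the first packet the client sends to port P is the SYN of a brand-new connection; conntrack reports it as `NEW`, and the OUTPUT rule for passive transfers only accepts `ESTABLISHED,RELATED`. With the default OUTPUT policy set to DROP that SYN never leaves the host, which is exactly the hang at "Entering passive mode", and why `iptables -P OUTPUT ACCEPT` made it work. The data connection is only classified `RELATED` when the FTP connection-tracking helper (`nf_conntrack_ftp`) has parsed the 227 reply on the control channel and registered an expectation for it; on modern kernels that helper has to be assigned explicitly (for example with a `-j CT --helper ftp` rule in the raw table), since automatic helper assignment is off by default. The model below is added here to make that reasoning concrete: it parses a PASV reply the way a client does, and replays the question's three OUTPUT rules against the resulting data connection with and without the helper. The addresses, the client port 40001 and the passive port 49320 are constructed sample values, and the conntrack behaviour is a simplified model, not the kernel's code.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Added illustration, not code from the page. Sample values below are constructed.

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) from a 227 reply; the port is p1*256 + p2.

    This is the moment the client learns the server's data port P. Nothing
    in the firewall knew P in advance, which is the point of the answer."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    port = p1 * 256 + p2
    if not 0 < port < 65536:
        raise ValueError("port out of range in PASV reply: %d" % port)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


class Rule(NamedTuple):
    sports: Optional[Tuple[int, int]]   # inclusive source-port range, None = any
    dports: Optional[Tuple[int, int]]   # inclusive destination-port range, None = any
    states: frozenset                   # conntrack states accepted by -m state


def _in_range(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def output_verdict(sport: int, dport: int, state: str, rules, policy: str = "DROP") -> str:
    """First-match evaluation of an OUTPUT chain of ACCEPT rules; fall back to the policy."""
    for r in rules:
        if _in_range(sport, r.sports) and _in_range(dport, r.dports) and state in r.states:
            return "ACCEPT"
    return policy


# The three OUTPUT rules from the question, in the order they were appended.
# "--dport 1024:" is the range 1024..65535, so port P is covered by the range.
QUESTION_OUTPUT = [
    Rule(None, (21, 21), frozenset({"NEW", "ESTABLISHED"})),
    Rule(None, (20, 20), frozenset({"ESTABLISHED"})),
    Rule((1024, 65535), (1024, 65535), frozenset({"ESTABLISHED", "RELATED"})),
]

# The same chain with NEW added to the passive rule, so the client's own SYN
# to port P is accepted even when no FTP helper is tracking the control channel.
FIXED_OUTPUT = [
    QUESTION_OUTPUT[0],
    QUESTION_OUTPUT[1],
    Rule((1024, 65535), (1024, 65535), frozenset({"NEW", "ESTABLISHED", "RELATED"})),
]


def conntrack_state(first_packet: bool, helper_expects_it: bool) -> str:
    """Simplified model of what -m state reports for an outgoing packet.

    The first packet of a flow is NEW, unless the FTP helper has registered an
    expectation for it after reading the 227 reply, in which case it is RELATED.
    Any later packet of an accepted flow is ESTABLISHED."""
    if not first_packet:
        return "ESTABLISHED"
    return "RELATED" if helper_expects_it else "NEW"


def passive_data_verdict(reply: str, client_port: int, helper_loaded: bool,
                         rules=QUESTION_OUTPUT, policy: str = "DROP") -> str:
    """Verdict for the client's SYN to the server's passive data port."""
    _host, server_port = parse_pasv(reply)
    state = conntrack_state(first_packet=True, helper_expects_it=helper_loaded)
    return output_verdict(client_port, server_port, state, rules, policy)


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,0,2,10,192,168)"   # constructed sample
    print("server data port:", parse_pasv(reply))
    print("control SYN to 21:", output_verdict(40000, 21, "NEW", QUESTION_OUTPUT))
    print("data SYN, no helper:", passive_data_verdict(reply, 40001, False))
    print("data SYN, ftp helper:", passive_data_verdict(reply, 40001, True))
    print("data SYN, policy ACCEPT:", passive_data_verdict(reply, 40001, False, policy="ACCEPT"))
    print("data SYN, NEW added to rule:", passive_data_verdict(reply, 40001, False, FIXED_OUTPUT))
```

The model reproduces what the question observed: the control connection to port 21 is accepted, the data SYN is dropped under the posted rules, and it goes through once the policy is ACCEPT. It also shows the two tighter fixes: either let the FTP helper classify the data connection as RELATED, or add NEW to the passive OUTPUT rule. Adding NEW is the blunter of the two, since it lets the host open any high port to any high port; the helper keeps the rule set limited to the port the server actually announced.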