27

My current scenario involves allowing various rules, but I need ftp to be accessible from anywhere. The OS is Cent 5 and I am using VSFTPD. I can't seem to get the syntax correct. All other rules work correctly.

## Filter all previous rules
*filter

## Loopback address
-A INPUT -i lo -j ACCEPT

## Established inbound rule
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Management ports
-A INPUT -s x.x.x.x/24 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -s x.x.x.x/23 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -s x.x.x.x/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/23 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -s x.x.x.x/23 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT

## Allow NRPE port (Nagios)
-A INPUT -s x.x.x.x -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT

##Allow FTP

## Default rules
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

The following are rules I have tried.

##Allow FTP
-A INPUT --dport 21 any -j ACCEPT
-A INPUT --dport 20 any -j ACCEPT

-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT


-A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 20 -j ACCEPT
-A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 21 -j ACCEPT

-A INPUT -s 0.0.0.0/0 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
Avery Payne
IOTAMAN

3 Answers

42

Here's the document I refer people to so that they can follow the FTP protocol: http://slacksite.com/other/ftp.html

  • To do active-mode FTP, you need to allow incoming connections to TCP port 21 and outgoing connections from port 20.
  • To do passive-mode FTP, you need to allow incoming connections to TCP port 21 and incoming connections to a randomly-generated port on the server computer (necessitating using a conntrack module in netfilter).

You don't have anything re: your OUTPUT chain in your post, so I'll include that here, too. If your OUTPUT chain is default-drop then this matters.

Add these rules to your iptables configuration:

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT

To support passive mode FTP, then, you need to load the ip_conntrack_ftp module on boot. Uncomment and modify the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file to read:

IPTABLES_MODULES="ip_conntrack_ftp"

Save the iptables config and restart iptables.

service iptables save
service iptables restart

To completely rule out VSFTPD as being a problem, stop VSFTPD, verify that it's not listening on port 21 with a "netstat -a" and then run:

nc -l 21

This will start netcat listening on port 21 and will echo input to your shell. From another host, TELNET to port 21 of your server and verify that you get a TCP connection and that you see output in the shell when you type in the TELNET connection.

Finally, bring VSFTPD back up, verify that it is listening on port 21, and try to connect again. If the connection to netcat worked then your iptables rules are fine. If the connection to VSFTPD doesn't work after netcat does then something is wrong w/ your VSFTPD configuration.

Evan Anderson
  • Thank You for the help man, the suggestions you outlined for the passive-mode fixed my issue. I appreciate the help. – IOTAMAN Jul 09 '09 at 18:13
  • Restarting iptables will wipe out any changes you've made if you don't have IPTABLES_SAVE_ON_STOP set to "yes". – Kevin M Jul 09 '09 at 18:15
  • @Kevin: Absolutely, totally a good point! >smile< I'll drop an edit on that now. – Evan Anderson Jul 09 '09 at 18:31
  • @GLB03: No problem. I live to Server Fault... >smile – Evan Anderson Jul 09 '09 at 18:52
  • This answer didn't work for me, so for anyone else having this issue, I'll point out that this (and also opening port 21 input/output) did work for me: http://www.linuxquestions.org/questions/linux-security-4/iptables-rules-for-active-ftp-22127/ – ehsanul Oct 13 '10 at 01:40
  • Excellent. After hours of thinking my VSFTP.conf was the issue I disabled the firewall (`sudo service vsftpd stop`) and everything worked. But you can't leave the firewall off ;) Getting the iptable commands for some reason wasn't straightforward with FTP -- this answer was perfect for my situation!! Thank you! – JustinP Mar 01 '14 at 03:08
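As an added example (not code from the question or from any of the answers): a small checker that parses an iptables-restore fragment laid out like the one in the question, flags the malformed attempts (a port match with no `-p tcp`, a stray token such as `any`), and reports whether tcp/21 is accepted from any source and whether a RELATED accept exists, which is the rule that admits passive-mode data connections once ip_conntrack_ftp is loaded. `SAMPLE` is a constructed ruleset; on the CentOS box you would feed it the contents of /etc/sysconfig/iptables (what `service iptables save` writes) instead.

```python
import shlex
VALUE_OPTS = {"-A", "-i", "-s", "-d", "-p", "-m", "-j", "--dport", "--sport",
              "--destination-port", "--state", "--icmp-type"}  # options taking a value

# Constructed sample in the asker's layout, with a working passive-mode rule filled in
SAMPLE = """*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
COMMIT"""

def parse_rule(line):
    """Map an '-A CHAIN ...' line to {option: [values]}; leftover tokens go under 'stray'."""
    toks, opts, stray, i = shlex.split(line), {}, [], 0
    while i < len(toks):
        if toks[i] in VALUE_OPTS and i + 1 < len(toks):
            opts.setdefault(toks[i], []).append(toks[i + 1])
            i += 1                             # skip the consumed value
        elif not toks[i].startswith("-"):
            stray.append(toks[i])              # e.g. the asker's 'any'
        i += 1
    opts["stray"] = stray
    return opts

def lint_rule(line):
    """Problems that stop a rule from loading or from doing what was intended."""
    r, problems = parse_rule(line), []
    if r["stray"]:
        problems.append("stray token(s): " + " ".join(r["stray"]))
    if any(k in r for k in ("--dport", "--sport", "--destination-port")) and "-p" not in r:
        problems.append("port match needs -p tcp (or -p udp)")
    return problems

def check_ftp_ruleset(text):
    """Summarise what a *filter fragment does for the FTP control port (tcp/21)."""
    res = {"input_policy": None, "control_port_open": False, "related_accepted": False, "broken_lines": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(":INPUT "):         # ':INPUT POLICY [pkts:bytes]'
            res["input_policy"] = line.split()[1]
        elif line.startswith("-A INPUT"):
            r = parse_rule(line)
            if lint_rule(line):
                res["broken_lines"].append(line)
            elif r.get("-j") == ["ACCEPT"]:
                ports = r.get("--dport", []) + r.get("--destination-port", [])
                src_any = r.get("-s", ["0/0"])[0] in ("0/0", "0.0.0.0/0")   # no -s means any source
                res["control_port_open"] |= "21" in ports and src_any
                # ip_conntrack_ftp tags passive data connections RELATED; this rule admits them
                res["related_accepted"] |= "RELATED" in r.get("--state", [""])[0].split(",")
    return res
```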
0

Try this rule. Note: $EXTIP is your external IP address for the FTP server.

-A INPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0.0.0.0/0 -d $EXTIP --dport 21 -j ACCEPT
Giacomo1968
Matt
0

In my case I was missing the ip_conntrack_ftp kernel module. It needs to be loaded. So you can try this:

modprobe ip_conntrack_ftp

And also add ip_conntrack_ftp to /etc/modules so it will work after a restart.

Kornel