I have a PC on which I have a FTP server installed. I want to set the iptables rules to allow both active and passive FTP. I’ve tried the following code that people report is working, but it seems to block all traffic for me (pages won’t load anymore etc)
#!/bin/bash
IPT=/sbin/iptables
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
# Setting default filter policy
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
# Allow FTP connections @ port 21
$IPT -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow Active FTP Connections
$IPT -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# Allow Passive FTP Connections
$IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
That code ONLY allows incoming and outgoing FTP connections. It doesn’t allow anything else in/out.
Drops all incoming traffic. So if you start with that, you’ll want to enable traffic into any other services you have running that you’d like to allow in. .
This rule would allow incoming FTP traffic.
An explanation of what this script is/does is it deletes all of your existing IP Tables chains, then it adds rules to allow all outgoing traffic and block all incoming traffic except for FTP.