There\u2019s lots of advice on the net about how to setup a server with iptables to allow passive mode FTP. Below is the approach that we\u2019ve found to be most effective.<\/p>\n
Start by configuring your FTP daemon to use a fixed range of ports. We use 41361 to 65534 which is the IANA registered ephemeral port range. The exact config depends on what FTP software you\u2019re using:<\/p>\n
vsftpd<\/strong><\/p>\n Edit \/etc\/vsftpd\/vsftpd.conf and add the following lines:<\/p>\n proftpd<\/strong><\/p>\n Edit \/etc\/proftpd.conf and add to the Global section:<\/p>\n Now restart your FTP service so the changes take effect.<\/p>\n Next you\u2019ll need to configure the ip_conntrack_ftp iptables module to load. On Redhat\/CentOS just edit \/etc\/sysconfig\/iptables-config and add \u201cip_conntrack_ftp\u201d to the IPTABLES_MODULES like this:<\/p>\n Next edit \/etc\/sysconfig\/iptables and add a rule to allow TCP port 21. Now restart the iptables service:<\/p>\n You can verify that the correct port range has been registered with lsmod like this:<\/p>\n and you\u2019ll get something like this:<\/p>\n And that\u2019s all it takes to get passive mode ftp working behind iptables.<\/p>\n P.S: If your server is behind a physical firewall and you are behind NAT, then you\u2019ll probable need to load the “ip_nat_ftp” iptables module.<\/p>\n","protected":false},"excerpt":{"rendered":" There\u2019s lots of advice on the net about how to setup a server with iptables to allow passive mode FTP. Below is the approach that we\u2019ve found to be most effective. Start by configuring your FTP daemon to use a fixed range of ports. We use 41361 to 65534 which is the IANA registered ephemeral […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_s2mail":"yes","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[95],"tags":[223,294,73,19,442,444,443],"class_list":["post-968","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-centos","tag-ftp","tag-iptables","tag-linux","tag-passive","tag-proftpd","tag-vsftp"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p12j6H-fC","_links":{"self":[{"href":"https:\/\/blogs.silicontechnix.com\/index.php?rest_route=\/wp\/v2\/posts\/968","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.silicontechnix.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.silicontechnix.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.silicontechnix.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.silicontechnix.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=968"}],"version-history":[{"count":5,"href":"https:\/\/blogs.silicontechnix.com\/index.php?rest_route=\/wp\/v2\/posts\/968\/revisions"}],"predecessor-version":[{"id":973,"href":"https:\/\/blogs.silicontechnix.com\/index.php?rest_route=\/wp\/v2\/posts\/968\/revisions\/973"}],"wp:attachment":[{"href":"https:\/\/blogs.silicontechnix.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.silicontechnix.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=968"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.silicontechnix.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\r\npasv_min_port=49152\r\npasv_max_port=65534\r\n<\/pre>\n
\r\n
\r\nIPTABLES_MODULES=\"ip_conntrack_ftp\"\r\n<\/pre>\n
\nThe new line is marked in red:<\/p>\n\r\n*filter\r\n:INPUT ACCEPT [0:0]\r\n:FORWARD ACCEPT [0:0]\r\n:OUTPUT ACCEPT [0:0]\r\n-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\r\n-A INPUT -p icmp -j ACCEPT\r\n-A INPUT -i lo -j ACCEPT\r\n-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT\r\n-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\r\n-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT\r\n-A INPUT -j REJECT --reject-with icmp-host-prohibited\r\n-A FORWARD -j REJECT --reject-with icmp-host-prohibited\r\nCOMMIT\r\n<\/pre>\n
\r\n\/sbin\/service iptables restart\r\n<\/pre>\n
\r\nlsmod | grep conntrack_ftp\r\n<\/pre>\n
\r\nnf_conntrack_ftp 12913 0 \r\nnf_conntrack 79645 4 nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state\r\n<\/pre>\n