
I have a problem with connecting through FTP when iptables is enabled. I've tried all suggestions from this topic and a few others, but I'm still getting:

Error:  Connection timed out
Error:  Could not connect to server

There's no problem with connection when I turn off iptables, so I'm sure this is what's causing the issue.

This is what my iptables file looks like:

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2020 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Allow FTP connections @ port 21
-A INPUT  -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
COMMIT
Nicolas

2 Answers

First of all, the order of the rules is important. Since you have specified the REJECT rule before the FTP ACCEPT rules, FTP packets are rejected by that rule before reaching the relevant rules and having any chance of getting accepted.

Secondly, the link you've mentioned in your question discusses the rules required by the server, and not by the client. The appropriate rules for the client are opposite.

Since the default policy of the OUTPUT chain is ACCEPT, and you have allowed packets of ESTABLISHED or RELATED connections into your machine, passive-mode FTP should already be supported by your rule set.

In order to support active-mode FTP as well, you need to allow incoming TCP connections originating from the server at port 20, as follows:

iptables -A INPUT -p tcp --sport 20 -j ACCEPT

This link supplies a concise summary of the rationale for the above rules.


Since in active-mode FTP the data connection's hosts and ports can be reliably and easily determined from the control connection's hosts and ports, I think that loading the nf_conntrack_ftp module would prove the ad-hoc rule for allowing incoming TCP connections originating from the server at port 20 redundant. I haven't checked this, but loading the module with modprobe nf_conntrack_ftp might suffice because incoming RELATED and ESTABLISHED traffic is allowed. This approach would be preferable since it's a bit more secure.

Yoel
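The first point in the answer above (a catch-all REJECT placed before the FTP ACCEPT rules shadows them) can be checked mechanically. The following is an added example, not code from either answer: a small Python linter that reads an iptables-save style dump, reports every rule that sits after an unconditional terminal rule (ACCEPT, DROP or REJECT with no match options) in the same chain, and emits a reordered dump with those catch-alls moved to the end of their chains. The `SAMPLE` dump is constructed from the question's rule set, with a `*filter` table header added so that iptables-restore would accept it; comments in the dump are dropped on output.

```python
"""Detect iptables rules shadowed by an earlier catch-all terminal rule in the same chain."""
import shlex

# Constructed sample: the rule set from the question, plus a *filter header.
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2020 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Allow FTP connections @ port 21
-A INPUT  -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
COMMIT
"""

# Targets after which no later rule in the chain is consulted for a matched packet.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(dump):
    """Return (chain, tokens) for every '-A' line; headers, comments and COMMIT are skipped."""
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-A"):
            tokens = shlex.split(line)
            rules.append((tokens[1], tokens))
    return rules


def target(tokens):
    """Jump target of a rule, or None if it has no -j."""
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None


def is_catch_all(tokens):
    """True when the rule has no match options, i.e. only '-A CHAIN -j TARGET [--reject-with X]'."""
    i = 2
    while i < len(tokens):
        if tokens[i] in ("-j", "--reject-with"):
            i += 2
        else:
            return False  # any other option (-p, -m, -i, --dport, ...) restricts the match
    return True


def shadowed_rules(dump):
    """Rules that can never match because an earlier catch-all terminal rule ends their chain."""
    terminated = set()
    shadowed = []
    for chain, tokens in parse_rules(dump):
        if chain in terminated:
            shadowed.append(" ".join(tokens))
        elif is_catch_all(tokens) and target(tokens) in TERMINAL:
            terminated.add(chain)
    return shadowed


def reorder(dump):
    """Move each chain's first catch-all terminal rule behind the chain's other rules."""
    head, kept, deferred, tail = [], [], [], []
    seen = set()
    for line in dump.splitlines():
        s = line.strip()
        if s.startswith("-A"):
            tokens = shlex.split(s)
            chain = tokens[1]
            if chain not in seen and is_catch_all(tokens) and target(tokens) in TERMINAL:
                deferred.append(s)
                seen.add(chain)
            else:
                kept.append(s)
        elif s == "COMMIT" or tail:
            tail.append(s)
        elif s and not s.startswith("#"):
            head.append(s)
    # iptables-restore processes rules per chain in file order, so interleaving chains is fine.
    return "\n".join(head + kept + deferred + tail) + "\n"


if __name__ == "__main__":
    for rule in shadowed_rules(SAMPLE):
        print("shadowed:", rule)
    print(reorder(SAMPLE))
```

Run against the question's dump, the linter flags only the `--sport 21` INPUT rule: the OUTPUT rule is not shadowed because that chain has no catch-all. The reordered dump places both REJECT rules last, which is what iptables-restore needs so the ACCEPT rules are evaluated first.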

The rule should be as given below:

$IPT -A INPUT  -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

The INPUT chain should have destination port 21 opened for incoming connections. Let me know your feedback after trying this out.

Arnab Nandy