I have a PC on which I have a FTP server installed. I want to set the iptables rules to allow both active and passive FTP. I've tried the following code that people report is w
I have found a big mistake in the above script!
The rules are mistyped, it should be like that:
$IPT -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
Dport and sport change places! You are going to a destination: if you connect to a server, the source port is dynamic and client-side specific and is not known, even though a connection is established!
Imho the second line is ambiguous, because you don't know which ports a server-side client is going to use to establish an FTP connection. Better would be a rule like this, if outbound traffic is blocked by default:
$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
But this is only needed if the rule
$IPT -P OUTPUT DROP
is on top of the rule-set.
Greetings
Marcus
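As an added example (not part of the question or of Marcus's answer), the following script shows a server-side rule set that covers both active and passive FTP by relying on the kernel FTP connection-tracking helper rather than guessing ports. It assumes a passive port range of 30000-30100 configured in the FTP daemon (a constructed value; match it to your server's pasv settings), that nf_conntrack_ftp is loaded, and it defaults IPT to "echo iptables" so the rules can be reviewed as a dry run before being applied with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the original post. Server-side iptables rules for
# active and passive FTP using the nf_conntrack_ftp helper.
# Assumptions (not on the page): passive range 30000-30100 configured in the
# FTP daemon; the helper module is loaded (modprobe nf_conntrack_ftp, plus
# nf_nat_ftp if NAT is involved). IPT defaults to a dry run that only prints.
: "${IPT:=echo iptables}"
PASV_MIN=30000
PASV_MAX=30100

ftp_rules() {
    # Kernels 4.7+ no longer auto-assign conntrack helpers, so the control
    # channel must be explicitly tagged in the raw table for the helper to
    # parse PORT/PASV and create RELATED expectations for data connections.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

    # Control channel (port 21): clients open new connections to us; our
    # replies leave with source port 21 and are already ESTABLISHED.
    $IPT -A INPUT  -p tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # Active mode: the server opens the data connection from port 20 to the
    # port the client announced in PORT; the helper marks it RELATED.
    $IPT -A OUTPUT -p tcp --sport 20 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -p tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # Passive mode: the client connects to a high port announced in the PASV
    # reply. Accept only the configured range and only connections the helper
    # expected (RELATED), never blind NEW connections to those ports.
    $IPT -A INPUT  -p tcp --dport "$PASV_MIN:$PASV_MAX" \
        -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport "$PASV_MIN:$PASV_MAX" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

ftp_rules
```

Run it as-is to print the rules; run it as IPT=iptables sh script.sh to apply them. The helper match keeps the passive range closed to anyone who has not first negotiated a transfer on the control channel, which is the difference between "open 30000-30100" and "allow FTP data".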