The Geek Diary
CentOS / RHEL : How to configure iptable rules to allow FTP ports 20/21

By admin

The iptables utility controls the network packet filtering code in the Linux kernel. The iptables feature is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

On the FTP server, the default iptables rules do not allow ports 20/21 for FTP connections. Trying to open an FTP connection then fails with the following error:

# ftp 192.168.10.10
ftp: connect: No route to host
ftp>

Allowing FTP ports 20/21 in iptables

Login to the ftp server and follow the steps given below.

1. Edit the file /etc/sysconfig/iptables-config and add the "ip_conntrack_ftp" module to the "IPTABLES_MODULES=" setting. The entry should look like this:

IPTABLES_MODULES="ip_conntrack_ftp"

2. Edit the file /etc/sysconfig/iptables and make sure iptables rules are added for ports 20/21:

# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT                        ## rule related to FTP command (port 21)
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT                        ## rule related to FTP data (port 20)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Note: The order of the iptables rules is important. iptables evaluates the INPUT chain top to bottom and stops at the first matching rule, so the ACCEPT rules for ports 20/21 must appear before the final REJECT rule; placed after it, they would never be reached.

3. Restart the iptables service:

# service iptables restart

4. Run the command below to check whether the FTP connection-tracking modules are loaded:

# lsmod | grep -i ftp

Example Output:

# lsmod | grep -i ftp
nf_conntrack_ftp       12913  0
nf_conntrack           79357  3 nf_conntrack_ftp,nf_conntrack_ipv4,xt_state

5. Run the command below to check whether the iptables rules for FTP ports 20 and 21 are active:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

6. Verify that you can ftp from the client to the FTP server successfully.
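The two things that most often go wrong in steps 1, 2 and 5 are a conntrack helper that never got listed in IPTABLES_MODULES and FTP ACCEPT rules that were appended after the catch-all REJECT, where they are never reached. The shell script below is an added example, not part of the original article, that checks both conditions against files in the /etc/sysconfig/iptables and /etc/sysconfig/iptables-config formats shown above. It runs stand-alone on constructed sample files written to temporary paths; the function names ftp_rules_ordered and ftp_helper_configured are assumptions of this example, and the helper check accepts both the ip_conntrack_ftp name used in step 1 and the nf_conntrack_ftp name that the lsmod output in step 4 reports.

```shell
#!/bin/sh
# Added example, not from the original article.
# ftp_rules_ordered FILE: exit 0 if FILE contains an INPUT ACCEPT rule for
# --dport 21 and for --dport 20, and both appear before the first
# "-A INPUT ... -j REJECT" rule (iptables stops at the first match).
ftp_rules_ordered() {
    f="$1"
    # Line number of the catch-all REJECT in the INPUT chain, if any.
    reject_line=$(grep -n -E '^-A INPUT .*-j REJECT' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$reject_line" ] || reject_line=999999   # no catch-all: order cannot fail
    for port in 21 20; do
        rule_line=$(grep -n -E "^-A INPUT .*--dport ${port} .*-j ACCEPT" "$f" \
                    | head -n 1 | cut -d: -f1)
        [ -n "$rule_line" ] || return 1                 # rule for this port is missing
        [ "$rule_line" -lt "$reject_line" ] || return 1 # rule sits after the REJECT
    done
    return 0
}

# ftp_helper_configured FILE: exit 0 if the IPTABLES_MODULES= line in FILE
# names the FTP conntrack helper (either ip_conntrack_ftp or nf_conntrack_ftp).
ftp_helper_configured() {
    grep -E '^IPTABLES_MODULES=.*(ip|nf)_conntrack_ftp' "$1" >/dev/null
}

# Constructed sample files for a stand-alone run (not real system files).
good_rules=$(mktemp); bad_rules=$(mktemp); mod_conf=$(mktemp)
trap 'rm -f "$good_rules" "$bad_rules" "$mod_conf"' EXIT

cat > "$good_rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Same rules, but the FTP ACCEPTs were appended after the catch-all REJECT.
cat > "$bad_rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
COMMIT
EOF

printf 'IPTABLES_MODULES="ip_conntrack_ftp"\n' > "$mod_conf"

if ftp_rules_ordered "$good_rules"; then
    echo "good_rules: FTP ACCEPT rules are in place before the REJECT"
fi
if ! ftp_rules_ordered "$bad_rules"; then
    echo "bad_rules: FTP ACCEPT rules are shadowed by the catch-all REJECT"
fi
if ftp_helper_configured "$mod_conf"; then
    echo "iptables-config: FTP conntrack helper is listed"
fi
```

To run the same checks against a real server, call the two functions with /etc/sysconfig/iptables and /etc/sysconfig/iptables-config instead of the temporary files; a non-zero exit from ftp_rules_ordered is the "rules exist but are never reached" case that the ordering note in step 2 warns about, which `iptables -L` alone will not flag.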

© 2021 · The Geek Diary