The Geek Diary

HowTos | Basics | Concepts

Main navigation

CentOS / RHEL : How to configure iptable rules to allow FTP ports 20/21

By

The iptables utility controls the network packet filtering code in the Linux kernel. The iptables feature is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

On the FTP Server, by default iptables rules are not set to allow port 20/21 for FTP connection. Trying to open a ftp connection results in the following error:

# ftp 192.168.10.10
ftp: connect: No route to host
ftp>

Allowing FTP ports 20/21 in iptables

Login to the ftp server and follow the steps given below.

1. Edit file /etc/sysconfig/iptables-config and add “ip_conntrack_ftp“” module to the section “IPTABLES_MODULES=“. Entry should look like this:

IPTABLES_MODULES="ip_conntrack_ftp"

2. Edit file /etc/sysconfig/iptables and make sure iptables rules are added for port 20/21

# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT                        ## rule related to FTP command (port 21)
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT                        ## rule related to FTP data (port 20)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Note: Order of the iptables rules is important.

3. Restart iptables service

# service iptables restart

4. Run below command to check if ftp modules are loaded or not.

# lsmod | grep -i ftp

Example Output:

# lsmod | grep -i ftp
nf_conntrack_ftp       12913  0
nf_conntrack           79357  3 nf_conntrack_ftp,nf_conntrack_ipv4,xt_state

5. Run below command to check if iptables rules related to ftp port 20 and port 21 are enabled or not.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

6. Veriy if you can ftp from the client to the ftp server successfully.