Open FTP under iptables

Source: Internet
Author: User

Over the past two days I have been setting up iptables on servers for clients. I thought there was not much to it, but it turns out iptables has a lot to learn, for example how to open up FTP.
The default policy of the INPUT chain of the iptables filter table is set to DROP, and the other chains are ACCEPT. This server acts as an FTP server and also has to connect to another FTP server, so port 21 must be opened both as source port and as destination port:

iptables -A INPUT -p tcp --sport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

Is opening port 21 enough? No. Let's look at the FTP protocol first. FTP is a simple TCP protocol with poor confidentiality (everything is sent in plaintext). The client first connects to port 21 on the server, and the connection is established after the three-way handshake. Note that this connection carries only FTP commands: no data passes over it, not even the directory listing you get with the "ls" command.
After the command connection is established, the server needs to establish a data connection. Data connections come in two modes, active and passive. By default FTP runs in passive mode, and you can switch between active and passive with the "pass" command. In active mode the server connects to the client from port 20; in passive mode the server opens a port above 1024 and the client connects to it. Because the ports above 1024 are allocated randomly, in passive mode we do not know in advance which port the server will use for the data connection, which means we do not know which port iptables should open.
At first I used

iptables -A INPUT -p tcp --sport 1024: --dport 1024: -j ACCEPT

to let FTP establish its passive connection. But this effectively opens every connection between high ports, P2P included, which is insecure.
So I asked on CU and finally found the solution:
1. Load the modules.

modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp

2. Add a rule:

On the server:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

On the client:

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This allows the passive data connection because connection tracking, with the ip_conntrack_ftp helper loaded, sees the port negotiated on the command channel and marks the data connection as RELATED, so no fixed high-port range has to be opened.

In practice, when I restarted iptables the modules were gone again. After persistent effort I finally found the real solution: edit /etc/sysconfig/iptables-config:

# both modules in one space-separated assignment; a second assignment would overwrite the first
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"

This adds the modules to the load list, so whether the system or just iptables is restarted, the FTP modules are always loaded.
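As an added example, not part of the original post: a small shell audit that reads iptables-save output and flags the catch-all high-port rule from the first attempt, while confirming the ESTABLISHED,RELATED rule that the conntrack FTP helper depends on. The sample dump is constructed, and the nf_conntrack_ftp module name (the newer name of ip_conntrack_ftp) is an assumption not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an iptables-save dump
# for the FTP-related rules discussed above. The dump below is a constructed
# sample; on a live host run:  iptables-save | audit_ftp_rules

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Reads rules on stdin and prints one finding per line.
# Returns 1 if the catch-all high-port rule from the first attempt is present.
audit_ftp_rules() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            ":INPUT DROP"*)
                echo "INFO: INPUT policy is DROP; only explicitly accepted traffic gets in" ;;
            *"--sport 1024"*"--dport 1024"*)
                echo "BAD: accepts any unsolicited TCP between high ports, not just FTP data: $line"
                rc=1 ;;
            *"--sport 21 "*)
                echo "NOTE: matching on source port 21 trusts a value the sender chooses; the RELATED rule already covers replies" ;;
            *"--state "*RELATED*|*"--ctstate "*RELATED*)
                echo "OK: RELATED rule present; the conntrack FTP helper will admit data connections" ;;
        esac
    done
    return $rc
}

# Returns 0 if the FTP conntrack helper is in the given module list, e.g.
# ftp_helper_loaded "$(cut -d' ' -f1 /proc/modules)". Accepts the old name
# used in the post (ip_conntrack_ftp) and the newer one (nf_conntrack_ftp).
ftp_helper_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(ip|nf)_conntrack_ftp$'
}
```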

I hope this helps you solve your FTP problems in the future.
