Active and Passive ftp mode and iptables firewall configuration
Source: Internet
Author: User
Iptables supports Active and Passive FTP protocol configuration in two ways: PORT and PASV. the Chinese meaning is active and passive. Port mode: ftpserver: tcp21 -- client: dynamicftpserver: tcp20 -- client: dynamicPasv mode: ftpserver: tcp21 -- client
IptablesThe active and passive modes of FTP are configured in two ways: PORT mode and PASV mode. the Chinese meaning is active and passive.
Port mode: ftp server: tcp 21 <-- client: dynamic ftp server: tcp 20 --> client: dynamic
Pasv mode: ftp server: tcp 21 <-- client: dynamic ftp server: tcpdynamic <-- client: dynamic
The active connection process is that the client sends a connection request to the ftp port of the server (21 by default). The server accepts the connection and establishes a command link. When data needs to be transmitted, the client uses the PORT command on the command link to tell the server: "I opened PORT XXXX and you came to connect to me ". The server sends a connection request from Port 20 to Port XXXX of the client and establishes a data link to transmit data.
PASV (passive) connection process: the client sends a connection request to the FTP port of the server (21 by default). The server accepts the connection and establishes a command link. When data needs to be transmitted, the server uses the PASV command on the command link to tell the client: "I opened Port XXXX, and you came to connect to me ". Therefore, the client sends a connection request to Port XXXX of the server and establishes a data link to transmit data.
# Allow all ftp incoming connections
Iptables-a input-p tcp -- dport 21-m state -- state ESTABLISHED-jACCEPT
Iptables-a output-p tcp -- sport 21-m state -- state NEW, ESTABLISHED-j ACCEPT
# Enable active ftp transfers
Iptables-a input-p tcp -- dport 20-m state -- stateESTABLISHED, RELATED-j ACCEPT
Iptables-a output-p tcp -- sport 20-m state -- state ESTABLISHED-jACCEPT
# Enable passive ftp transfers
Iptables-a input-p tcp -- sport 1024: 65535 -- dport 1024: 65535-mstate -- state ESTABLISHED-j ACCEPT
Iptables-a output-p tcp -- sport 1024: 65535 -- dport 1024: 65535-m
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.