Http://www.cppblog.com/mydriverc/archive/2010/03/14/109670.html
First, understand the two connection modes:
The FTP protocol can work in two modes, PORT and PASV, that is, active and passive. In both modes the client opens the command (control) link to server port 21; they differ in which side opens the data link.
PORT (active) mode:
    command link: FTP server TCP 21      <------ client: dynamic port
    data link:    FTP server TCP 20      ------> client: dynamic port
PASV (passive) mode:
    command link: FTP server TCP 21      <------ client: dynamic port
    data link:    FTP server TCP dynamic <------ client: dynamic port
PORT (active) mode connection process: the client sends a connection request to the FTP command port of the server (21 by default). The server accepts the connection and the command link is established. When data needs to be transferred, the client sends a PORT command over the command link to tell the server: "I have opened port XXXX, connect to me there." The server then sends a connection request from its port 20 to port XXXX on the client, and the data link is established to transfer the data. Because the server initiates this connection towards the client, a firewall or NAT on the client side that only allows client-initiated connections will block active mode.
PASV (passive) mode connection process: the client sends a connection request to the FTP command port of the server (21 by default). The server accepts the connection and the command link is established. When data needs to be transferred, the client sends a PASV command over the command link, and the server replies (with a 227 response) telling the client: "I have opened port XXXX, connect to me there." The client then sends a connection request to port XXXX on the server, and the data link is established to transfer the data. In both modes it is the client that issues the command; what differs is which side listens for the data link.
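The two port announcements described above, worked through in code. This is an added example, not code from the original post: it decodes and encodes the h1,h2,h3,h4,p1,p2 tuple that both the PORT command and the 227 reply to PASV use (port = p1 * 256 + p2), and shows what each side does with it. The sample messages and addresses are constructed for the example, and the checks on the PORT target and the NAT fallback in the PASV handling are additions that the text does not spell out.

```python
import ipaddress
import re

# Constructed sample messages for this example (not captured from any real server):
# the client on 192.0.2.10 announces port 50000 with PORT, and the server on
# 198.51.100.5 announces port 60001 in its 227 reply to PASV.
CONTROL_PEER = "192.0.2.10"
PORT_COMMAND = "PORT 192,0,2,10,195,80"
PASV_REPLY = "227 Entering Passive Mode (198,51,100,5,234,97)."

_SIX_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form shared by the PORT command and the 227 reply.
    The announced port is p1 * 256 + p2."""
    m = _SIX_TUPLE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("tuple element out of range in %r" % text)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def encode_hostport(host, port):
    """Inverse of decode_hostport: build the tuple a client puts in PORT or a
    server puts in its 227 reply."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def _is_rfc1918(host):
    addr = ipaddress.IPv4Address(host)
    return any(addr in net for net in _RFC1918)


def parse_port_command(line, control_peer):
    """Server side of active mode: decide where the server will connect from port 20.
    Two checks added here beyond the text: the announced address must be the client
    that owns the command link (otherwise the server becomes a relay to arbitrary
    third-party hosts), and the port must not be privileged."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command: %r" % line)
    host, port = decode_hostport(arg)
    if host != str(ipaddress.IPv4Address(control_peer)):
        raise ValueError("PORT target %s is not the command-link peer %s" % (host, control_peer))
    if port < 1024:
        raise ValueError("PORT target port %d is privileged" % port)
    return host, port


def parse_pasv_reply(line, control_peer):
    """Client side of passive mode: decide where the client will connect for the data link.
    A server behind NAT may announce its private address; as common FTP clients do,
    fall back to the address the command link already reached (an added heuristic)."""
    if not line.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % line)
    host, port = decode_hostport(line)
    if _is_rfc1918(host) and not _is_rfc1918(control_peer):
        host = str(ipaddress.IPv4Address(control_peer))
    return host, port


if __name__ == "__main__":
    # Active mode: the server parses the client's PORT and connects from port 20 to it.
    print("active  -> server connects from :20 to %s:%d" % parse_port_command(PORT_COMMAND, CONTROL_PEER))
    # Passive mode: the client parses the server's 227 reply and connects to it.
    print("passive -> client connects to %s:%d" % parse_pasv_reply(PASV_REPLY, "198.51.100.5"))
    print("client would send: PORT " + encode_hostport(CONTROL_PEER, 50000))
```

The p1 * 256 + p2 encoding is why the data link can land on any port above 1024 in either mode, which is what the wide port ranges in the firewall rules that follow have to allow for.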
# The rules below are for the host running the FTP server. Data connections are only
# matched as RELATED if the FTP connection-tracking helper is loaded (nf_conntrack_ftp
# on current kernels, ip_conntrack_ftp on older ones); without it the RELATED matches
# never fire and the data link is dropped.
# Allow all FTP incoming connections (command link to server port 21)
iptables -A INPUT  -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# Enable active FTP transfers (the server opens the data link from port 20 to the client)
iptables -A INPUT  -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Enable passive FTP transfers (the client opens the data link to a dynamic server port;
# narrow 1024:65535 to the passive port range configured in the FTP server)
iptables -A INPUT  -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT