Set port 21 and Port 20 of the ftp server in iptables firewall

It is very convenient to install ftp on a Linux server to provide users with upload and download. However, if your server has enabled the iptables firewall, you need to set the ftp port. I have also used iptables to allow access from a port. why do I need to demonstrate the ftp port? Because the ftp port is really special, it is very convenient to install ftp on Linux servers such as port 80 and port 22 to provide users with upload and download, but if your server
Enabled IptablesFirewall, you need to make some settings on the ftp port.
I have also used iptables to allow access from a port. why do I need to demonstrate the ftp port?
Because ftp ports are really special, not like ports 80 and 22.
It can be divided into the port used for connection and the port used for data transmission when you upload and download files.
Well, I will demonstrate how it is special.
The netstat-tnl command shows that we are running the ftp service.
Tcp 0 00.0.0.0: 21 0.0.0.0: * LISTEN
======================
[Root @ localhost root] # iptables-L-n
Chain INPUT (policy DROP)
Target prot optsource destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcpdpt: 22
Chain FORWARD (policy DROP)
Target prot optsource destination
Chain OUTPUT (policy DROP)
Target prot optsource destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcpspt: 22
Now, I only allow access to port 22.
Now I start setting the ftp port and add the port to be opened.
The ftp connection port has two ports 21 and 20. now I add the corresponding rules.
[Root @ localhost root] # iptables-a input-p tcp -- dport 21-jACCEPT
[Root @ localhost root] # iptables-a input-p tcp -- dport 20-jACCEPT
[Root @ localhost root] # iptables-a output-p tcp -- sport 21-jACCEPT
[Root @ localhost root] # iptables-a output-p tcp -- sport 20-jACCEPT
Okay, so we can use a browser to access the ftp, and there is a timeout.
So I just mentioned that ftp is a special port, and some of its ports are data transmission ports,
Such as directory list, upload, and download all use these ports.
These ports are arbitrary ports. This is really special.
If no port range is specified, iptables is hard to open to any port,
If iptables allows access from any port, it is no different from not setting a firewall, so it is unrealistic.
The solution is to specify a range of the data transmission port.
Next, modify the ftp configuration file.
Here I use vsftpd to modify the demo. I don't know where to modify other ftp files. you can look for information.
[Root @ localhost root] # vi/etc/vsftpd. conf
Add at the bottom of the configuration file
Pasv_min_port = 30001
Pasvanderbilt max_port = 31000
Save and exit.
The meaning of these two statements tells vsftpd that the port range for data transmission is between 30001 and 31000.
In this way, we can use iptables more easily, and we can open ports 30001 to 31000.
[Root @ localhost root] # iptables-a input-p tcp -- dport30001: 31000-j ACCEPT
[Root @ localhost root] # iptables-a output-p tcp -- sport30001: 31000-j ACCEPT
[Root @ localhost root] # service iptables save
Save the file, and use ftp in the browser. Normal access
You can log in with an account, and there is no problem. Upload some files and check them.
You can see that the upload and download operations are normal. Check the iptables settings.
[Root @ localhost root] # iptables-L-n
Chain INPUT (policy DROP)
Target prot optsource destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcpdpt: 22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcpdpt: 21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcpdpt: 20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcpdpts: 30001: 31000
Chain FORWARD (policy DROP)
Target prot optsource destination
Chain OUTPUT (policy DROP)
Target prot optsource destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcpspt: 22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcpspt: 21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcpspt: 20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcpspts: 30001: 31000
To demonstrate the simple rules of special ftp ports, you can add some data packet verification methods.