With iptables -P INPUT DROP, network access is normal, but FTP connections fail?
Following the approach described above, to open only the FTP service on port 21 and keep all other services closed, the usual configuration is:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
With this configuration, the FTP client can connect to the FTP host and the welcome/login banner is displayed. However, errors occur afterwards when listing the file directory or retrieving files...
The FTP protocol distinguishes between active mode and passive mode for the data channel. In passive mode, the client makes the data connection to the FTP server itself, on a port above 1024 that the server specifies for the transfer.
As a result, the configuration above may work when FTP transfers use active mode, but fails in passive mode. The reason is that the host's firewall rules do not allow the FTP client to connect to the port specified by the FTP server.
To solve this problem, iptables has a helper named ip_conntrack_ftp that can inspect the FTP protocol command exchange on inbound and outbound connections whose destination port is 21, and make the result available to iptables firewall rules. The way to open it up:
modprobe ip_conntrack_ftp
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
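
The effect of the helper, as an added example in Python that is not part of the original page: a simplified model (not the kernel's implementation) of how the first packet of the passive-mode data connection is classified under the two rule sets above. The PASV reply, the addresses and all function names are constructed for illustration.

```python
import re

# Constructed sample: the server's reply to PASV on the port-21 control channel.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"

def parse_pasv(reply):
    """Return the (ip, port) announced in a 227 reply, or None if it is not one."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def conntrack_state(pkt, flows, expected):
    """Classify an inbound packet the way the state match would see it."""
    if pkt["flow"] in flows:
        return "ESTABLISHED"
    if (pkt["dst"], pkt["dport"]) in expected:  # expectation registered by the FTP helper
        return "RELATED"
    return "NEW"

def verdict(pkt, accepted_states, flows, expected):
    """Walk the INPUT chain: state rule, port 21 rule, then policy DROP."""
    # The lo rule is left out: the modelled packet arrives on an external interface.
    if conntrack_state(pkt, flows, expected) in accepted_states:
        return "ACCEPT"
    if pkt["dport"] == 21:
        return "ACCEPT"
    return "DROP"

def passive_data_verdict(helper_loaded, accepted_states):
    """Verdict for the first packet of the client's passive-mode data connection."""
    endpoint = parse_pasv(PASV_REPLY)
    # Only the helper reads the control channel and records the announced port.
    expected = {endpoint} if helper_loaded and endpoint else set()
    flows = {"ctrl"}  # the port-21 control connection is already tracked
    pkt = {"flow": "data", "dst": endpoint[0], "dport": endpoint[1]}
    return verdict(pkt, accepted_states, flows, expected)

if __name__ == "__main__":
    print(passive_data_verdict(False, {"ESTABLISHED"}))            # first rule set: DROP
    print(passive_data_verdict(True, {"ESTABLISHED", "RELATED"}))  # with helper: ACCEPT
```

The model also shows that both changes are needed together: accepting RELATED without the helper loaded, or loading the helper while accepting only ESTABLISHED, still drops the data connection.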