iptables scenario 2 - ftp passive mode

 
 One configuration method one 

 
 Two configuration methods one setting 

 
Test before configuration
  

 
  [root@localhost ~]# ftp 192.168.0.103
  

 
  Connecting to 192.168.0.108:22...
  

 
  Connection established.
  

 
  To escape to local shell, press 'Ctrl+Alt+]'.
  

 
  Last login: Sat Aug 19 11:46:14 2017 from 192.168.0.107
  

 
  [root@localhost ~]# ftp 192.168.0.103
  

 
  Connected to 192.168.0.103 (192.168.0.103).
  

 
(vsFTPd 3.0.2)
  

 
  Name (192.168.0.103:root): anonymous
  

 
Please specify the password.
  

 
  Password:
  

 
Login successful.
  

 
  Remote system type is UNIX.
  

 
  Using binary mode to transfer files.
  

 
  ftp> ls
  

 
Entering Passive Mode (192,168,0,103,223,71).
  

 
  ftp: connect: Connection refused
  

 
Configure the ftp configuration file
  

 
  [root@localhost Packages]# vim /etc/vsftpd/vsftpd.conf
  

 
pasv_min_port=50000
  

 
pasv_max_port=60000
  

 
  [root@localhost Packages]# systemctl restart vsftpd.service
  

 
Configure iptables rules for ftp
  

 
  [root@localhost Packages]# iptables -I INPUT -p tcp --dport 50000:60000 -j ACCEPT
  

 
  [root@localhost Packages]# iptables -nL
  

 
  Chain INPUT (policy ACCEPT)
  

 
  target prot opt source destination
  

 
  ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:50000:60000
  

 
  ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  

 
  ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
  

 
  ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
  

 
  ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
  

 
  REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
  

 
Test after configuration
  

 
  ftp> ls
  

 
Entering Passive Mode (192,168,0,103,204,179).
  

 
Here comes the directory listing.
  

 
  drwxr-xr-x 2 0 0 6 Nov 05 2016 pub
  

 
Directory send OK.
  

 
 Three configuration method two 

 
 Four configuration methods two settings 

 
  [root@localhost Packages]# iptables -D INPUT -p tcp --dport 50000:60000 -j ACCEPT
  

 
  [root@localhost Packages]# iptables -nL
  

 
  [root@localhost Packages]# iptables -nL
  

 
  Chain INPUT (policy ACCEPT)
  

 
  target prot opt source destination
  

 
  ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  

 
  ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
  

 
  ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
  

 
  ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
  

 
  REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
  

 
  Temporarily effective:
  

 
  [root@localhost Packages]# modprobe nf_conntrack_ftp
  

 
  Permanently effective:
  

 
  [root@localhost Packages]# vi /etc/sysconfig/iptables-config
  

 
  IPTABLES_MODULES="nf_conntrack_ftp"
  