Enabling Passive FTP Connections through IPTABLES

Sometimes when you have an FTP Server running behind IPTABLES, some clients cannot connect to the FTP. This is generally because of the inability of the firewall to track the ftp connections. You can load iptables module IP_CONTRACK_FTP to enable tracking ftp connections.

First of all make sure that you load this module , when firewall starts :

vi /etc/sysconfig/iptables_config

IPTABLES_MODULES="ip_conntrack_ftp"

If the firewall is already running, run the following command to load the module :

modprobe ip_conntrack_ftp

Now apply these two rules in the iptables to allow ftp connections to and from the ftp server :

iptables -A INPUT -p tcp --dport 21 -j ACCEPT 
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT