Linux – Iptables FTP Client rules

Tags: firewall, iptables, linux

I have a Linux server and the default INPUT action is DROP.
OUTPUT and FORWARD are both ACCEPT.

Which rule do I have to add to enable the machine to establish an FTP session as an FTP client?
The server is not an FTP server. Here are my firewall rules.
Why could I not ping any remote machine, or anything about OUTPUT?

# Generated by iptables-save v1.4.12 on Wed Oct 10 15:30:17 2012
*nat
:PREROUTING ACCEPT [379:59440]
:INPUT ACCEPT [162:34762]
:OUTPUT ACCEPT [5008:361967]
:POSTROUTING ACCEPT [5008:361967]
COMMIT
# Completed on Wed Oct 10 15:30:17 2012
# Generated by iptables-save v1.4.12 on Wed Oct 10 15:30:17 2012
*filter
:INPUT DROP [8:528]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [201:14768]
:LOGGING - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

COMMIT

UPDATED:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Best Answer

As a client, to allow FTP in passive mode, it's enough to allow back-half connections:

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

though since rules processing is order-sensitive, it's up to you to put that rule in the right place in your INPUT chain. Near the top is probably a good place.

Edit: OUTPUT traffic is allowed, according to the rules you've posted. If you think it's not, it would be helpful to see the running ruleset, not the startup ruleset; try iptables -L -n -v, and post the output of that.

As for PINGs, you're not allowing the back-halves of those in, either. The rule I gave above should start those working, too.
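The answer leaves the placement of the stateful rule to the reader. The following is an added example, not part of the question or the answer: a POSIX shell/awk transform that takes an iptables-save dump (the constructed SAMPLE_DUMP below is the question's filter table, trimmed) and moves a RELATED,ESTABLISHED accept rule to the top of the INPUT chain in the *filter table, dropping any copy that already sits further down. It only rewrites text, so the result can be reviewed before handing it to iptables-restore; the rule text, function names and sample dump are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): put the stateful accept rule at
# the top of the filter INPUT chain of an iptables-save dump.

# The rule the answer recommends; RELATED is included (as in the poster's
# UPDATED ruleset) so ICMP error replies and helper-tracked connections pass.
STATEFUL_RULE='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample dump: the question's filter table, trimmed, plus an empty
# nat table to show that only the *filter table is touched.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [8:528]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [201:14768]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# insert_stateful_rule: reads a dump on stdin and writes it to stdout with
# STATEFUL_RULE placed before the first "-A INPUT" line of the *filter table.
# Any existing copy of the rule in the filter table is removed first, so the
# function is idempotent and the rule ends up exactly once, at the top.
insert_stateful_rule() {
    awk -v rule="$STATEFUL_RULE" '
        /^\*/ { table = $0 }                                   # remember current table
        table == "*filter" && $0 == rule { next }              # drop a later copy
        table == "*filter" && !done && /^-A INPUT / {          # first INPUT rule seen
            print rule; done = 1
        }
        table == "*filter" && !done && /^COMMIT/ {             # chain had no rules at all
            print rule; done = 1
        }
        { print }
    '
}

# first_input_rule: prints the first INPUT rule of the *filter table, which is
# what ordering-sensitive processing will evaluate first.
first_input_rule() {
    awk '/^\*/ { table = $0 }
         table == "*filter" && /^-A INPUT / { print; exit }'
}

# Demo: show the rewritten dump.
printf '%s\n' "$SAMPLE_DUMP" | insert_stateful_rule
```

Pipe the live ruleset through it (iptables-save | insert_stateful_rule > rules.new) and load rules.new with iptables-restore once it looks right. Note that this stateful rule covers passive-mode FTP and ping replies; active-mode FTP data connections are only tracked as RELATED when the kernel's FTP connection-tracking helper (nf_conntrack_ftp) is loaded.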