Just wanted to reply to a years-old thread at
https://www.linuxquestions.org/quest...ive-ftp-22127/ which is still up to date.
Would be great if a moderator could add the following information to the end of the above thread, because I just saw that it has already been closed:
The true Linux spirit did it and still does it =)
This topic is pretty current, since I also arrived at
http://ubuntuforums.org/showthread.php?t=2116042, which is a thread from early 2013.
Since nowadays ip_conntrack_ftp is already loaded on most machines, the helper module was the hint I needed: I have been doing iptables for a while now, but this is the first time I am hearing about helper modules. Me loves Linux more now
Just to round the thread up, here are the final rules needed for punching a little hole in our ftp-client machine towards a ftp-server:
# ftp control connection on port 21: outbound NEW/ESTABLISHED, inbound ESTABLISHED only
iptables -A OUTPUT -o eth0 -p tcp -s $ownip -d $remoteip --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -d $ownip -s $remoteip -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# ftp data connections for the port-21 session (active or passive): accept only what the
# nf_conntrack_ftp helper has tracked as belonging to that control connection
iptables -A OUTPUT -o eth0 -p tcp -s $ownip -d $remoteip -m helper --helper ftp-21 -j ACCEPT
iptables -A INPUT -i eth0 -d $ownip -s $remoteip -p tcp -m helper --helper ftp-21 -j ACCEPT
Where $ownip is a local IP address of your machine on eth0, and $remoteip is the server's IP address.
I explicitly used ftp-21, because that way you can modify the helper to also use a non-standard FTP port.
Most important reason to leave a thread open: people in 10 years will also just want solutions for the same problems.