Final solution in reference to thread "IPTABLES rules for active FTP"
 

Just wanted to reply on some years old thread on https://www.linuxquestions.org/quest...ive-ftp-22127/ which is still up to date.
Would be great if a moderator could add following information to the end of the above thread, because i just saw that it got already closed:


The true Linux spirit did it and still does it =)
This topic is pretty current, since i also arrived on http://ubuntuforums.org/showthread.php?t=2116042, which is a thread from early 2013.

Since nowadays ip_conntrack_ftp is already loaded on most machines, the helper module was the hint i needed: Doing iptables for a while now, but the first time i am hearing about helper modules. Me loves Linux more now :)

Just to round the thread up, here are the final rules needed for punching a little hole in our ftp-client machine towards a ftp-server:

#ftp on 21:
iptables -A OUTPUT -o eth0 -p tcp -s $ownip -d $remoteip --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -d $ownip -s $remoteip -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#ftp data for 21:
iptables -A OUTPUT -o eth0 -p tcp -s $ownip -d $remoteip -m helper --helper ftp-21 -j ACCEPT
iptables -A INPUT -i eth0 -d $ownip -s $remoteip -p tcp -m helper --helper ftp-21 -j ACCEPT

Whereupon $ownip is a local ipadress at your machine on eth0, and $remoteip is the servers ip address.
I explicitly used ftp-21, because that you can modify the helper to also use non standart ftp port.

Most important reason to let a thread open: People in 10 years also just want solutions for the same problems.