In previous posts we learned how to open ports for SAMBA, NFS and so on, but opening iptables for VSFTPD is not quite the same. The reason is that in active FTP mode it works just like it did for SAMBA and NFS, but in passive mode we also have to add a module called ip_conntrack_ftp. Let's see how to do it.

Adding the ip_conntrack_ftp module.

  • Open /etc/sysconfig/iptables-config
  • Search for ip_conntrack_ftp and uncomment the line; it looks like this:
[root@manny ~]# vi /etc/sysconfig/iptables-config

IPTABLES_MODULES="ip_conntrack_ftp"

If you don't find the above line, just add it. That's it; now open iptables for your FTP server.

[root@manny ~]# iptables -I INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 21 -j ACCEPT

[root@manny ~]# iptables -I OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --dport 20 -j ACCEPT

[root@manny ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@manny ~]# /etc/init.d/iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: mangle nat filte[  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Loading additional modules: ip_conntrack_ftp     [  OK  ]

Notice the new line "Loading additional modules: ip_conntrack_ftp": that module is what lets iptables track the FTP control connection and accept the related data connections instead of blocking clients.
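The steps above as one script, added here as an example and not taken from the original post: it makes the "uncomment the line" edit idempotent (so re-running it never duplicates or clobbers other modules in IPTABLES_MODULES), checks that the helper is actually loaded after the restart, and prints the rule set so it can be reviewed before it is applied. It assumes the RHEL/CentOS layout the post uses (/etc/sysconfig/iptables-config and the iptables init script); the function names are the example's own. The helper module is called ip_conntrack_ftp on older kernels and nf_conntrack_ftp on newer ones, so the check accepts both spellings.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the RHEL/CentOS
# iptables init-script layout: /etc/sysconfig/iptables-config.

HELPER="ip_conntrack_ftp"

# enable_ftp_helper FILE
# Guarantees FILE has an active IPTABLES_MODULES= line that lists $HELPER,
# keeping any modules already listed. Running it twice changes nothing.
enable_ftp_helper() {
    file="$1"
    if grep -q "^IPTABLES_MODULES=\".*$HELPER" "$file"; then
        return 0                                   # already enabled
    fi
    if grep -q '^IPTABLES_MODULES="' "$file"; then
        # an active line exists: append our module to the quoted list
        # (second substitution removes the leading space left by an empty list)
        sed "s/^IPTABLES_MODULES=\"\(.*\)\"\$/IPTABLES_MODULES=\"\1 $HELPER\"/; s/=\" /=\"/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        # no active line (missing, or only a commented-out one): add it
        printf 'IPTABLES_MODULES="%s"\n' "$HELPER" >> "$file"
    fi
}

# helper_loaded [MODULES_FILE]
# True when either spelling of the FTP conntrack helper appears in the
# kernel module list (default /proc/modules); run after the iptables restart.
helper_loaded() {
    grep -qE '^(ip|nf)_conntrack_ftp ' "${1:-/proc/modules}"
}

# ftp_rules
# Prints the rules. Only the control channel (port 21) needs an explicit NEW
# rule. The data connections (passive: client -> server high port; active:
# server port 20 -> client) are marked RELATED by the helper, so generic
# RELATED,ESTABLISHED rules cover both modes without opening port ranges.
ftp_rules() {
    cat <<'EOF'
iptables -I INPUT  -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -I INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Top level: print the rules for review. Only --apply touches the system
# (needs root; follow it with the save and restart shown in the post).
if [ "${1:-}" = "--apply" ]; then
    enable_ftp_helper /etc/sysconfig/iptables-config
    ftp_rules | sh
else
    ftp_rules
fi
```

Run it without arguments to see the rules, then with --apply as root, followed by `/etc/init.d/iptables save` and `/etc/init.d/iptables restart`; `helper_loaded && echo ok` afterwards confirms the module really came up. If you prefer not to rely on the helper's RELATED tracking for the passive side, vsftpd's pasv_min_port and pasv_max_port options let you pin the passive data ports to a small range and allow only that range in INPUT.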

That's it.

further reading: http://www.karlrupp.net/en/computer/nat_tutorial