Fix FTP access from Linux client PC with firewall enabled

Today, I would like to share my personal experience with FTP access in Linux. Thanks to the new operating systems from Microsoft, which I don't find suitable for daily use, I switched to Linux a few years ago. I am running an FTP server in my home network, and I was not able to access it from my client PC running Linux which has firewall rules to block inbound connections, i.e. the INPUT policy is set to REJECT in iptables. Here is how I fixed the issue.

I am assuming that the OUTPUT policy is ACCEPT on both client and server machines.

The FTP server software needs to have ports opened on the client PC to establish a passive connection. In my case, all ports were closed except those explicitly opened for software that needs inbound connections, such as my torrent client or UPnP media server. The problem is that you cannot predict which port will be used to connect to your client machine: it is a different, random port every time you perform the connection. I discovered two solutions.

Solution #1. Use the kernel module nf_conntrack_ftp
The kernel module nf_conntrack_ftp allows you to unblock access to the required port for the FTP server automatically every time you make a connection. The only requirement for this module is the following line in your iptables rules (usually it is /etc/iptables/iptables.rules) on the client PC:

$IPT -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Here eth0 is your network device name, and $IPT stands for the iptables command, as used throughout the rules file.

Next, you need to load the nf_conntrack_ftp module if it is not loaded already. Run the following command as root on the client PC:

# modprobe nf_conntrack_ftp

If your server is using some non-default port (other than port 21), then use the following command:

# modprobe nf_conntrack_ftp ports=your_port

With the module loaded, the connection-tracking helper reads the port negotiated on the FTP control connection and marks the matching data connection as RELATED, so the rule above accepts it without any fixed port being opened. Two caveats: the helper can only read a plain-text control channel, so it does not help with FTPS (TLS-encrypted) sessions, and on kernels from 4.7 onward automatic helper assignment is disabled by default, so loading the module alone is not enough and the helper has to be assigned explicitly with an iptables CT target rule (-j CT --helper ftp in the raw table for the control port). Either way, the modprobe change only lasts until you reboot your PC.

To make this change permanent, you need to create a new text file, /etc/modules-load.d/conntrack_ftp.conf, and add the following line to this file:

nf_conntrack_ftp

If your server uses a non-default port, you also need to create an additional file, /etc/modprobe.d/conntrack_ftp.conf, with the following content:

options nf_conntrack_ftp ports=<your_port>

This should be enough.

Solution #2. Use a fixed passive ports range
If you cannot use the nf_conntrack_ftp module, you can set a fixed passive port range on the FTP server software and open that range on the client PC. For example, here is how it can be done for vsftpd.

  1. In the configuration file of vsftpd, which is usually /etc/vsftpd.conf, add the following lines:
     pasv_min_port=5500
     pasv_max_port=6500

     These settings belong on the server side. Restart vsftpd afterwards so they take effect.

  2. In your iptables rules (usually /etc/iptables/iptables.rules) on the client PC, add the following rule:
     $IPT -A INPUT -p tcp -s <ftp_server_ip_address> --dport 5500:6500 -j ACCEPT

     The -s match is what keeps the opened range reachable only from your FTP server's address rather than from every host on the network, so do not leave it out.

  3. Apply the iptables rules as follows:
     # iptables-restore < /etc/iptables/iptables.rules

That's it.
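As an added check that is not part of the original post, the script below verifies that the passive range set in the server's vsftpd.conf is exactly the TCP range the client's iptables rules accept from the server's address, and that the RELATED,ESTABLISHED rule from Solution #1 is present. The sample config and rules files are constructed inside the script; the real paths (/etc/vsftpd.conf, /etc/iptables/iptables.rules) and the server address 192.168.1.10 are assumptions.

```shell
#!/bin/sh
# Consistency check for Solution #2 (added example, not from the original post).
# Works on rules written either as "$IPT -A INPUT ..." (the script form used in
# the post) or in iptables-save form (what iptables-restore reads). The sample
# files below are constructed; real paths and the server IP are assumptions.

# Print "min:max" from a vsftpd.conf; fail if a bound is missing or inverted.
pasv_range() {
    min=$(sed -n 's/^pasv_min_port=\([0-9]*\).*/\1/p' "$1")
    max=$(sed -n 's/^pasv_max_port=\([0-9]*\).*/\1/p' "$1")
    [ -n "$min" ] && [ -n "$max" ] && [ "$min" -le "$max" ] || return 1
    printf '%s:%s\n' "$min" "$max"
}

# Succeed if INPUT accepts RELATED,ESTABLISHED traffic (needed by Solution #1 too).
has_state_rule() {
    grep -Eq -- '-A INPUT .*--state RELATED,ESTABLISHED .*-j ACCEPT' "$1"
}

# Succeed if INPUT accepts the given TCP port range only from the given source IP.
has_pasv_rule() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # match literal dots in the IP
    grep -Eq -- "-A INPUT .*-p tcp .*-s $ip_re .*--dport $3 .*-j ACCEPT" "$1"
}

# Run all checks: server config, state rule, then the range rule for the server IP.
check_client_rules() {
    range=$(pasv_range "$1") || { echo "pasv_min_port/pasv_max_port not set"; return 1; }
    has_state_rule "$2" || { echo "missing RELATED,ESTABLISHED rule"; return 1; }
    has_pasv_rule "$2" "$3" "$range" || { echo "no INPUT rule for $3 dport $range"; return 1; }
    echo "ok: $range accepted from $3"
}

# Constructed sample files standing in for the server and client configuration.
TMP=$(mktemp -d)
cat > "$TMP/vsftpd.conf" <<'EOF'
pasv_enable=YES
pasv_min_port=5500
pasv_max_port=6500
EOF
cat > "$TMP/iptables.rules" <<'EOF'
*filter
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 192.168.1.10 --dport 5500:6500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
check_client_rules "$TMP/vsftpd.conf" "$TMP/iptables.rules" 192.168.1.10
```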

Author: Sergey Tkachenko