Linux Bash: Setting iptables rules to allow both active and passive FTP
Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you reuse it you must follow the same CC BY-SA licence, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/10400672/
Asked by user573382
I have a PC on which I have an FTP server installed. I want to set the iptables rules to allow both active and passive FTP. I've tried the following code, which people report as working, but it seems to block all traffic for me (pages won't load any more, etc.)
#!/bin/bash
IPT=/sbin/iptables
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
# Setting default filter policy
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
# Allow FTP connections @ port 21
$IPT -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow Active FTP Connections
$IPT -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# Allow Passive FTP Connections
$IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
Accepted answer by hsanders
That code ONLY allows incoming and outgoing FTP connections. It doesn't allow anything else in/out.
$IPT -P INPUT DROP
Drops all incoming traffic. So if you start with that, you'll want to enable traffic into any other services you have running that you'd like to allow in.
$IPT -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
This rule would allow incoming FTP traffic.
What this script does: it deletes all of your existing iptables chains, then adds rules to allow all outgoing traffic and block all incoming traffic except for FTP.
Answered by micah94
The arguments for the INPUT and OUTPUT lines need to be flipped in the '# Allow FTP connections @ port 21' section, otherwise new (active) FTP connections will be blocked.
# Allow FTP connections @ port 21
$IPT -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
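The direction fix above is the whole point: on the server, new control connections arrive TO port 21, so INPUT must match --dport 21, and the data connections in both modes should be admitted as RELATED by the FTP conntrack helper rather than by opening the high-port range as NEW. The POSIX sh script below is an added example, not code from the question or any answer. It emits such a server-side ruleset in iptables-restore format, binds the ftp helper explicitly (kernels since 4.7 no longer assign helpers automatically, so loading the module alone is not enough), and refuses to apply anything unless the helper is actually present. FTP_ADMIN_NET, ftp_server_ruleset, ftp_helper_loaded and apply_ftp_ruleset are this example's own names, and 203.0.113.0/24 is a placeholder network.

```shell
#!/bin/sh
# Added example, not code from the question or any answer. Emits a server-side
# FTP ruleset in iptables-restore format with the directions the answers
# correct (INPUT matches --dport 21), binds the ftp conntrack helper
# explicitly, and refuses to apply anything unless that helper is present,
# so RELATED can never quietly degrade into opening 1024: as NEW.
# FTP_ADMIN_NET, ftp_server_ruleset, ftp_helper_loaded and apply_ftp_ruleset
# are this example's own names; 203.0.113.0/24 is a placeholder network.

FTP_ADMIN_NET="${FTP_ADMIN_NET:-203.0.113.0/24}"   # networks allowed to reach port 21

# Print the ruleset as text. Nothing is applied here.
ftp_server_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Kernels since 4.7 no longer auto-assign helpers: bind the ftp helper to port 21.
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to our own traffic plus the data connections the helper expected
# (active: server:20 -> client port; passive: client -> server high port).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ftp-control: a new connection arrives TO our port 21, so INPUT uses --dport.
-A INPUT -s $FTP_ADMIN_NET -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Succeed if the FTP conntrack helper is loaded, under either module name
# (/proc/modules is the same list lsmod prints).
ftp_helper_loaded() {
    grep -Eq '^(nf|ip)_conntrack_ftp ' /proc/modules 2>/dev/null
}

# Load atomically with iptables-restore, only as root and only with the helper.
apply_ftp_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ftp_ruleset: must run as root" >&2; return 1; }
    ftp_helper_loaded || modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null
    ftp_helper_loaded || { echo "ftp conntrack helper unavailable; not applying" >&2; return 1; }
    ftp_server_ruleset | iptables-restore
}

case "${1:-}" in
    --apply) apply_ftp_ruleset ;;
    *)       ftp_server_ruleset ;;   # default: dry run, just print the ruleset
esac
```

Run it without arguments to review the generated rules; `--apply` loads them in one atomic iptables-restore call. The single ESTABLISHED,RELATED rule replaces the per-port 1024: rules from the question: once the helper has parsed the PORT or PASV exchange, only the negotiated data connection is RELATED, whereas a NEW rule on 1024:65535 would admit a connection to any high port on the host.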
Answered by ab1965
From your question I suppose you have some trivial host with a common set of apps such as a web browser, mail client, maybe telnet and/or an ssh client, maybe an ftp client too, maybe some IM, etc. And with all these apps working, you additionally want to allow an FTP server on this host to work in both active and passive modes for the clients which will connect. Here are 3 blocks of rules applicable in this case. The block of common rules is the minimalistic set of rules applicable to most client hosts. Next is the block of rules for the ftp client, if you have one on your host. The rules for the ftp client are slightly different from the rules for other clients: there are always two connections to enable data transfer: ftp-control (port 21) and ftp-data (port 20 in active mode or a random port in passive mode). You most probably will never need client rules for active mode, because passive mode is the only choice for NATed networks.
The rules for the FTP server are in the last block.
Please check that you have ip_conntrack_ftp (may be named nf_conntrack_ftp) in the kernel:
> lsmod | grep conn
If you do not have this kernel module, the 'RELATED' rules will not work and, most probably, the separate ftp-data connection will not start, while the primary ftp-control connection will hang somewhere after the 'PORT' command. You still can force the ftp-data connection in this case, but at the expense of degrading the security provided by the rules; the tweaks are in the comments preceding the rules.
#!/bin/bash
IPT=/sbin/iptables
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Block of common rules #####################################################
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -p icmp -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
# allow DNS queries and replies
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -p udp --sport 53 -j ACCEPT
# allow all Your possible client applications to work
$IPT -A OUTPUT -p tcp -m multiport --dports ssh,telnet,http,https,xmpp-client,aol,smtp,pop3,imap2,imap3 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m multiport --sports ssh,telnet,http,https,xmpp-client,aol,smtp,pop3,imap2,imap3 -m state --state RELATED,ESTABLISHED -j ACCEPT
# End of block of common rules ##############################################
# If You have ftp-client too, this block of rules
# will allow it to work with external ftp servers in both modes.
#
# First, allow ftp-control at client side:
$IPT -A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#
# Then allow ftp-data Active Mode at client side:
# Client accepts RELATED connection from server port 20
# to client port number negotiated in ftp-control connection.
# nf_conntrack_ftp is REQUIRED at client host
# to pick up this client port number from payload of ftp-control packets,
# otherwise You are forced to use 'NEW' instead of 'RELATED'.
# And in the case of 'NEW' You allow connection to ANY port of Your host!
$IPT -A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#
# Finally, allow ftp-data Passive Mode at client side:
# Client starts RELATED connection from random own high port number
# to server fixed high port number negotiated in ftp-control connection.
# nf_conntrack_ftp is REQUIRED again at client host
# to pick up this client port number from payload of ftp-control packets,
# otherwise You are forced to use 'NEW' instead of 'RELATED' !
$IPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
#######[ Block of rules needed for Local FTP Server ]#######
# This block of rules allows clients to access Your FTP server at this host
# either in Active or Passive mode.
# You may need to enable Passive mode in FTP server config file,
# e.g. with pasv_enable=yes in /etc/vsftpd.conf if vsftpd is Your choice.
#
# Ftp-control at server side:
# (some example rules are given below just to show
# how You can selectively restrict access to Your FTP server):
$IPT -A INPUT -s 1.2.3.0/24 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -s 5.6.7.8/32 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#
# Ftp-data Active Mode at server side:
# Server starts RELATED connection from server port 20
# to client port number negotiated in ftp-control connection.
# nf_conntrack_ftp is REQUIRED to pick up this client port number
# from payload of ftp-control packets,
# otherwise You are forced to use 'NEW' instead of 'RELATED' !
$IPT -A OUTPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#
# Ftp-data Passive Mode at server side:
# Server accepts RELATED client connection from random client high port number
# to own fixed high port number negotiated in ftp-control connection.
# nf_conntrack_ftp is REQUIRED to pick up this own fixed high port number
# from payload of ftp-control packets,
# otherwise You are forced to use 'NEW' instead of 'RELATED'.
# And in the case of 'NEW' You allow connection to ANY high port of Your server!
$IPT -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
######
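The comments in the answer above keep returning to one fact: a RELATED rule can only match the ftp-data connection if the conntrack helper has read the negotiated address and port out of the ftp-control payload. The POSIX sh script below is an added example, not part of ab1965's answer, showing exactly what has to be parsed. Both the PORT command (active mode) and the 227 reply (passive mode) carry the endpoint as six decimal bytes h1,h2,h3,h4,p1,p2 with port = p1*256 + p2; the script turns each line into the data connection the firewall should expect, and rejects a line that announces some third host's address, which is the check a helper must make before creating an expectation. Function names, addresses and sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from ab1965's answer: what the FTP conntrack helper has to
# read out of the ftp-control payload before a RELATED rule can match the data
# connection. PORT (active) and the 227 reply (passive) both carry the endpoint
# as six decimal bytes h1,h2,h3,h4,p1,p2, with port = p1*256 + p2.
# Function names, addresses and the sample lines below are constructed here.

# Print "host port" from a six-byte field; fail on anything malformed.
ftp_hostport() {            # $1 = "h1,h2,h3,h4,p1,p2"
    set -- $(printf '%s' "$1" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    for b in "$@"; do
        case $b in ''|*[!0-9]*) return 1 ;; esac   # digits only
        [ "$b" -le 255 ] || return 1             # one byte each
    done
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Print the data connection the helper will expect for one control line,
# as "mode src -> dst:port". The announced host must be the peer that sent
# it; an address belonging to some third host is rejected (exit status 2).
ftp_expectation() {         # $1 = server IP, $2 = client IP, $3 = control line
    srv=$1; cli=$2; line=$(printf '%s' "$3" | tr -d '\r')
    case $line in
        PORT\ *)            # active: client names its port, server connects from 20
            hp=$(ftp_hostport "${line#PORT }") || return 1
            [ "${hp% *}" = "$cli" ] || return 2
            printf 'active %s:20 -> %s\n' "$srv" "$(printf '%s' "$hp" | tr ' ' ':')" ;;
        227*)               # passive: server names its port, client connects to it
            field=${line#*\(}; field=${field%%\)*}
            hp=$(ftp_hostport "$field") || return 1
            [ "${hp% *}" = "$srv" ] || return 2
            printf 'passive %s:ephemeral -> %s\n' "$cli" "$(printf '%s' "$hp" | tr ' ' ':')" ;;
        *) return 1 ;;      # not a line that opens a data connection
    esac
}

# Constructed control-channel lines between server 10.0.0.5 and client 192.168.1.10.
for l in 'PORT 192,168,1,10,4,1' '227 Entering Passive Mode (10,0,0,5,195,80).' 'PORT 172,16,0,9,4,1'; do
    ftp_expectation 10.0.0.5 192.168.1.10 "$l" || echo "rejected ($?): $l"
done
```

The first sample yields the active-mode expectation server:20 -> 192.168.1.10:1025, the second the passive-mode expectation client -> 10.0.0.5:50000. Without the helper a firewall sees neither number, which is why the answer's fallback has to open the whole 1024:65535 range as NEW; with it, only these two endpoints ever become RELATED.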
Answered by Marcus
I have found a big mistake in the above script!
The rules are mistyped; it should be like this:
$IPT -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
Dport and sport change places! You are going to a destination; if you connect to a server, the source port is dynamic and client-side specific and is not known, nevertheless a connection is established!
Imho the second line is ambiguous at all, because you don't know which ports a server-side client is going to use to establish an ftp connection. Better would be a rule like this, if outbound traffic is blocked by default:
$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
But this is only needed if the rule
$IPT -P OUTPUT DROP
is on top of the rule set.
Greetings
Marcus
Answered by Sathish
Refer to this site for an explanation: http://slacksite.com/other/ftp.html
FTP Client:
lsmod | grep ftp
modprobe nf_conntrack_ftp    # or: modprobe ip_conntrack_ftp
lsmod | grep ftp
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --sport 20 --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
FTP SERVER:
lsmod | grep ftp
modprobe nf_conntrack_ftp    # or: modprobe ip_conntrack_ftp
lsmod | grep ftp
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --dport 20 --sport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --sport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
To toggle between passive and active mode on the client side:
ftp> passive
Passive mode on.
ftp> passive
Passive mode off.