Arch Linux - iptables and passive ftp

I am having a lot of trouble getting passive ftp working nicely with iptables. Before anyone replies, I am not looking for an alternative to ftp. I know of alternatives, but I require ftp.

These are my firewall rules.

iptables -N TCP
iptables -N UDP
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
iptables -A TCP -p tcp --dport 41144 -j ACCEPT
iptables -A TCP -p tcp --dport 443 -j ACCEPT
iptables -A TCP -p tcp --dport 80 -j ACCEPT
iptables -A TCP -p tcp --dport 25 -j ACCEPT
iptables -A TCP -p tcp --dport 22 -j ACCEPT
iptables -A TCP -p tcp --dport 21 -j ACCEPT
iptables -A UDP -p udp --dport 443 -j ACCEPT
iptables -A UDP -p udp --dport 80 -j ACCEPT

I have verified via /proc/config.gz that the modules needed are loaded, such as nf_conntrack_ftp.

With iptables turned off, ftp works without problems. With iptables turned on, ftp passive mode does not work.

I created a conf file in /etc/modprobe.d/ called ip_conntrack_ftp.conf and added the following:

options nf_conntrack_ftp ports=21
options nf_nat_ftp ports=21
options ip_conntrack_ftp ports=21
options ip_nat_ftp ports=21

Nothing seems to get the passive port working. I can see the ftp port connection listening with "netstat -tapn" when my ftp client initiates a PASV connection. But it just hangs.

I would like to get this working without having to open the full range of PASV ports. Any suggestions would be appreciated.

3 Replies

On a RedHat based distro (I don't know Arch Linux, sorry), I would tell you to check your /etc/sysconfig/iptables-config file and make sure you are loading the right ip_conntrack modules:

IPTABLES_MODULES="ip_conntrack ip_conntrack_ftp"

I switched to the default linux kernel in arch linux using pv_grub. I can now see with lsmod that the modules are loaded, but still no go :(


I'm no expert, but I don't see any rules for a range of higher ports required for passive ftp. There are usually defaults set in your ftp server (which you can change), and it is often configurable within your ftp client also.

hope this helps
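The ruleset in the question only ever admits the passive data connection through the RELATED,ESTABLISHED rule, and that state is produced only when the ftp conntrack helper has parsed the PASV reply on the control connection. Since kernel 4.7, helpers are no longer attached automatically, so the helper has to be assigned explicitly with the CT target in the raw table; the script below (an added example, not from the thread) builds such a ruleset in iptables-restore format, keeping the question's TCP/UDP chain layout, and assumes port 21, root for applying, and the conntrack tool for the live check.

```bash
#!/bin/sh
# Added example: explicit ftp helper assignment so passive FTP data
# connections match RELATED without opening the whole PASV port range.
# Assumptions: control port 21, nf_conntrack_ftp loaded (modprobe it first).
set -eu

FTP_PORT=21

# Emit an iptables-restore ruleset. The raw-table CT rule tags each control
# connection with the ftp helper; the filter rules then admit data
# connections only as RELATED, exactly as the question's ruleset intends.
ftp_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport ${FTP_PORT} -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp --dport 22 -j ACCEPT
-A TCP -p tcp --dport ${FTP_PORT} -j ACCEPT
COMMIT
EOF
}

# Number of rules that attach the ftp helper (used as a sanity check).
helper_rule_count() {
    ftp_ruleset | grep -c -- '-j CT --helper ftp'
}

# Live check (root + conntrack tool): tracked control connections must show
# "helper=ftp", otherwise PASV data connections will never become RELATED.
show_tracked_ftp() {
    conntrack -L -p tcp --dport "${FTP_PORT}" 2>/dev/null | grep 'helper=ftp' || true
}

# Apply only on explicit request (needs root): ./ftp_helper.sh apply
if [ "${1:-}" = "apply" ]; then
    ftp_ruleset | iptables-restore
fi
```

On kernels older than 4.7 the same ruleset works, and the helper would also have been attached automatically; on kernels between 4.7 and 6.0 the sysctl net.netfilter.nf_conntrack_helper=1 restores the old automatic behaviour, but the explicit CT rule is the portable fix.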
