[CentOS] Vsftpd vs. iptables firewall script

Wed May 23 15:01:24 UTC 2018
Pete Biggs <pete at biggs.org.uk>

> Doesn't work. I redirected all my errors to /var/log/messages, so here's
> what I get when I try to connect Filezilla to that server.
> May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3
> OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=
> DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP
> SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0

FTP uses two ports - in active mode the server uses 21 for command and
20 for data after the initial connection. In passive mode it uses 21
for command and a high random port number for data. What is happening
is that you are blocking the high port number. (Yes, I know that's a
gross simplification.)

You could use active transfer and open port 20, or you could use
passive, which is more "secure", and allow connections to high port

Search for active vs passive ftp for more info.