#/bin/sh
UP_PORTS="1024:65535"  
IFACE1="eth0"
IFACE2="eth1"
## FTP 
# Allow ftp outbound. 
iptables -A INPUT  -i $IFACE1 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -o $IFACE1 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
iptables -A INPUT  -i $IFACE2 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -o $IFACE2 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
# Now for the connection tracking part of ftp. This is discussed more completely in my section 
# on connection tracking to be found here. 
# 1) Active ftp. 
# This involves a connection INbound from port 20 on the remote machine, to a local port 
# passed over the ftp channel via a PORT command. The ip_conntrack_ftp module recognizes 
# the connection as RELATED to the original outgoing connection to port 21 so we don't 
# need NEW as a state match. 
iptables -A INPUT  -i $IFACE1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT 
iptables -A OUTPUT -o $IFACE1 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT 
iptables -A INPUT  -i $IFACE2 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT 
iptables -A OUTPUT -o $IFACE2 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT 
# 2) Passive ftp. 
# This involves a connection outbound from a port >1023 on the local machine, to a port >1023 
# on the remote machine previously passed over the ftp channel via a PORT command. The 
# ip_conntrack_ftp module recognizes the connection as RELATED to the original outgoing 
# connection to port 21 so we don't need NEW as a state match. 
iptables -A INPUT  -i $IFACE1 -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -o $IFACE1 -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT 
iptables -A INPUT  -i $IFACE2 -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -o $IFACE2 -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT