I have a pretty stock iptables script. One rule allows active FTP from an outside IP address. To troubleshoot it, I opened up FTP to all connections from the outside.
When a user outside our domain connects via FTP, they are denied. If I flush the rules, the FTP takes place successfully. This seems pretty simple, but I don't know what to try next.
Below are the applicable rules.
# flush all rules
/sbin/iptables -F
# perform stateful inspection of packets (bypasses all filter rules)
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP from the outside
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
# Drop all other incoming, allow outgoing, drop forwards
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
# Save iptables, so reboot will activate all rules
/sbin/service iptables save