Debian FTP Server Firewall Configuration Guide

Configuring a firewall for an FTP server on Debian involves allowing the necessary ports for FTP traffic (control and data) while ensuring security—especially for passive mode connections. Below are step-by-step instructions using UFW (Uncomplicated Firewall) and iptables, the two most common firewall tools for Debian.

1. Prerequisites

Before configuring the firewall, ensure:

• The FTP server (e.g., vsftpd) is installed and running.
• Passive mode is enabled in your FTP server configuration (critical for data transfer in modern networks). For vsftpd, edit /etc/vsftpd.conf and set:

  pasv_enable=YES
  pasv_min_port=30000  # Adjust to your desired range
  pasv_max_port=31000  # Adjust to your desired range
  

• Replace 30000-31000 with the port range you configure in the FTP server.

---

2. Using UFW (Recommended for Simplicity)

UFW simplifies firewall management with user-friendly commands. Follow these steps:

Install UFW

sudo apt update
sudo apt install ufw

Enable UFW

sudo ufw enable

Confirm enabling with Y when prompted.

Allow FTP Ports

• Control Port (21/tcp): Required for FTP command connections.

  sudo ufw allow 21/tcp
  

• Data Port (20/tcp): Required for active mode data transfers (less common in modern setups).

  sudo ufw allow 20/tcp
  

• Passive Mode Port Range: Replace 30000:31000 with your FTP server’s configured range.

  sudo ufw allow 30000:31000/tcp
  

Reload UFW

Apply changes without rebooting:

sudo ufw reload

Verify Rules

Check the status to ensure rules are applied:

sudo ufw status verbose

You should see entries for ports 21/tcp, 20/tcp, and your passive mode range.

---

3. Using iptables (Advanced Users)

For users needing more granular control, iptables offers low-level rule management.

Install iptables

sudo apt update
sudo apt install iptables

Configure Rules

Add rules to allow FTP traffic:

• Control Port (21/tcp):

  sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
  

• Data Port (20/tcp):

  sudo iptables -A INPUT -p tcp --dport 20 -j ACCEPT
  

• Passive Mode Port Range (e.g., 30000-31000):

  sudo iptables -A INPUT -p tcp --dport 30000:31000 -j ACCEPT
  

• Allow Established Connections: Ensures responses to outbound connections are allowed.

  sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  

• Reject All Other Input: Blocks unauthorized traffic by default.

  sudo iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
  

Save Rules

Debian does not save iptables rules by default. Use iptables-persistent to retain them across reboots:

sudo apt install iptables-persistent
sudo netfilter-persistent save

Confirm saving with Y.

Set Startup Script (Optional)

For systems without iptables-persistent, create a startup script:

sudo nano /etc/network/if-pre-up.d/iptables

Add the following content:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables/rules.v4

Make the script executable:

sudo chmod +x /etc/network/if-pre-up.d/iptables

Verify Rules

Check applied rules:

sudo iptables -L -n -v

Ensure entries for ports 21, 20, and your passive mode range exist.

---

4. Key Considerations

• Passive Mode Port Range: Always configure a specific range in both the FTP server and firewall. Avoid using the entire 1024-65535 range to minimize exposure.
• Security Enhancements:
  • Use SFTP/FTPS: Replace FTP with SFTP (SSH-based) or FTPS (FTP over SSL/TLS) for encrypted transfers.
  • Restrict IP Access: Limit FTP access to trusted IP addresses (e.g., sudo ufw allow from 192.168.1.0/24 to any port 21/tcp).
• Testing: After applying rules, test FTP connectivity using a client (e.g., FileZilla) to confirm successful transfers in both active and passive modes.

---

By following these steps, you can secure your Debian FTP server while ensuring reliable connectivity for clients. Adjust port ranges and security settings based on your network environment and requirements.