Debian FTP Server Firewall Settings

Author: 小樊
2025-09-22 19:08:05
Category: Cloud Computing

Debian FTP Server Firewall Configuration Guide

Configuring a firewall for an FTP server on Debian means allowing the ports FTP needs (the control connection and the data connections) while keeping everything else closed. Passive mode needs particular care because its data connections arrive on a whole range of ports. Below are step-by-step instructions using UFW (Uncomplicated Firewall) and iptables, the two most common firewall front ends on Debian.

1. Prerequisites

Before configuring the firewall, ensure:

  • The FTP server (e.g., vsftpd) is installed and running.
  • Passive mode is enabled in your FTP server configuration (critical for data transfer in modern networks). For vsftpd, edit /etc/vsftpd.conf and set:
    pasv_enable=YES
    pasv_min_port=30000  # Adjust to your desired range
    pasv_max_port=31000  # Adjust to your desired range
    
  • The firewall rules below must open exactly this range. The examples use 30000-31000 throughout; if you choose different values, substitute them consistently in both the vsftpd configuration and the firewall.

2. Using UFW (Recommended for Simplicity)

UFW simplifies firewall management with user-friendly commands. Follow these steps:

Install UFW

sudo apt update
sudo apt install ufw

Enable UFW

sudo ufw enable

Confirm enabling with Y when prompted. UFW's default policy denies all incoming traffic, so on a host you administer over SSH, allow your SSH port before this step to avoid locking yourself out.

Allow FTP Ports

  • Control Port (21/tcp): Required for FTP command connections.
    sudo ufw allow 21/tcp
    
  • Data Port (20/tcp): Used by active mode data transfers (less common in modern setups). In active mode the server itself opens the data connection from port 20 to the client, so this inbound rule only matters when outbound traffic is also filtered (UFW allows outgoing traffic by default); it is harmless to include for completeness.
    sudo ufw allow 20/tcp
    
  • Passive Mode Port Range: Replace 30000:31000 with your FTP server’s configured range.
    sudo ufw allow 30000:31000/tcp
    

Reload UFW

Rules added with ufw allow take effect immediately; a reload is only needed after editing UFW's own files under /etc/ufw, and never requires a reboot:

sudo ufw reload

Verify Rules

Check the status to ensure rules are applied:

sudo ufw status verbose

You should see entries for ports 21/tcp, 20/tcp, and your passive mode range.


3. Using iptables (Advanced Users)

For users needing more granular control, iptables offers low-level rule management. On current Debian releases the iptables command is a compatibility layer over nftables (iptables-nft); the rules below work unchanged.

Install iptables

sudo apt update
sudo apt install iptables

Configure Rules

Add rules to allow FTP traffic:

  • Control Port (21/tcp):
    sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    
  • Data Port (20/tcp):
    sudo iptables -A INPUT -p tcp --dport 20 -j ACCEPT
    
  • Passive Mode Port Range (e.g., 30000-31000):
    sudo iptables -A INPUT -p tcp --dport 30000:31000 -j ACCEPT
    
  • Allow Established Connections: Lets packets that belong to connections the host has already accepted or initiated pass. Because iptables evaluates rules in order and -A appends, add this rule (together with an ACCEPT for the loopback interface and for your SSH port) before the final REJECT below, or a remote administration session will be cut off.
    sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
  • Reject All Other Input: Blocks anything not matched by an earlier rule; append it last.
    sudo iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
    

Save Rules

Debian does not save iptables rules by default. Use iptables-persistent to retain them across reboots:

sudo apt install iptables-persistent
sudo netfilter-persistent save

Confirm saving with Y.

Set Startup Script (Optional)

For systems without iptables-persistent, create a hook script that restores a rule set you have previously written to /etc/iptables/rules.v4 with iptables-save. Note that scripts in /etc/network/if-pre-up.d run only for interfaces managed by ifupdown (/etc/network/interfaces), not for interfaces brought up by NetworkManager or systemd-networkd:

sudo nano /etc/network/if-pre-up.d/iptables

Add the following content:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables/rules.v4

Make the script executable:

sudo chmod +x /etc/network/if-pre-up.d/iptables

Verify Rules

Check applied rules:

sudo iptables -L -n -v

Ensure entries for ports 21, 20, and your passive mode range exist.
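As an added example that ties the UFW steps (section 2) and the iptables steps (section 3) together, and is not part of the original guide: the script below reads pasv_min_port and pasv_max_port from a vsftpd.conf, checks that the range is usable, and prints the matching UFW and iptables commands as a dry run rather than applying them. A constructed sample configuration is embedded in place of /etc/vsftpd.conf; the function names, the 10000-port width cap and the loopback/SSH-before-REJECT ordering are my own choices, not something the page specifies.

```sh
#!/bin/sh
# Hypothetical helper (not from the guide): validate the vsftpd passive range
# and print the firewall commands that match it. Nothing is applied.

# Constructed sample standing in for /etc/vsftpd.conf.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
listen=YES
anonymous_enable=NO
pasv_enable=YES
pasv_min_port=30000  # Adjust to your desired range
pasv_max_port=31000  # Adjust to your desired range
EOF

# pasv_value <conf> <key>: numeric value of <key>, trailing comments stripped.
pasv_value() {
    sed -n "s/^[[:space:]]*$2=\([0-9]*\).*/\1/p" "$1" | tail -n 1
}

# check_pasv_range <min> <max>: returns 0 if the range is usable, 1 otherwise.
# Rejects privileged or out-of-range ports, reversed ranges and very wide
# ranges (the 1024-65535 style the guide warns against). The 10000-port cap
# is an assumption for this example, not a vsftpd or Debian limit.
check_pasv_range() {
    min="$1"; max="$2"
    [ -n "$min" ] && [ -n "$max" ] || return 1
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] || return 1
    [ "$min" -le "$max" ] || return 1
    [ $((max - min)) -le 10000 ] || return 1
    return 0
}

# ufw_rules <min> <max>: the UFW commands from section 2 (run as root).
ufw_rules() {
    printf 'ufw allow 21/tcp\nufw allow %s:%s/tcp\n' "$1" "$2"
}

# iptables_rules <min> <max>: an ordered INPUT chain. Loopback, established
# traffic and SSH are accepted before the final REJECT so that appending the
# rules on a remote host does not cut off the administrator's session.
iptables_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport $1:$2 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# plan_firewall <conf>: validate the configured range and print both command
# sets. Returns 1 (and prints a message on stderr) if the range is unusable.
plan_firewall() {
    conf="$1"
    min="$(pasv_value "$conf" pasv_min_port)"
    max="$(pasv_value "$conf" pasv_max_port)"
    if ! check_pasv_range "$min" "$max"; then
        echo "unusable passive range: '$min'-'$max'" >&2
        return 1
    fi
    echo "# UFW";      ufw_rules "$min" "$max"
    echo "# iptables"; iptables_rules "$min" "$max"
}

plan_firewall "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Point plan_firewall at the real /etc/vsftpd.conf to compare its output with sudo ufw status verbose or sudo iptables -L -n -v; a mismatch between the configured range and the open range is the usual cause of passive transfers that hang after the PASV reply.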


4. Key Considerations

  • Passive Mode Port Range: Always configure a specific range in both the FTP server and firewall. Avoid using the entire 1024-65535 range to minimize exposure.
  • Security Enhancements:
    • Use SFTP/FTPS: Replace FTP with SFTP (SSH-based, needing only the SSH port) or FTPS (FTP over SSL/TLS) for encrypted transfers. FTPS still uses the passive port range, and because its control channel is encrypted the kernel's FTP connection-tracking helper cannot read the PASV replies, so the range must be opened explicitly as shown above.
    • Restrict IP Access: Limit FTP access to trusted IP addresses (e.g., sudo ufw allow from 192.168.1.0/24 to any port 21/tcp).
  • Testing: After applying rules, test FTP connectivity using a client (e.g., FileZilla) to confirm successful transfers in both active and passive modes.

By following these steps, you can secure your Debian FTP server while ensuring reliable connectivity for clients. Adjust port ranges and security settings based on your network environment and requirements.
