Debian FTP Server Firewall Configuration Guide
Configuring a firewall for an FTP server on Debian involves allowing the necessary ports for FTP traffic (control and data) while ensuring security—especially for passive mode connections. Below are step-by-step instructions using UFW (Uncomplicated Firewall) and iptables, the two most common firewall tools for Debian.
1. Prerequisites
Before configuring the firewall, ensure:
- The FTP server (e.g., vsftpd) is installed and running.
- Passive mode is enabled in your FTP server configuration (critical for data transfer in modern networks). For vsftpd, edit /etc/vsftpd.conf and set:
  pasv_enable=YES
  # Adjust the two ports below to your desired passive range
  pasv_min_port=30000
  pasv_max_port=31000
- Replace 30000-31000 with the port range you configure in the FTP server; the firewall rules below must use exactly the same range.
2. Using UFW (Recommended for Simplicity)
UFW simplifies firewall management with user-friendly commands. Follow these steps:
Install UFW
sudo apt update
sudo apt install ufw
Enable UFW
sudo ufw enable
Confirm enabling with Y when prompted. UFW denies incoming connections by default, so if you administer the server over SSH, allow your SSH port before enabling UFW or the session that runs the command will be cut off.
Allow FTP Ports
- Control Port (21/tcp): Required for FTP command connections.
  sudo ufw allow 21/tcp
- Data Port (20/tcp): Required for active mode data transfers (less common in modern setups).
  sudo ufw allow 20/tcp
- Passive Mode Port Range: Replace 30000:31000 with your FTP server's configured range.
  sudo ufw allow 30000:31000/tcp
Reload UFW
Apply changes without rebooting:
sudo ufw reload
Verify Rules
Check the status to ensure rules are applied:
sudo ufw status verbose
You should see entries for ports 21/tcp, 20/tcp, and your passive mode range.
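The passive range opened in UFW has to match the range vsftpd actually uses, and the guide leaves that check to the reader. The script below is an added example, not part of the original guide: it reads pasv_min_port/pasv_max_port from vsftpd.conf text, prints the matching ufw commands without running them, and checks that `ufw status` output contains an ALLOW rule for 21/tcp and for exactly that range. Function names (vsftpd_pasv_range, ufw_rules_for_range, ufw_status_covers) are hypothetical, and both sample inputs are constructed rather than taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original guide): keep the UFW passive range in
# step with vsftpd.conf and audit `ufw status` output. Helper names are
# hypothetical; the two samples below are constructed.

# Constructed vsftpd.conf excerpt (trailing comments tolerated by the parser).
SAMPLE_VSFTPD_CONF='listen=YES
pasv_enable=YES
pasv_min_port=30000   # Adjust to your desired range
pasv_max_port=31000   # Adjust to your desired range
'

# Constructed `ufw status` output for a host that applied the guide's rules.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
21/tcp                     ALLOW       Anywhere
20/tcp                     ALLOW       Anywhere
30000:31000/tcp            ALLOW       Anywhere
'

# Print "<min> <max>" from vsftpd.conf text on stdin. vsftpd uses the last
# definition of a key, so the last match wins. Fails if passive mode is off
# or the range is missing or inverted.
vsftpd_pasv_range() {
    conf=$(cat)
    enabled=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*pasv_enable[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' | tail -n 1 | tr '[:lower:]' '[:upper:]')
    min=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*pasv_min_port[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' | tail -n 1)
    max=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*pasv_max_port[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' | tail -n 1)
    [ "$enabled" = "YES" ] || { echo "pasv_enable is not YES" >&2; return 1; }
    [ -n "$min" ] && [ -n "$max" ] || { echo "pasv_min_port/pasv_max_port not set" >&2; return 1; }
    [ "$min" -le "$max" ] || { echo "pasv_min_port exceeds pasv_max_port" >&2; return 1; }
    printf '%s %s\n' "$min" "$max"
}

# Print the ufw commands for a passive range, one per line, without running
# them (pipe into sh once you have reviewed them).
ufw_rules_for_range() {
    min=$1; max=$2
    printf 'ufw allow 21/tcp\n'
    printf 'ufw allow 20/tcp\n'
    printf 'ufw allow %s:%s/tcp\n' "$min" "$max"
}

# Return 0 if `ufw status` text on stdin has an ALLOW rule for 21/tcp and for
# exactly min:max/tcp; otherwise report what is missing and return 1.
ufw_status_covers() {
    min=$1; max=$2
    status=$(cat)
    missing=0
    for want in "21/tcp" "$min:$max/tcp"; do
        if ! printf '%s\n' "$status" | grep -Eq "^$want[[:space:]]+ALLOW"; then
            echo "missing ufw rule for $want" >&2
            missing=1
        fi
    done
    return $missing
}

# Stand-alone run on the constructed samples.
range=$(printf '%s' "$SAMPLE_VSFTPD_CONF" | vsftpd_pasv_range)
pasv_min=${range%% *}
pasv_max=${range##* }
ufw_rules_for_range "$pasv_min" "$pasv_max"
if printf '%s' "$SAMPLE_UFW_STATUS" | ufw_status_covers "$pasv_min" "$pasv_max"; then
    echo "ufw rules cover the vsftpd passive range $pasv_min-$pasv_max"
fi
```

On a real host, replace the two samples with `cat /etc/vsftpd.conf` and `sudo ufw status`; a mismatch between the two is the usual cause of directory listings hanging after login, because the control connection succeeds but the passive data connection is dropped.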
3. Using iptables (Advanced Users)
For users needing more granular control, iptables offers low-level rule management.
Install iptables
sudo apt update
sudo apt install iptables
Configure Rules
Add rules to allow FTP traffic:
- Control Port (21/tcp):
  sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
- Data Port (20/tcp):
  sudo iptables -A INPUT -p tcp --dport 20 -j ACCEPT
- Passive Mode Port Range (e.g., 30000-31000):
  sudo iptables -A INPUT -p tcp --dport 30000:31000 -j ACCEPT
- Allow Established Connections: Ensures responses to outbound connections are allowed.
  sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- Reject All Other Input: Blocks unauthorized traffic by default. Rules are evaluated in the order they were appended, so add an ACCEPT for your SSH port (and for the loopback interface) before this rule, or it will also cut off the administrative session that applied it.
  sudo iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
Save Rules
Debian does not save iptables rules by default. Use iptables-persistent to retain them across reboots:
sudo apt install iptables-persistent
sudo netfilter-persistent save
Confirm saving with Y.
Set Startup Script (Optional)
For systems without iptables-persistent, first export the current rules with iptables-save to /etc/iptables/rules.v4 (the same path iptables-persistent uses), then create a startup script that restores them:
sudo nano /etc/network/if-pre-up.d/iptables
Add the following content:
#!/bin/sh
# Restore the saved IPv4 ruleset before the network interface comes up
/sbin/iptables-restore < /etc/iptables/rules.v4
Make the script executable:
sudo chmod +x /etc/network/if-pre-up.d/iptables
Verify Rules
Check applied rules:
sudo iptables -L -n -v
Ensure entries for ports 21, 20, and your passive mode range exist.
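The iptables steps above append rules one at a time and leave the ordering, the save step and the later verification to the reader. The script below is an added example, not part of the original guide: ftp_ruleset writes the same rules in iptables-restore format (the format iptables-save produces and /etc/iptables/rules.v4 expects), with loopback, ESTABLISHED/RELATED and the management port placed before the catch-all REJECT; audit_ftp_rules reads iptables-save output and confirms that the ACCEPT for each FTP port exists and sits before the REJECT, which is the check "Verify Rules" asks for. Function names, the assumption that SSH on port 22 is the management port, and the misordered sample are all mine.

```shell
#!/bin/sh
# Added example (not from the original guide): emit the guide's iptables rules
# in iptables-restore format with a safe ordering, and audit a saved ruleset.
# Helper names are hypothetical; SAMPLE_MISORDERED is constructed.

# Print an iptables-restore ruleset for the INPUT chain. Rules match top to
# bottom, so loopback, ESTABLISHED/RELATED and the management port (assumed
# SSH on 22) come before the FTP ports and the final REJECT.
ftp_ruleset() {
    min=$1; max=$2; mgmt=${3:-22}
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $mgmt -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport $min:$max -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Audit iptables-save text on stdin: tcp/21, tcp/20 and the passive range
# must each have an INPUT ACCEPT rule that appears before the catch-all
# REJECT. Reports every problem on stderr and returns 1 if any was found.
audit_ftp_rules() {
    min=$1; max=$2
    rules=$(cat)
    reject_line=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j REJECT' | head -n 1 | cut -d: -f1)
    [ -n "$reject_line" ] || reject_line=999999   # no catch-all: nothing is shadowed
    bad=0
    for port in 21 20 "$min:$max"; do
        line=$(printf '%s\n' "$rules" | grep -nE -- "^-A INPUT .*--dport $port[[:space:]].*-j ACCEPT" | head -n 1 | cut -d: -f1)
        if [ -z "$line" ]; then
            echo "no ACCEPT rule for tcp/$port" >&2; bad=1
        elif [ "$line" -gt "$reject_line" ]; then
            echo "ACCEPT for tcp/$port comes after the REJECT rule and is never reached" >&2; bad=1
        fi
    done
    return $bad
}

# Constructed ruleset in which the REJECT was appended first, so the FTP
# control port is shadowed and the other ports are missing entirely.
SAMPLE_MISORDERED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
'

# Stand-alone run: the generated ruleset passes, the misordered sample fails.
if ftp_ruleset 30000 31000 | audit_ftp_rules 30000 31000; then
    echo "generated ruleset passes the audit"
fi
if ! printf '%s' "$SAMPLE_MISORDERED" | audit_ftp_rules 30000 31000; then
    echo "misordered sample rejected as expected"
fi
```

To use the generated ruleset, write it to the file the startup script restores (`ftp_ruleset 30000 31000 | sudo tee /etc/iptables/rules.v4`), parse it without applying it with `sudo iptables-restore --test /etc/iptables/rules.v4`, and audit the live rules afterwards with `sudo iptables-save | audit_ftp_rules 30000 31000`.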
4. Key Considerations
- Passive Mode Port Range: Always configure a specific range in both the FTP server and firewall. Avoid using the entire 1024-65535 range to minimize exposure.
- Security Enhancements:
  - Use SFTP/FTPS: Replace FTP with SFTP (SSH-based) or FTPS (FTP over SSL/TLS) for encrypted transfers.
  - Restrict IP Access: Limit FTP access to trusted IP addresses (e.g., sudo ufw allow from 192.168.1.0/24 to any port 21/tcp). Apply the same source restriction to the passive port range; otherwise the data ports stay open to everyone even though the control port is restricted.
- Testing: After applying rules, test FTP connectivity using a client (e.g., FileZilla) to confirm successful transfers in both active and passive modes.
By following these steps, you can secure your Debian FTP server while ensuring reliable connectivity for clients. Adjust port ranges and security settings based on your network environment and requirements.