Isn't IPTables great? You read and you read and you tinker and you work it out, and suddenly everything drops in to place and it seems like the most obvious way for a firewall to work.
And then, because it works, you don't touch it for a year...
So here is how to set up for FTP access, both Active and Passive, in three lines:
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED -j ACCEPT
What's this up to? Allow anything in to the FTP control port if it is part of a NEW or ESTABLISHED connection.
Then allow anything in for anything at all which is RELATED.
But what is RELATED? This is where the nf_conntrack_ftp module comes in. Just by loading this module, IPTables sits there looking at every incoming and outgoing packet and inspecting at a high level for FTP commands and tagging the packets. If a packet comes in for a PORT command which has been agreed as part of the original port 21 FTP Control connection, it is tagged as RELATED and the RELATED match / rule lets it back in. It really is that easy.
While we're here, let's cover setting up a nice, secure FTP server for web / vhost access:
* apt-get install vsftp
* Edit /etc/vsftp.conf: turn off anonymous. Set umask to 022. Allow "normal" user login. Set chroot option.
* Edit /etc/pam.d/vsftp, comment the first "pam_listfile" line and add:
auth required pam_listfile.so item=group sense=allow file=/etc/ftpgroups onerr=succeed
* Create /etc/ftpgroups, add the single line: ftpusers
* Add system group ftpusers: groupadd ftpusers
* Add a user and put them in the group: useradd myftpuser; adduser myftpuser ftpusers;
* Edit /etc/password and set "myftpuser"'s home dir to the appropriate vhost
* Set perms on vhost directory such that it is writable by your user
* Set a password for myftpuser
* Restart vsftp
* Edit /etc/fail2ban/jail.conf: in Ubuntu there is a section for vsftp already, just set "Enabled" to "true. This converts multiple failed attempts to authenticate to firewall blocks, stopping kiddie scripts
* Restart fail2ban
* Test - ftp in both Active and Passive mode and make sure you can GET and PUT files. Check also that no other users can log in.
So now you have vsftp configured such that only members of the ftpusers group can log in, and when they do, they will be stuck in their own home dir - the vhost they can access - and any files they upload will automatically be world readable. Also, fail2ban will stop anyone trying to brute-force your server.