Block FTP access using iptables (default system firewall)
1) If you want to completely disable FTP access on the server, run the command:
Quote:
root@server[#] iptables -A INPUT -p tcp --dport 21 -j DROP
2) If you want to block FTP access for a specific IP, run the command below:
Quote:
root@server[#] iptables -A INPUT -p tcp -s 127.0.0.1 --dport 21 -j DROP
3) If you want to disable FTP access for a specific subnet, run the command below:
Quote:
root@server[#] iptables -I INPUT -p tcp -s 127.0.0.1/24 --dport 21 -j DROP
After adding the rules, save them by running the command:
Quote:
root@server[#] /etc/init.d/iptables save
Then, to apply the saved rules, restart iptables by running the command:
Quote:
root@server[#] /etc/init.d/iptables restart
Block FTP access using the CSF firewall
1) If you want to completely disable FTP access on the server, follow these steps:
Quote:
root@server[#] vi /etc/csf/csf.conf
Search for the lines:
# Allow incoming TCP ports
TCP_IN =
and remove port 21 from the list.
Save and quit.
2) If you want to block FTP access for a specific IP, follow the steps below:
Quote:
root@server[#] vi /etc/csf/csf.deny
and add the line:
tcp:in:d=21:s=127.0.0.1
Save and quit.
3) If you want to allow FTP access for only one IP on the server and deny it for all other IPs, follow these steps:
Quote:
root@server[#] vi /etc/csf/csf.conf
Then search for the line:
# Allow incoming TCP ports
and remove the ports: 21 and 22
and also search for the line:
# Allow outgoing TCP ports
and remove the ports: 21 and 22
Save and quit.
Then open the csf.allow file:
Quote:
root@server[#] vi /etc/csf/csf.allow
and add the entry:
tcp:in:d=21:s=127.0.0.1
Save and quit.
And then restart the CSF service.
That's all, you are done.