There are two schools of thought around writing rules...
1. Block everything, make rules for every instance that is allowed, "DENY POLICY"
2. Block unwanted traffic, "ALLOW POLICY"
And of course you must do both...
If all you have open on your box is ssh & ftp, you have a couple of choices.
This tutorial needs to be read, then make some rules...
1. A public FTP server is a security and management risk. If you already know the people, use the SFTP server in the OpenSSH server and close down their user privileges...
2. There are a lot of protection rules to go in first.
3. OUTPUT chain. If you can't trust what the box itself is transmitting, get it off the Internet. You can add OUTPUT rules if you cannot control the servers on the box.
4. INPUT/OUTPUT chains are for packets to/from the box's servers, FORWARD for the LAN behind the box, so the "-d $EXTERNAL" won't work in the INPUT chain, likewise the "-i" won't work in the OUTPUT chain.
5. Passive FTP uses only port 21
6. ip_conntrack_ftp does the state matching for Active FTP ports 21 & 20
There are a lot of good scripts in the tutorial.
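
As an added example (not from the post or the tutorial it refers to), here is a minimal "DENY POLICY" ruleset for the ssh-and-ftp box described above, written as an iptables-restore file, together with a small check for the chain/interface mismatch mentioned in item 4. The interface name `eth0`, the function names `gen_rules` and `lint_rules`, and the explicit `CT --helper ftp` rule (needed on newer kernels, where the FTP helper module is called nf_conntrack_ftp and is not attached automatically) are assumptions of this example.

```shell
#!/bin/sh
# Added example: default-deny ruleset in iptables-restore format for a box
# that serves only ssh (22) and ftp (21). EXT_IF is an assumed interface name.
EXT_IF="${EXT_IF:-eth0}"

gen_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Bind the FTP helper to the control port so data connections become RELATED
-A PREROUTING -i $EXT_IF -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $EXT_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $EXT_IF -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Read rules on stdin and print any that match on an interface the chain can
# never see (-i in OUTPUT, -o in INPUT). Exit status is 1 if any were found.
lint_rules() {
    awk '
        $1 == "-A" && $2 == "OUTPUT" {
            for (i = 3; i <= NF; i++)
                if ($i == "-i" || $i == "--in-interface") { print "bad: " $0; bad = 1 }
        }
        $1 == "-A" && $2 == "INPUT" {
            for (i = 3; i <= NF; i++)
                if ($i == "-o" || $i == "--out-interface") { print "bad: " $0; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}
```

To check the generated file without loading it, run `gen_rules | iptables-restore --test` as root.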