iptables FTP connection tracking not working

iptables ftp conntrack proftpd nf-conntrack

Solution 1:

proftpd (with tls support)

That TLS support is probably the culprit.

Normally in an intelligent firewall when you allow FTP you need to open the port for the control connection, TCP 21 and then, in the clear text FTP protocol, the conntrack modules can scan for and detect the PORT response. An FTP conntrack helper module will then automatically open up the port number that gets assigned by the FTP server to that specific client, as related, allowing for quit granular access control.

When the connection is encrypted with TLS the firewall can't detect the PORT response anymore and therefor not automatically open the assigned port. The solution for that is to :

  • fix the range of ports the FTP server will use for passive connections to a small range
    PassivePorts min-pasv-port max-pasv-port

  • in your firewall open both port 21 and that fixed range of ports for data connections

Related

How to correctly route a Gitlab installation in a subdirectory through an SSL reverse proxy?
Nginx multiple IPs to origin
Own puppet function
Cannot get latest-version package from multiple yum repos
Why doesn't nginx like my $args?
how do I convert a live root ext3 filesystem to ext4?
What can prevent a Server 2008 machine accessing its OWN UNC shares?
How to reset service permissions after messing up with `sc sdset`?
Can I have a class A and class B on same switch?
Server is listening in Port 110 and I can't find any way to disable or block it
CentOS PCI Compliance assessment
Free or very Cheap VPN server software with high concurrent users count [closed]