iptables FTP connection tracking not working
Solution 1:
proftpd (with tls support)
That TLS support is probably the culprit.
Normally in an intelligent firewall when you allow FTP you need to open the port for the control connection, TCP 21 and then, in the clear text FTP protocol, the conntrack modules can scan for and detect the PORT
response. An FTP conntrack helper module will then automatically open up the port number that gets assigned by the FTP server to that specific client, as related, allowing for quit granular access control.
When the connection is encrypted with TLS the firewall can't detect the PORT response anymore and therefor not automatically open the assigned port. The solution for that is to :
-
fix the range of ports the FTP server will use for passive connections to a small range
PassivePorts min-pasv-port max-pasv-port
-
in your firewall open both port 21 and that fixed range of ports for data connections