Hello,

I have got a major issue when I use FTP service on a non-standard port.

My FTP service is a proprietary solution but it doesn't matter. I just run it with a non-root user and make it listen on port higher than 1024.

To accomplish this, I run iptables rules locally on my server to forward traffic
to TCP 21 to 2121 for instance
from TCP 2020 (active port set on my FTP server) to TCP 20

This is a sample of iptables rules

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.5 -m tcp --dport 21 -j DNAT --to 192.168.0.5:2121
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.5 -m tcp --sport 2020 -j SNAT --to 192.168.0.5:20

The problem is when I use these rules, for an unknown reason, iptable randomly drops client's FTP passive connection (get disconnected from Filezila FTP client) while connection is still maintained on server side

This cause troubles because when Filezila try to resume the connection, errors are experienced on server side which has ever a related connection in use.

Once I disable these NAT rules and configure my FTP server to listen on TCP 21 port and use TCP 20 source port (require root permission), this issue disapears.

More, regardless of iptable activation, FTPS transfers always works fine as if iptable was not able to inspect encrypted traffic.

Have you ever came across this issue? Or has someone an idea about what's wrong?

Thank you very much for your support