IPtable randomly drops FTP connection on non-standard port


I have got a major issue with NAT IPtables and FTP service on non-standard port.

Typically I am using a proprietary FTP server software that listen on TCP 2121 port (I don’t want to run this FTP service with root right so I use port greater than 1024).

To provide a smoothly integration with FTP user getting used to TCP 21 port, I applied local IPTables rules to NAT
TCP 21 DEST to TCP 2121
TCP 2020 SOURCE (port set on the server preferences for active FTP) to TCP 20 SOURCE

This is a sample of my IPtables rules :

iptables -t nat -A PREROUTING -p tcp -d -m tcp --dport 21 -j DNAT --to
iptables -t nat -A POSTROUTING -p tcp -s -m tcp --sport 2020 -j SNAT --to

(I do the same thing to NAT TCP 990 DEST to TCP 9990 for FTPS connection)

The problem is when I use these rules, FTP clients ramdomly get disconnected by iptables during passive transfer (disconnect log in Filezila FTP client and TCP RST received from the server) while on FTP server software, the connection seems to be maintained (no log displaying a client disconnect or similar thing)

That means when FTP client tries to resume the transfer due to the disconnect it failed because on FTP server side a connection with the FTP user was still in use.

Once I disable these iptables rules and run the FTP server as a root to allow listening on TCP 20/21 port, this issue disapears.
More, even though iptables rules are enable, I don’t experience troubles with FTPS transfer as if iptable was not able to inspect encrypted trafic.

Has someone an idea about what’s wrong?

For information, I am using 3.12.28-4-default kernel and Suse Enterprise Server 12

Thank you very much for your support

These forums are for openSUSE, not SLES.

If you’re using a web browser to access these forums, see the Forum listed at the bottom, it will link you to the SUSE forums.

To answer your question which is not OS-specific,
You’appear to be configuring Active FTP ports (A single port for your data).
PASV FTP uses the same control port as Active FTP (port 21) but then uses a range of high ports for the data transfer, ie instead of sharing the same data port, each FTP client is assigned a different data port. To implement this, you need to first configure your FTP app accordingly to use a specified range, and then you need to open up that same range in your iptables (or use SUSEFW). I don’t know that although Ipv2 is now implemented and is supposed to support stateful packet inspection that it knows how to open only the port in the specified range instead of opening the entire range always.



Thank you for your support,

FTP passive port are correctly configured since in some condition or from some nodes, I can initiate FTP passive connection without experiencing any issue.

When I run a tcpdump on the server, I can see TCP RST sent only after the server issues a TCP Retransmission and then receive an out-of-order TCP segment from the FTP client.

Have you an idea about this?

You haven’t posted near enough of your iptables configuration to determine whether what you configured was done correctly. Also, you should post a link to any guide or reference you may be using.

IMO the following is a configuration which should work for you, you can modify the control port (port 21) if you wish.

Note also…

  1. You need to configure your FTP app properly, specifying your PASV data port range. How you do this depends on which FTP app you’re using and possibly using the YAST FTP tool (recommended if the app you’re using supports).

  2. As described towards the end of the link I provided, you need to verify the ip_conntrack_ftp module is enabled. And, the ip_nat_ftp module enabled.