Active and Passive mode communicate differently.
In Passive mode, your computer connects to port 21, then makes a second outbound connection to the server to transfer data.
In Active Mode your computer connects to port 21 on the server, and the server then communicates back from port 20 to your computer.
This all means that passive mode is easier to program, because simple firewalls and NAT gateways tend to allow anything to leave the network, but only related connections to return. In the case of an active mode connection, the router needs to do connection tracking to associate the 2 connections, and this is failing. You are almost certainly running into this problem.
In addition to port forwarding you will need to load connection tracking (and probably FTP connection tracking) modules. This will vary depending on your host OS, but could be nf_conntrack_ftp or nf_nat_ftp under Linux.
First note that the two final commands, PORT and PASV, have nothing to do with each other. They're two independent connection attempts (one for active FTP, one for passive FTP).
So, your PORT failure is expected.
The way PORT works (the "active FTP" mode) is by having the client send its own address to the server; the server connects back to you for data transfer.
According to the logs, your client computer is behind a NAT and has a "private" IP address. That's the only address it knows, so that's what it sends with the PORT command.
Usually, your router would recognize an FTP connection and sneakily edit the PORT command, replacing your private address with the router's own public one. (Or, if you're unlucky, it would replace it with garbage.)
However, since your control connection is now encrypted using TLS, the router cannot perform this fixup (all it sees is encrypted data), and the server receives exactly what your client sends: your private address.
Since the server is on another network, it cannot possibly reach a private address (that's the whole point of NAT). Although it doesn't even bother trying: for security reasons, most servers just immediately refuse any address that doesn't exactly match where the control connection came from.
tl;dr Switch your FTP client to passive mode. Yes, your logs show passive mode (PASV) being broken as well. But at least it's somewhat fixable if your server has a dedicated public IP address, whereas active mode is not.
What about PASV? Well, the problem is similar.
Usually, your server's firewall would snoop on the FTP control connection, extract the temporary port from the "Entering passive mode (x,y,z…)" reply, and mark it as belonging to a "RELATED" connection. Then your rule #004 would allow it.
However, again, iptables cannot see through TLS (all it sees is encrypted data) and can no longer recognize your FTP data connections as related. So your connection just hits rule #999 and is dropped.
To make PASV work, you will need to configure ProFTPd to use a specific range of passive ports (doesn't matter what range exactly), and tell iptables to allow connections to those ports.
Best Answer
FTP uses two connections, one for data and one for commands. The PassivePorts configuration is the range of ports to be used for passive FTP data transfers. The Virtualbox network configuration allows you to enter single ports to forward, but not ranges. So, in order for passive-mode FTP to work, the passive ports must be forwarded individually.
If you don't expect more than 5 simultaneous data transfers (and clients like Filezilla will open 1 data connection per file and per directory listing) then change the server configuration to use a range of 5 ports (e.g. 1025-1030) and forward those five ports in the Virtualbox configuration. For 10 connections use a 10 port range, etc.
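As an added example (not code from either answer), a POSIX shell helper that turns a fixed passive-port range into the three pieces the answers describe: the ProFTPD PassivePorts directive, the iptables rules that open the range explicitly (needed because conntrack cannot read the PASV reply through TLS), and one VBoxManage NAT forward per port, since VirtualBox forwards single ports only. The VM name is an assumed placeholder; the range 1025-1030 is the one used in the best answer.

```shell
#!/bin/sh
# Added example, not part of the original answers. Emits the config/commands
# for a fixed FTP passive-port range; review the output before applying it.
# Usage: ftps_passive_setup 1025 1030 "MyFtpVM" > apply.sh

# ProFTPD directive for proftpd.conf: the only ports PASV replies will announce.
proftpd_passive_directive() {
    printf 'PassivePorts %d %d\n' "$1" "$2"
}

# iptables rules for the control port and the whole passive range.
# With FTPS the control channel is encrypted, so nf_conntrack_ftp can no
# longer mark data connections RELATED; the range must be opened explicitly.
iptables_rules() {
    printf 'iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport %d:%d -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2"
}

# One VBoxManage NAT forward per port (VirtualBox cannot forward a range).
# Rule name format "ftpdata<port>" is an assumed convention.
vbox_forward_rules() {
    vb_first=$1; vb_last=$2; vb_vm=$3
    p=$vb_first
    while [ "$p" -le "$vb_last" ]; do
        printf 'VBoxManage modifyvm "%s" --natpf1 "ftpdata%d,tcp,,%d,,%d"\n' "$vb_vm" "$p" "$p" "$p"
        p=$((p + 1))
    done
}

# Size of the range: roughly the number of simultaneous data transfers it supports.
range_size() {
    echo $(( $2 - $1 + 1 ))
}

# Validate the range and print everything in the order it should be applied.
ftps_passive_setup() {
    s_first=$1; s_last=$2; s_vm=$3
    [ "$s_first" -le "$s_last" ] || { echo "bad range: $s_first-$s_last" >&2; return 1; }
    proftpd_passive_directive "$s_first" "$s_last"
    iptables_rules "$s_first" "$s_last"
    vbox_forward_rules "$s_first" "$s_last" "$s_vm"
}
```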