On Wed, Aug 15, 2018 at 08:16:29AM +0000, Vink, Ronald wrote:
> I did not change any proftpd settings, they are the default installation. I have to use active connection
> The suggested line "iptables -t nat -A PREROUTING -p tcp --dport 20:21 -j DNAT --to-destination 10.10.203.10" made no difference.
> I started the proftpd in the foreground with debug output, but there is no output when I try to connect via 4.9.59 system, the client just times-out.
> With the 3.5.4 system I can see the connection coming in and responses to "ls" command in my ftp client.
>
> Does it have something to do with conntrack?

Did you add the rule to enable the FTP conntrack helper?

https://home.regit.org/netfilter-en/secure-use-of-helpers/

Otherwise, there's a fallback to reenable the unsecure behaviour:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

but that may go away at some point.
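
An added example, not part of the original message: a read-only check that reports whether the FTP conntrack helper is attached by an explicit `CT --helper ftp` rule in the raw table, only by the automatic-assignment sysctl mentioned above, or not at all. The function names and the sample ruleset are constructed for illustration; the function reads `iptables-save` output on stdin and changes nothing.

```shell
#!/bin/sh
# Added example: classify how the FTP conntrack helper gets attached.
# Usage on a live host: iptables-save | ftp_helper_status
# Optional argument: path to the sysctl file (overridable for testing).

ftp_helper_status() {
    sysctl_file=${1:-/proc/sys/net/netfilter/nf_conntrack_helper}
    rules=$(cat)    # iptables-save output from stdin

    # Explicit assignment: a CT target with "--helper ftp" in the raw table.
    if printf '%s\n' "$rules" | awk '
        /^\*/ { table = $1 }                      # "*raw", "*nat", ...
        table == "*raw" && /-j CT/ && /--helper ftp/ { found = 1 }
        END { exit !found }'; then
        echo explicit
        return 0
    fi

    # Fallback: automatic helper assignment enabled via the sysctl.
    if [ -r "$sysctl_file" ] && [ "$(cat "$sysctl_file")" = "1" ]; then
        echo automatic
        return 0
    fi

    # Neither: active-mode FTP data connections are not tracked as RELATED.
    echo none
}

# Constructed sample: the DNAT rule from the thread plus an explicit
# helper rule limited to the FTP control port of the same server.
sample_ruleset() {
    cat <<'EOF'
*raw
-A PREROUTING -d 10.10.203.10/32 -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*nat
-A PREROUTING -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 10.10.203.10
COMMIT
EOF
}
```

A result of `automatic` means the host relies on the fallback sysctl rather than a rule scoped to the FTP server, and `none` matches the symptom in the thread where the DNAT rule alone made no difference.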