Score:0

iptables FTP connection tracking not working


I am hoping someone can point me in the right direction here please.

Running proftpd (with tls support) on a public IP.

FTP client connects, but can't do a directory listing. When I change the "INPUT" policy on iptables to ACCEPT, it does work.

The following is my relevant iptables rules:

$IPTABLES -A INPUT -i eno1 -s 0/0 -d x.x.x.x -p tcp --sport 1024:65535 -m multiport --dports 20,21,989,990 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d x.x.x.x --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

I have the connection_tracking modules enabled.

server ~ # lsmod | grep nf_conntra
nf_conntrack_ftp       24576  3
nf_conntrack          176128  8 xt_conntrack,nf_nat,xt_state,xt_nat,xt_helper,nf_conntrack_ftp,xt_CT,xt_MASQUERADE
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  2 nf_conntrack,nf_nat

I also have nf_conntrack_helper enabled in /proc

server ~ # cat /proc/sys/net/netfilter/nf_conntrack_helper
1
Alex: Is it working in passive mode? Note that in active mode connections are initiated not on the same socket, but on a different port... See https://superuser.com/questions/729876/connection-to-filezilla-ftp-server-works-but-directory-listing-fails and https://www.moreofless.co.uk/ftp-connects-no-directory-listing-command-passive/#:~:text=If%20you%20are%20able%20to,ftp%3E%20passive%20Passive%20mode%20on.
Robert Schmitt: It does not work in active or passive mode with TLS, however it does work if I disable encryption.
Score:1

proftpd (with tls support)

That TLS support is probably the culprit.

Normally in an intelligent firewall when you allow FTP you need to open the port for the control connection, TCP 21, and then, in the clear-text FTP protocol, the conntrack modules can scan for and detect the PORT response. An FTP conntrack helper module will then automatically open up the port number that gets assigned by the FTP server to that specific client, as related, allowing for quite granular access control.

When the connection is encrypted with TLS the firewall can't detect the PORT response anymore and therefore cannot automatically open the assigned port. The solution for that is to:

  • fix the range of ports the FTP server will use for passive connections to a small range
    PassivePorts min-pasv-port max-pasv-port

  • in your firewall open both port 21 and that fixed range of ports for data connections
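The fix described in this answer, as an added example that is not part of the original answer or of proftpd: a small POSIX sh script that checks a passive range is sane, prints the matching PassivePorts directive, and prints the iptables rules that open port 21 plus that range without relying on the FTP helper. IPTABLES, the interface name and the server address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. IPTABLES, IFACE and the
# server IP are placeholders that the administrator sets.
IPTABLES=${IPTABLES:-/sbin/iptables}

# Return 0 if min/max form a usable passive range: numeric, unprivileged,
# ordered, and narrow enough that the firewall hole stays small.
validate_pasv_range() {
    min=$1; max=$2
    case "$min" in ''|*[!0-9]*) return 1;; esac
    case "$max" in ''|*[!0-9]*) return 1;; esac
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -lt "$max" ] || return 1
    # More than 1000 ports usually means the range was never really pinned.
    [ $((max - min + 1)) -le 1000 ] || return 1
    return 0
}

# The proftpd directive that pins the data ports to the validated range.
pasv_directive() {
    printf 'PassivePorts %s %s\n' "$1" "$2"
}

# Print the rules: control port 21 and the pinned data range as NEW, plus
# return traffic as ESTABLISHED,RELATED. No RELATED entry from the FTP
# helper is expected, because PORT/PASV is hidden inside TLS.
ftps_rules() {
    iface=$1; ip=$2; min=$3; max=$4
    validate_pasv_range "$min" "$max" || { echo "bad passive range $min-$max" >&2; return 1; }
    printf '%s -A INPUT -i %s -d %s -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$IPTABLES" "$iface" "$ip"
    printf '%s -A INPUT -i %s -d %s -p tcp --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$IPTABLES" "$iface" "$ip" "$min" "$max"
    printf '%s -A INPUT -i %s -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$IPTABLES" "$iface" "$ip"
}
```

Run `ftps_rules eno1 x.x.x.x 60000 60100 | sh` to apply the rules, and put the output of `pasv_directive 60000 60100` in proftpd.conf so both sides agree on the same range.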

Robert Schmitt: Thank you, that makes sense. At least I understand what is happening!