Tuesday 12 July 2011

Setting up FTP-SSL with proftpd

The first challenge is the NAT firewall.

FTP uses two TCP connections: one for control and one for data transfer. You connect on the initial control port, and once you're authenticated the data channel is opened for your transfers and directory listings. This doesn't work through a NAT firewall directly, and with FTP over TLS the firewall's FTP helper can't fix it up for you either, since the control channel carrying the PASV reply is encrypted.
To resolve this, you put everything in passive mode (server and client). You tell the server it's behind a NAT firewall, so it hands the client the external IP and port range rather than the internal ones, and you tell the client to connect via passive connections.

firewall config first!

# for ftp-ssl (nat table; xxxx = control port, yyyyy:zzzzz = passive data port range)
-A PREROUTING -i eth2 -p tcp --dport xxxx -j DNAT --to-destination local-server-ip
-A PREROUTING -i eth2 -p tcp --dport yyyyy:zzzzz -j DNAT --to-destination local-server-ip



The important bits from proftpd.conf:

RequireValidShell               off
MasqueradeAddress               ftp.server.com
<IfModule mod_dynmasq.c>
  DynMasqRefresh 14400
</IfModule>
# check that this matches the port range you allocated in the firewall!
PassivePorts                    yyyyy zzzzz
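The whole point of the NAT discussion and the firewall/proftpd settings above is that a client outside the firewall must be handed the external address and a port the DNAT rule actually forwards. The script below is an added example (not the blog's own code) that parses proftpd's 227 PASV reply and checks it against the masquerade address and passive range; the external IP and port range in it are constructed assumptions standing in for the post's ftp.server.com and yyyyy zzzzz placeholders, and probe_server is a hypothetical helper for running the same check against a live server over explicit FTPS.

```python
"""Sanity-check proftpd's passive-mode behaviour behind a NAT.

Added example for this post, not the blog's own code. It assumes the
constructed external address and passive range below, which stand in for
the post's ftp.server.com and yyyyy zzzzz placeholders.
"""
import re
import ipaddress

# Constructed sample values (the post uses placeholders here): the NAT's
# external IP, i.e. what the MasqueradeAddress name should resolve to, and
# the PassivePorts range, which must equal the firewall's DNAT port range.
EXTERNAL_IP = "198.51.100.7"          # assumption
PASSIVE_PORT_RANGE = (60000, 60100)   # assumption: yyyyy zzzzz

# Addresses that should never show up in a PASV reply seen from outside.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."  (RFC 959 format)
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a raw 227 reply; ValueError if malformed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, external_ip=EXTERNAL_IP, port_range=PASSIVE_PORT_RANGE):
    """List what is wrong with a PASV reply as seen by a client outside the
    NAT. An empty list means the advertised endpoint is reachable: the
    masqueraded address is the external one and the port lies inside the
    range the firewall forwards."""
    ip, port = parse_pasv(reply)
    problems = []
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        problems.append("advertised private address %s (MasqueradeAddress "
                        "missing or not applied)" % ip)
    elif ip != external_ip:
        problems.append("advertised %s, expected external address %s"
                        % (ip, external_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("advertised port %d outside PassivePorts/DNAT range "
                        "%d-%d" % (port, lo, hi))
    return problems


def probe_server(host, user, password, control_port=21, **kw):
    """Hypothetical helper: connect over explicit FTPS from *outside* the
    NAT, ask for PASV and check the reply. PROT P is requested so the data
    channel is encrypted as well, not just the login. Needs network access,
    so it is not exercised by the demo below."""
    from ftplib import FTP_TLS
    ftp = FTP_TLS()
    ftp.connect(host, control_port)
    ftp.login(user, password)      # ftplib issues AUTH TLS before USER/PASS
    ftp.prot_p()
    ftp.set_pasv(True)
    reply = ftp.sendcmd("PASV")
    ftp.quit()
    return check_pasv(reply, **kw)


if __name__ == "__main__":
    # Constructed replies: one correct, one leaking the internal address,
    # one using a port the firewall does not forward.
    for sample in ("227 Entering Passive Mode (198,51,100,7,234,96).",
                   "227 Entering Passive Mode (192,168,1,20,234,96).",
                   "227 Entering Passive Mode (198,51,100,7,235,0)."):
        print(sample, "->", check_pasv(sample) or "OK")
```

Run it as-is to see the three constructed cases; to test a real deployment, call probe_server from a machine outside the NAT, since from the inside the internal address may well be reachable and the check would tell you nothing.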


TLS.conf
How to set up SSL/TLS on proftpd


There are many articles on the net about creating a cert... here's one of them:
http://www.howtoforge.com/proftpd-tls-debian-etch