I know the problem is because of a nonexistent iptables rule; I'm just at a loss as to what the missing rules should look like. The only thing that is different in this case is that I need to use port 221 for FTP instead of 21, and I don't see why this should require special routing. ftp_conntrack modules are loaded. This is the relevant part of my current firewall script.
Since you are using a non-standard port, you need to tell the connection tracking and NAT modules which ports they need to watch (by default, they watch only port 21):
# modprobe ip_conntrack_ftp ports=21,221
Depending on your network configuration, you may or may not need additional ports for ip_nat_ftp. If you are running the ftp server on your NAT-ing firewall (as appears to be the case), you don't need it, since no NAT-ing is occurring for incoming traffic. If your FTP server is behind the firewall (DNAT), then you would need to instruct ip_nat_ftp about the changed port too.
In case you need it, here's the line:
# modprobe ip_nat_ftp ports=21,221
Make sure you load ip_conntrack_ftp first (since ip_nat_ftp would cause ip_conntrack_ftp to be autoloaded, probably with the default port number).
Note that you'll need to unload those two modules prior to doing modprobe (if they were already loaded).
-- 
Aleksandar Milivojevic <amilivojevic@xxxxxx>
Systems Administrator, Pollard Banknote Limited
1499 Buffalo Place, Winnipeg, MB R3T 1L7
Tel: (204) 474-2323 ext 276
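The reload procedure from the reply above, as an added example script (not code from the thread or from either poster): it checks whether the conntrack helper already watches port 221, unloads the NAT helper and then the conntrack helper if they are loaded, and reloads them with ports=21,221 in the right order. It assumes root on Linux, the old module names ip_conntrack_ftp and ip_nat_ftp (NF_* names on newer kernels), and the NEED_NAT / NEW_PORT variables, which are my own.

```shell
#!/bin/sh
# Added example: reload the FTP conntrack helper so it tracks port 21 and the
# non-standard port 221, honouring both caveats from the reply: an already
# loaded helper must be unloaded first (a plain modprobe keeps the default
# port), and the conntrack helper must be loaded before the NAT helper.
# Assumptions: run as root; module names ip_conntrack_ftp / ip_nat_ftp
# (newer kernels call them nf_conntrack_ftp / nf_nat_ftp).
CT_MOD=${CT_MOD:-ip_conntrack_ftp}
NAT_MOD=${NAT_MOD:-ip_nat_ftp}
NEW_PORT=${NEW_PORT:-221}
FTP_PORTS=${FTP_PORTS:-21,$NEW_PORT}

# Return 0 if the comma-separated list $1 (the format of
# /sys/module/<mod>/parameters/ports) already contains port $2.
ports_contain() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# Print the ports a loaded module currently watches (empty if not loaded).
module_ports() {
    [ -r "/sys/module/$1/parameters/ports" ] && cat "/sys/module/$1/parameters/ports"
}

# Unload $1 if it is loaded; fail if rmmod refuses (e.g. module still in use).
unload_if_loaded() {
    [ -d "/sys/module/$1" ] || return 0
    rmmod "$1"
}

# The NAT helper is only needed when the FTP server sits behind the firewall
# (DNAT); set NEED_NAT=1 in that case, as the reply explains.
main() {
    if ports_contain "$(module_ports "$CT_MOD")" "$NEW_PORT"; then
        echo "$CT_MOD already watches port $NEW_PORT, nothing to do"; return 0
    fi
    # ip_nat_ftp depends on ip_conntrack_ftp, so it has to be removed first.
    unload_if_loaded "$NAT_MOD"
    unload_if_loaded "$CT_MOD"
    modprobe "$CT_MOD" ports="$FTP_PORTS"
    if [ "${NEED_NAT:-0}" = 1 ]; then
        modprobe "$NAT_MOD" ports="$FTP_PORTS"
    fi
    echo "$CT_MOD now watches: $(module_ports "$CT_MOD")"
}

# Only touch the kernel when explicitly asked:  ./ftp-helper.sh --apply
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Afterwards, `cat /sys/module/ip_conntrack_ftp/parameters/ports` should list both ports, which is the quickest way to confirm the helper was reloaded rather than autoloaded with the default.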