Usually, if a client is behind firewall, they can only trasfer files via a passive ftp connection.
Edit /etc/proftpd.conf and specify the passive ports range. Place it in the 'Global' container:
</Global>
...
...
# Use the IANA registered ephemeral port range
PassivePorts 49152 65534
</Global>
Reference: proftpd.org
Load the ip_conntrack_ftp module and iptables rules, so the ports automatically open to the connected client:
# /sbin/modprobe ip_conntrack_ftp
# lsmod | grep conntrack_ftp
ip_conntrack_ftp 41489 0
ip_conntrack 91237 4 xt_state,xt_conntrack,ip_conntrack_ftp,ip_conntrack_irc
Add the below iptables rules:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
If the server is beind NAT, ip_nat_ftp module also should be loaded:
# /sbin/modprobe ip_nat_ftp
conntrack and ftps
Connection tracking will not work with secure ftp protocol using TLS/SSL and the specific passive ports will need to be opened at the firewall.