There is a simple solution! Since we are using a stateful firewall, and iptables has a connection-tracking module for keeping track of FTP sessions, this is very easy to fix. The module is called ip_conntrack_ftp; it keeps track of FTP sessions and marks the first packet of an FTP data connection as RELATED. So replace --state ESTABLISHED with --state ESTABLISHED,RELATED in the previous ruleset.
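The substitution described above, as an added example that is not part of the original page: a shell script that finds rules whose state list is exactly ESTABLISHED and rewrites them to ESTABLISHED,RELATED. The sample ruleset is constructed, and the function names find_missing_related and add_related are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# Constructed sample ruleset: default-drop INPUT whose stateful rule accepts
# only ESTABLISHED packets, so the first packet of an FTP data connection
# (which conntrack marks RELATED) is dropped.
SAMPLE_RULES='iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT'

# The FTP helper must be loaded for RELATED to be assigned. Left commented
# because it needs root; ip_conntrack_ftp is the name the page gives, and
# later kernels ship the same helper as nf_conntrack_ftp.
#   modprobe ip_conntrack_ftp

# Print, with line numbers, every rule whose state list is exactly
# ESTABLISHED. Exit status is 0 when at least one such rule exists.
find_missing_related() {
    printf '%s\n' "$1" | grep -nE -e '--state ESTABLISHED( |$)'
}

# Rewrite "--state ESTABLISHED" to "--state ESTABLISHED,RELATED".
# Rules that already list RELATED, or that match only NEW, are untouched,
# so running this twice gives the same result as running it once.
add_related() {
    printf '%s\n' "$1" | sed \
        -e 's/--state ESTABLISHED /--state ESTABLISHED,RELATED /' \
        -e 's/--state ESTABLISHED$/--state ESTABLISHED,RELATED/'
}

echo "Rules that drop the RELATED first packet of ftp-data:"
find_missing_related "$SAMPLE_RULES" || echo "(none)"

echo
echo "Corrected ruleset:"
add_related "$SAMPLE_RULES"
```

RELATED is limited to connections a loaded helper expected, so the port-22 rule that matches only NEW is deliberately left alone.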