and, worse, since the control channel is encrypted, this can't be done via a port monitor that sniffs and modifies 'port' commands, so this causes problems at BOTH ends of a NAT.
Could it be that the iptables ftp conntrack and nat modules do not work with FTPS because of this?
It is possible to instruct the FTPS client to keep the control channel in the clear so that firewalls that need to adjust to the ports being used can listen in on the conversation. The FTPS server has to agree to allow this to happen.
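To make the point above concrete, here is an added example (not part of the original posts and not the netfilter code) of what a NAT helper does with a control-channel segment: it can parse and rewrite a cleartext `PORT` command or `227` reply, but a TLS record gives it nothing to match. The function names, addresses and sample bytes are constructed for illustration; the cleartext case is what the firewall sees once the client has returned the control channel to the clear (the CCC command in RFC 4217).

```python
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 as used by PORT and 227.
_HOSTPORT = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(segment: bytes):
    """Return (ip, port) announced by a PORT command or 227 reply, else None."""
    if not segment.startswith((b"PORT ", b"227 ")):
        return None
    m = _HOSTPORT.search(segment)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def rewrite_endpoint(segment: bytes, public_ip: str, public_port: int) -> bytes:
    """Substitute the NAT's public address and port, as a helper module would."""
    if parse_endpoint(segment) is None:
        return segment  # nothing recognisable: forwarded unchanged
    new = "%s,%d,%d" % (public_ip.replace(".", ","),
                        public_port >> 8, public_port & 0xFF)
    return _HOSTPORT.sub(new.encode("ascii"), segment, count=1)

def is_tls_record(segment: bytes) -> bool:
    """TLS record header: content type 20..23 followed by major version 3."""
    return len(segment) >= 5 and 20 <= segment[0] <= 23 and segment[1] == 3

# Constructed samples. The TLS payload is filler bytes standing in for ciphertext.
CLEAR_PORT = b"PORT 192,168,1,10,195,80\r\n"
CLEAR_PASV = b"227 Entering Passive Mode (10,0,0,5,195,80).\r\n"
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(32))

if __name__ == "__main__":
    for seg in (CLEAR_PORT, CLEAR_PASV, TLS_RECORD):
        print("tls" if is_tls_record(seg) else "clear",
              parse_endpoint(seg),
              rewrite_endpoint(seg, "203.0.113.5", 40000))
```

The encrypted segment passes through unmodified, so the private address inside it reaches the peer as-is and no expectation is created for the data connection.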