spaminator@xxxxxx wrote:
Rebooting the bridge box left me again with an unloaded ip_conntrack_ftp. So I made an entry in /etc/modules which caters for the module to be loaded on (re)boot. Strange thing that, because other modules related to iptables are being loaded automatically, although they are not compiled into the kernel too. Are there other "surprise"-modules that have to be loaded via /etc/modules?
All the ip_conntrack_* modules, so all the connection helpers. You could load them all, but I only load what I need.
These modules are what account for (most of the) -m state --state RELATED matches. Related in this case are all the data connections for ftp, so you don't need any rule for those data connections.
IOW to make ftp work you need: - To load ip_conntrack_ftp - Have a rule that allows ESTABLISHED,RELATED - Have a rule that allows the initial SYN to port 21. HTH, M4
