Hi List,

When I load nf_conntrack with

    modprobe --first-time nf_conntrack nf_conntrack_helper=0

as described in the document "Secure use of iptables and connection tracking helpers" and use the CT target in the raw table to attach the ftp helper to specific flows, then everything is working when the corresponding firewalls are either on the client side or on the server side AND they are directly connected.

But when there is a gateway between them which is performing SNAT, active ftp works only when nf_conntrack is loaded without the module parameter mentioned in $SUBJECT. There is no filtering on the gw.

To be more precise, the problem is that the server is considering the client's PORT command as ILLEGAL, because it contains the client's own IP address. It seems that nf_nat_ftp is not triggered in this case.

Is there a way to get it working using -j CT somewhere on the gateway also? nf_nat_ftp also does not accept the "ports" parameter since 2.6.10.

My kernel version is 3.11.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
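As an added example (not part of the original post), here is the rule set that the referenced document's approach implies on the SNAT gateway itself: with helper auto-assignment off, the NAT helper only acts on connections that carry the conntrack helper, so the control connection must get `-j CT --helper ftp` on the gateway as well. Interface names, networks and the server address are assumptions; the script prints the commands for review rather than running them.

```shell
#!/bin/sh
# Added example: what an SNAT gateway needs so nf_nat_ftp can rewrite PORT
# commands while nf_conntrack runs with nf_conntrack_helper=0.
# Assumed topology (not from the original post): clients on eth0 in
# 192.0.2.0/24, FTP server 203.0.113.10 reached via eth1 (masqueraded).
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.0.2.0/24
FTP_SERVER=203.0.113.10

# Emit the commands instead of executing them; pipe to sh as root to apply.
ftp_ct_rules() {
  cat <<EOF
modprobe nf_conntrack nf_conntrack_helper=0
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
# Attach the ftp helper only to the control connection from the LAN to the
# known server; with auto-assignment off, no other flow gets a helper.
# The helper on the conntrack entry is what lets nf_nat_ftp see the PORT
# command and replace the client's private address with the SNAT address.
iptables -t raw -A PREROUTING -i $LAN_IF -s $LAN_NET -d $FTP_SERVER -p tcp --dport 21 -j CT --helper ftp
# Active mode: the server connects back; that flow matches the helper's
# expectation as RELATED and is DNATed to the client by nf_nat_ftp.
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Report the running kernel's helper auto-assignment policy (sysctl view of
# the module parameter); prints "unknown" where the file does not exist.
helper_policy() {
  f=/proc/sys/net/netfilter/nf_conntrack_helper
  if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

ftp_ct_rules
echo "nf_conntrack_helper policy: $(helper_policy)"
```

Restricting the raw rule to the known server address keeps the helper off every other port-21 flow, which is the point of disabling auto-assignment in the first place.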