On 24/10/2017 at 11:42, marcfun@xxxxxxx wrote:
[root@archlinux ~]# iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
[root@archlinux ~]# iptables -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
[root@archlinux ~]# iptables -A INPUT -m conntrack --ctstate RELATED -j ACCEPT

=> That gives:
[root@archlinux ~]# iptables -nvL
Please consider using iptables-save instead of iptables -L. IMO, its output is much easier to read.
I follow the conntrack events for expect with "conntrack -E expect", and in another shell I initiate a PASSIVE FTP session.
(...)
BUT in the filter table, the RELATED ctstate is not matched...
Passive FTP means that the client initiates the data connection to the server. From your first rule, I guess that the client is the local host. So shouldn't the RELATED rules also be in the OUTPUT chain instead of INPUT?
Or use active FTP instead, so that the server initiates the data connection to the client.
-- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
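The ruleset the reply is pointing at, written out as an added example (not code from either poster): an iptables-restore file for a local FTP client in passive mode, where the helper is attached in the raw table and the RELATED match sits in OUTPUT because the client opens the data connection. The ESTABLISHED rules and DROP policies are assumptions for a minimal working example, and the ruleset is only applied when the script is run with --apply.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for an FTP *client* using PASSIVE mode.
# Assumes the helper must be assigned explicitly in the raw table (-j CT --helper),
# which is the kernel default (nf_conntrack_helper=0).
ftp_client_ruleset() {
    cat <<'EOF'
*raw
:OUTPUT ACCEPT [0:0]
# Attach the ftp helper to the control connection we open to port 21.
-A OUTPUT -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Control connection, outbound.
-A OUTPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Passive data connection: the client connects to the port announced in PASV,
# so the expectation is matched on OUTPUT, not INPUT. Restricting the match to
# the ftp helper keeps other RELATED traffic (e.g. ICMP errors) out of this rule.
-A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
COMMIT
EOF
}

# Sanity check that runs without root: every RELATED rule must live in OUTPUT.
related_rules_in_output_only() {
    ! ftp_client_ruleset | grep -- '--ctstate RELATED' | grep -qv '^-A OUTPUT'
}

# Apply only when asked explicitly (needs root):  sh ftp-client.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ftp_client_ruleset | iptables-restore
fi
```

For an active-mode client (the alternative the reply mentions), the server connects back to the client, so the same RELATED rule would go in INPUT instead.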