Vink, Ronald <ronald.vink@xxxxxxxxxxxx> asked:

> I want to forward ftp traffic from outside to a server in a local network.
> I am using an active ftp connection.
> It is working with a 3.5.4 kernel system, but not on a newer 4.9.59

Starting with Linux 4.9, conntrack helper modules behave differently than
before. The module needs to be loaded, of course, using "modprobe
nf_conntrack_ftp" or something like this. Then you can activate the old
behaviour using "sysctl -w net.netfilter.nf_conntrack_helper=1" or use the
helper by adding a rule in the raw table like this:

*raw
:PREROUTING ACCEPT [764:66450]
:OUTPUT ACCEPT [671:1021727]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [22:2928]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [446:63567]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT

Best regards,
i.A. Thomas Bätzler
--
BRINGE Informationstechnik GmbH
Zur Seeplatte 12
D-76228 Karlsruhe
Germany
Fon: +49 721 94246-0
Fon: +49 171 5438457
Fax: +49 721 94246-66
Web: http://www.bringe.de/
Geschäftsführer: Dipl.-Ing. (FH) Martin Bringe
Ust.Id: DE812936645, HRB 108943 Mannheim
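As an added example (not part of this thread, and not code from the list or from Thomas), here is a small POSIX shell audit that reads an iptables-save dump and reports whether the FTP helper is wired up the way a 4.9+ kernel expects: a "-j CT --helper ftp" rule for port 21 in the raw table, plus a RELATED,ESTABLISHED accept in the filter table so that the helper-created data connection is admitted. The kernel stopped attaching helpers to every flow on a well-known port precisely so that only the traffic you name gets a helper, which is why the explicit raw-table rule is the preferable fix over re-enabling the sysctl. The two dumps below are constructed, modelled on the rules in the reply above, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the FTP conntrack helper
# wiring that Linux 4.9+ requires. Not part of the mailing-list thread.

# Constructed sample dump, modelled on the rules posted in the reply.
SAMPLE_OK='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# Constructed sample without the raw-table CT rule: fine on a 3.x kernel,
# but on 4.9+ the active-mode data connection is never marked RELATED.
SAMPLE_MISSING='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# has_ftp_helper_rule DUMP -> "explicit" if the raw table assigns the ftp
# helper to TCP port 21 via the CT target, "none" otherwise.
has_ftp_helper_rule() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "raw" && /-j CT/ && /--helper ftp/ && /--dport 21( |$)/ { found = 1 }
        END { print (found ? "explicit" : "none") }'
}

# accepts_related DUMP -> "yes" if some filter-table rule accepts RELATED
# traffic (INPUT for a local server, FORWARD for the DNAT case in the question).
accepts_related() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /--ctstate [A-Z,]*RELATED/ && /-j ACCEPT/ { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# audit_ftp_rules DUMP -> one-line verdict, prefixed ok:/missing:/incomplete:
audit_ftp_rules() {
    helper=$(has_ftp_helper_rule "$1")
    related=$(accepts_related "$1")
    if [ "$helper" = "explicit" ] && [ "$related" = "yes" ]; then
        echo "ok: ftp helper assigned in raw table and RELATED traffic accepted"
    elif [ "$helper" = "none" ]; then
        echo "missing: no 'CT --helper ftp' rule in raw table; on 4.9+ the data channel is dropped unless net.netfilter.nf_conntrack_helper=1"
    else
        echo "incomplete: helper assigned but filter table never accepts RELATED,ESTABLISHED"
    fi
}

# Run against the two constructed samples. On a real host you would pass
# the live ruleset instead: audit_ftp_rules "$(iptables-save)" (needs root).
audit_ftp_rules "$SAMPLE_OK"
audit_ftp_rules "$SAMPLE_MISSING"
```

The check deliberately looks only at the raw table for the CT rule: a "-j CT --helper" target placed anywhere else is ignored, because the CT target is only valid in raw (and on 4.9+ a helper that is never assigned there simply never sees the PORT command).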