Re: nf_conntrack_helper replacement?


 



Fixed it!!!

Now to try and figure out nftables!

This was the missing link:
   $tbls -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

Thank you all for the help!

Here are my new rules:

-T

# FTP Passive Mode stuff
#  raw:
#
#  This  table  is  used mainly for configuring exemptions from
#  connection tracking in combination with the NOTRACK  target.
#  It registers at the netfilter hooks with higher priority and
#  is thus called before ip_conntrack, or any other IP  tables.
#  It  provides  the following built-in chains: PREROUTING (for
#  packets arriving via  any  network  interface)  OUTPUT  (for
#  packets generated by local processes)
#

## this is a defunct method as of kernel 6.0.1 to assist with active ftp connection
# if [ "$(cat /proc/sys/net/netfilter/nf_conntrack_helper)" == "0" ]; then
#   echo "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper"
#   echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
# fi

# https://bbs.archlinux.org/viewtopic.php?id=148345
$tbls -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr --sport $unassgn --dport ftp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$tbls -A dsl-in  -i $eth1 -p tcp --sport ftp -d $eth1_addr --dport $unassgn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p tcp --sport ftp -d $internal_net --dport $unassgn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-out -o $eth1 -p tcp -s $eth1_addr -d $ANY_IP -m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-in  -i $eth1 -p tcp -s $ANY_IP -d $eth1_addr -m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p tcp -s $ANY_IP -d $internal_net -m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

$tbls -A dsl-out -o $eth1 -p udp -s $eth1_addr --sport $unassgn --dport ftp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$tbls -A dsl-in  -i $eth1 -p udp --sport ftp -d $eth1_addr --dport $unassgn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p udp --sport ftp -d $internal_net --dport $unassgn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-out -o $eth1 -p udp -s $eth1_addr -d $ANY_IP -m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-in  -i $eth1 -p udp -s $ANY_IP -d $eth1_addr -m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$tbls -A dsl-for -i $eth1 -p udp -s $ANY_IP -d $internal_net -m helper --helper ftp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
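For the nftables step mentioned above, here is an added example (not from the original post) of the same approach in native nft syntax: an explicit `ct helper` object assigned at raw priority replaces the removed `nf_conntrack_helper=1` auto-assignment, and the data-connection rules accept RELATED traffic only when it belongs to the ftp helper. Interface name, addresses and chain policies are assumptions; the prerouting assignment chain goes beyond the post's OUTPUT-only rule so forwarded clients are covered too.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's ruleset. Names below are constructed placeholders.
define wan          = "eth1"
define wan_addr     = 203.0.113.10
define internal_net = 192.168.1.0/24

table ip fw {
    # The kernel "ftp" helper, bound to TCP. Nothing is auto-assigned any more:
    # only flows matched by the "ct helper set" rules below get this helper.
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    # Assignment must happen before conntrack sees the flow: priority raw (-300).
    chain assign-out {
        type filter hook output priority raw; policy accept;
        tcp dport 21 ct helper set "ftp-standard"
    }
    chain assign-pre {
        type filter hook prerouting priority raw; policy accept;
        tcp dport 21 ct helper set "ftp-standard"
    }

    # Filter chains use policy accept so this fragment is safe to load stand-alone;
    # merge the rules into your real chains with your real policy.
    chain dsl-out {
        type filter hook output priority filter; policy accept;
        oifname $wan ip saddr $wan_addr tcp dport 21 ct state new,established accept
        # Data connections: only expectations created by the ftp helper, not any helper.
        oifname $wan ip saddr $wan_addr ct state related,established ct helper "ftp" accept
    }
    chain dsl-in {
        type filter hook input priority filter; policy accept;
        iifname $wan ip daddr $wan_addr tcp sport 21 ct state related,established accept
        iifname $wan ip daddr $wan_addr ct state related,established ct helper "ftp" accept
    }
    chain dsl-for {
        type filter hook forward priority filter; policy accept;
        iifname $wan ip daddr $internal_net tcp sport 21 ct state related,established accept
        iifname $wan ip daddr $internal_net ct state related,established ct helper "ftp" accept
    }
}
```

Load with `nft -f` and confirm with `nft list ct helpers` and `conntrack -L` that control connections on port 21 carry helper=ftp while unrelated flows carry none.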




