
With the following rules inside the nftables input chain:

tcp dport 21 ct state established,new counter accept
tcp dport 20 ct state established,related counter accept
tcp dport 1024-65535 ct state established,related counter accept

Passive FTP connections can log in, but the data connection can't be established.

rfmoz

1 Answer


In recent kernels (>4.7) it's necessary to load the following module:

modprobe nf_conntrack_ftp

And enable the helper:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

rfmoz
  • See also https://home.regit.org/netfilter-en/secure-use-of-helpers/. Since nft 0.8 a similar usage (with some priority differences) is done: https://manpages.debian.org/testing/nftables/nft.8.en.html#CT – A.B May 10 '18 at 19:13
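The approach the comment links to, written out as a ruleset (an added example, not code from the question or the answer): instead of turning on the global nf_conntrack_helper sysctl for every flow, the ftp helper is attached only to the control connection on port 21, so the passive data connections are expected by the kernel and arrive in the input chain as "related". It needs nft 0.8 or newer and the nf_conntrack_ftp module loaded; the table and chain names are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example (table/chain names are assumptions, not from the page).
# Prerequisite: modprobe nf_conntrack_ftp. The sysctl
# net.netfilter.nf_conntrack_helper can stay at 0 with this ruleset.
flush ruleset

table inet filter {
    # Conntrack helper object bound to the kernel "ftp" helper, TCP only
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    chain prerouting {
        # The helper has to be attached before the conntrack entry is confirmed,
        # so this is done in prerouting (priority 0 runs after conntrack at -200),
        # and only for the FTP control port rather than for every TCP flow.
        type filter hook prerouting priority 0; policy accept;
        tcp dport 21 ct helper set "ftp-std"
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # Passive-mode data connections are expectations created by the helper,
        # so they match "related" on the exact negotiated port; no blanket
        # 1024-65535 rule is needed and the high ports stay closed otherwise.
        ct state established,related counter accept
        # New control connections to the FTP server
        tcp dport 21 ct state new counter accept
    }
}
```

Without the helper attached, the data connection shows up as state "new" on a high port and is dropped, which is the symptom described in the question; `nft list ct helpers` (nft 0.8+) shows whether the helper object was created.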