Ah, damn! I read that months ago and added a note to self in my documentation, but missed it. Thank you very much for your help!
Regards.

On Friday, 15 December 2017 at 17:16 +0300, Reco wrote:
> Hi.
>
> On Fri, Dec 15, 2017 at 02:46:16PM +0100, David Guyot wrote:
> > Hello, there.
> >
> > I'm running a Pure-FTPd service, with passive FTP, and I encountered
> > what seems to be a defect in the nf_conntrack_ftp module: it seems to
> > not recognize the passive FTP data connection as RELATED to the
> > established control connection.
>
> And it should not, as they disabled automatic assignment of conntrack
> helper modules back in mainline kernel version 3.5.
> Also, see Debian bug #870484.
>
> What you need to make it work is the set of these netfilter rules:
>
> -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
>
> -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i ens3 -p tcp --dport 21 -j ACCEPT
>
> Remove nf_conntrack_ftp from /etc/modules (loading netfilter rule will
> take care of this module), and exterminate these:
>
> > -A INPUT -i ens3 -p tcp -m tcp --dport 50000:50500 -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A OUTPUT -o ens3 -p tcp -m tcp --sport 50000:50500 -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Reco

-- 
David Guyot
Administrateur système / Sysadmin
Europe Camions Interactive / Stockway
Moulin Collot
F-88500 Ambacourt
Tel.: +33 (0)3 29 30 47 85
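As an added illustration of Reco's point (not part of the thread), the following POSIX shell script audits an iptables-save dump for the explicit `CT --helper ftp` assignment that has been required since kernel 3.5, and flags the static passive port-range rules that become redundant once the helper is assigned. The two rulesets are constructed samples modelled on the rules quoted above; the function names are mine.

```shell
#!/bin/sh
# Constructed sample: ruleset relying on automatic helper assignment (does not work since 3.5).
RULES_BEFORE='*raw
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i ens3 -p tcp -m tcp --dport 50000:50500 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens3 -p tcp --dport 21 -j ACCEPT
COMMIT'

# Constructed sample: ruleset following Reco's advice (explicit helper, no static port range).
RULES_AFTER='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens3 -p tcp --dport 21 -j ACCEPT
COMMIT'

# has_ftp_helper_rule DUMP: succeeds only if the raw table's PREROUTING chain
# assigns the ftp helper; a CT rule in any other table/chain does not count.
has_ftp_helper_rule() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "raw" && /^-A PREROUTING / && /-j CT --helper ftp/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# has_static_data_range DUMP: succeeds if a fixed passive port range is still
# opened with a RELATED,ESTABLISHED match (redundant once the helper is assigned).
has_static_data_range() {
    printf '%s\n' "$1" | grep -Eq -- '--(dport|sport) [0-9]+:[0-9]+ .*--state RELATED,ESTABLISHED'
}

# audit_ftp_helper DUMP: prints findings; returns 0 when the helper is assigned.
audit_ftp_helper() {
    rc=0
    if has_ftp_helper_rule "$1"; then
        echo "ok: 'CT --helper ftp' rule present in raw/PREROUTING"
    else
        echo "missing: no 'CT --helper ftp' rule; passive data connections will not be RELATED"
        rc=1
    fi
    has_static_data_range "$1" && echo "note: static passive port-range rule can be removed"
    return $rc
}
```

Run it as `audit_ftp_helper "$(iptables-save)"` on a live host to check the same two conditions against the real ruleset.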