On 2020-11-06 11:43, Sven Hartge wrote:
> Jesper Dybdal <jd-debian-u...@dybdal.dk> wrote:
>> * The CT target, to add the ftp helper. I fixed that by adding a bit of
>> native nft with the nft command after all the iptables(-nft) commands.
> For the sake of the archive and people looking at this thread hoping for
> some insight, please post your native nft rules you created.
Here they are (I'm afraid I can't remember which websites I got the
inspiration from):
    table ip myhelpers {
        # conntrack helper object: the kernel's FTP helper, for TCP
        ct helper ftp-standard {
            type "ftp" protocol tcp
        }
        # base chain on the prerouting hook: FTP control connections coming in
        chain input {
            type filter hook prerouting priority 0;
            tcp dport 21 ct helper set "ftp-standard" counter
        }
        # base chain on the output hook: FTP control connections initiated locally
        chain output {
            type filter hook output priority 0;
            tcp dport 21 ct helper set "ftp-standard" counter
        }
    }
I loaded them after all the iptables-nft rules with the commands:

    # Delete any existing myhelpers table, ignoring the possible failure for a
    # non-existent table:
    nft delete table myhelpers >/dev/null 2>&1
    # Load the myhelpers table shown above:
    nft -f myhelpers.nft
This seems to work.
--
Jesper Dybdal
https://www.dybdal.dk
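A fuller, self-contained version of the same approach, added here as an example and not part of Jesper's or Sven's posts. It keeps the helper assignment exactly as in the myhelpers table above, folds the "delete if it exists, then load" step into the file itself so one `nft -f` applies everything in a single transaction, explains why the helper chains must not sit at raw-table priority, and adds the rules that accept the FTP data connections the helper tracks. The table name `ftpfw`, the helper name `ftp-std` and the chain names are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the original thread: the FTP helper
# assignment from Jesper's myhelpers table plus the accept rules for the
# data connections. Table name "ftpfw", helper name "ftp-std" and the chain
# names are illustrative assumptions.
#
# Automatic helper assignment is off by default since Linux 4.7
# (net.netfilter.nf_conntrack_helper = 0); the explicit "ct helper set"
# below does not depend on that sysctl. If the FTP helper module is not
# loaded automatically when the object is created: modprobe nf_conntrack_ftp

# "delete table" fails when the table does not exist, so declare an empty
# table first. All statements in this file are applied as one transaction,
# so a reload never leaves the helper assignment half-installed.
table ip ftpfw {}
delete table ip ftpfw

table ip ftpfw {
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    # Attach the helper to the control connection in both directions.
    # Priority 0 runs after conntrack (-200) has created the entry; "ct helper
    # set" does nothing when the packet has no conntrack entry yet, so putting
    # these chains at raw-table priority (-300) would silently not work.
    chain helper_in {
        type filter hook prerouting priority 0;
        tcp dport 21 ct helper set "ftp-std" counter
    }
    chain helper_out {
        type filter hook output priority 0;
        tcp dport 21 ct helper set "ftp-std" counter
    }

    # Data connections become ct state "related" once the helper has parsed
    # the PORT/PASV exchange. These chains keep the default accept policy so
    # the file can sit next to an iptables-nft ruleset: an accept in this
    # table does not bypass the iptables-nft chains on the same hook, and the
    # counters show whether data connections are actually being recognised.
    # In a native-nft ruleset with "policy drop;" these are the rules that
    # let FTP data connections through.
    chain input {
        type filter hook input priority 0;
        ct state established,related counter accept
        tcp dport 21 ct state new counter accept
    }
    chain forward {
        type filter hook forward priority 0;
        ct state established,related counter accept
    }
}
```

Check the file without loading it with `nft -c -f ftpfw.nft`, load it with `nft -f ftpfw.nft`, and inspect the result (rules and counters) with `nft list table ip ftpfw`. With conntrack-tools installed, `conntrack -L` lists the control connection with `helper=ftp` once a client has connected to port 21, which confirms the assignment took effect.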