Conntrack doesn't work by default on kernels 4.7+
Posted: 29 Sep 2017, 13:22
Hello,
A few weeks ago I upgraded my system from Debian Jessie 8 to Debian Stretch 9, but till yesterday I didn't notice this issue. I tried to connect to an external ftp and I can connect, but it is not possible to list the directory contents, which is strange because before the upgrade, with the same CSF conf, I was able to connect to this ftp. I double-checked the CSF conf and port 21 is in TCP_OUT, SPI enabled, CONNTRACK used... all good (it was working before the OS upgrade). If I stop CSF, the connection to this ftp is perfect, so I performed several tests and my conclusion was that there was some issue with the conntrack configuration.

I spent a few hours till I checked whether nf_conntrack_helper was active; it was active by default in Debian Jessie 8 (kernel 3.16) but it isn't in Debian Stretch 9 (kernel 4.9).

```shell
# sysctl -a 2>/dev/null | grep conntrack_helper
net.netfilter.nf_conntrack_helper = 0
```

Knowing that, I found that from kernel 4.7 this module is disabled by default because it could be a security risk.

So, we have two options to keep connection tracking working again.

Option 1 (not recommended) - Enable nf_conntrack_helper by default.

In my OS (Debian Stretch 9) to activate it we just need this:

```shell
echo 'options nf_conntrack nf_conntrack_helper=1' > /etc/modprobe.d/nf_conntrack.conf
```

Reboot and problem solved.

Option 2 (recommended) - Enable via iptables only the required helper, in my case the ftp helper. So I've created the /etc/csf/csfpost.sh file to load my two new rules.

For inbound connections to our ftp server:

```shell
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
```

If we are using IPv6:

```shell
ip6tables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
```

For outbound connections to other ftp servers:

```shell
iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
```

If we are using IPv6:

```shell
ip6tables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
```

With these rules, conntrack for ftp works fine again.

I suppose CSF should deal with this issue on kernels 4.7+ and should be able to load the required helper via iptables.

Appreciate your work.
Thank you very much.
Cheers,
sahsanu
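The Option 2 rules above, put into a complete csfpost.sh-style script. This is an added example, not the poster's own file and not code shipped with CSF. It assumes it runs as root (as CSF runs csfpost.sh), that iptables, ip6tables, sysctl and modprobe are on PATH, and that the nf_conntrack_ftp module is available; the port and helper name are the ones from the post. It reports the nf_conntrack_helper sysctl the post checks, loads the ftp helper module before the CT rules reference it, and tests each rule with -C before appending it with -A so that re-running the script does not stack duplicate rules. The rule body is built by a small function so it can be checked without touching a live firewall.

```shell
#!/bin/sh
# Added example (not the poster's csfpost.sh and not CSF code): enable only the
# ftp conntrack helper through explicit raw-table CT rules, IPv4 and IPv6,
# on kernels >= 4.7 where net.netfilter.nf_conntrack_helper defaults to 0.
# Assumes: run as root, iptables/ip6tables/sysctl/modprobe on PATH,
# nf_conntrack_ftp available. Port and helper name are the ones from the post.
set -eu

HELPER="ftp"
PORT="21"

# helper_rule CHAIN: the rule body shared by -A and -C (pure; no side effects).
helper_rule() {
    printf '%s -p tcp --dport %s -j CT --helper %s\n' "$1" "$PORT" "$HELPER"
}

# ensure_rule BIN CHAIN: append the rule only if -C says it is not already
# present, so re-running this script does not stack duplicate rules.
ensure_rule() {
    bin=$1
    spec=$(helper_rule "$2")
    # shellcheck disable=SC2086  # word-splitting $spec into arguments is intended
    if $bin -t raw -C $spec 2>/dev/null; then
        return 0
    fi
    $bin -t raw -A $spec
}

# helper_autoassign_on: true when the kernel still attaches helpers to
# connections automatically (the pre-4.7 default); false on 4.7+ defaults,
# where explicit CT rules are required.
helper_autoassign_on() {
    [ "$(sysctl -n net.netfilter.nf_conntrack_helper 2>/dev/null || echo 0)" = "1" ]
}

main() {
    if helper_autoassign_on; then
        echo "nf_conntrack_helper=1: automatic helper assignment is on (Option 1); adding explicit rules anyway" >&2
    fi
    # Make sure the ftp helper is registered before the CT rules reference it
    # (no-op if the module is already loaded).
    modprobe nf_conntrack_ftp
    # PREROUTING: inbound to our ftpd; OUTPUT: our own connections to remote ftp servers.
    for chain in PREROUTING OUTPUT; do
        ensure_rule iptables "$chain"
        if command -v ip6tables >/dev/null 2>&1; then
            ensure_rule ip6tables "$chain"
        fi
    done
}

# Run only when executed as csfpost.sh; sourcing the file just defines the functions.
case "${0##*/}" in
    csfpost.sh) main ;;
esac
```

Scoping the helper to these two explicit rules, rather than turning automatic assignment back on with Option 1, means the kernel only parses FTP control traffic on port 21 in the chains you chose, which is the reason the 4.7+ default changed.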