Conntrack doesn't work by default on kernels 4.7+

3 posts Page 1 of 1
sahsanu
Junior Member
Posts: 3
Joined: 28 Sep 2017, 22:48


Hello,

A few weeks ago I upgraded my system from Debian Jessie 8 to Debian Stretch 9, but till yesterday I didn't notice this issue. I tried to connect to an external ftp and I connected, but it was not possible to list the directory contents, strange because before the upgrade with the same CSF conf I was able to connect to this ftp. I double-checked the CSF conf and the port 21 is in TCP_OUT, SPI enabled, CONNTRACK used... all good (it was working before the OS upgrade). If I stop CSF, the connection to this ftp is perfect, so I performed several tests and my conclusion was that there was some issue with the conntrack configuration.

I spent a few hours till I checked whether nf_conntrack_helper was active, it was active by default in Debian Jessie 8 (kernel 3.16) but it isn't in Debian Stretch 9 (kernel 4.9).
# sysctl -a 2>/dev/null | grep conntrack_helper
net.netfilter.nf_conntrack_helper = 0
Knowing that, I found that from kernel 4.7, this module is disabled by default because it could be a security risk.

So, we have two options to keep connection tracking working again.

Option 1 (not recommended) - Enable nf_conntrack_helper by default.

In my OS (Debian Stretch 9) to activate it we just need this:
echo 'options nf_conntrack nf_conntrack_helper=1' > /etc/modprobe.d/nf_conntrack.conf
Reboot and problem solved.

Option 2 (recommended) - Enable via iptables only the required helper, in my case, ftp helper. So I've created /etc/csf/csfpost.sh file to load my two new rules.

For inbound connections to our ftp server:
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
If we are using IPv6:
ip6tables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

For outbound connections to other ftp servers:
iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
If we are using IPv6:
ip6tables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
With these rules, conntrack for ftp works fine again.


I suppose CSF should deal with this issue on Kernels 4.7+ and should be able to load the required helper via iptables.

Appreciate your work.

Thank you very much.

Cheers,
sahsanu
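The recommended option above (explicit CT --helper rules instead of re-enabling automatic helper assignment) as a complete csfpost.sh, written here as an added example; it is not code from the post above and not part of CSF. It assumes iptables/ip6tables with the CT target, the standard ftp control port (overridable through the hypothetical FTP_PORT variable), and that CSF runs the script as root; the function names and the "in"/"out"/"both" argument are this example's own choices. It adds each rule only if it is not already present, so it stays correct when CSF restarts and runs csfpost.sh again.

```sh
#!/bin/sh
# Added example, not from the original thread and not CSF's own code: an
# idempotent /etc/csf/csfpost.sh that pins the ftp conntrack helper to the
# ftp control port via the raw table, for kernels >= 4.7 where automatic
# helper assignment (net.netfilter.nf_conntrack_helper) is off by default.
# Assumptions: iptables/ip6tables with the CT target are installed, ftp uses
# the standard control port, and CSF runs this script as root.

FTP_PORT="${FTP_PORT:-21}"   # control port the helper should watch (assumed)
DRY_RUN="${DRY_RUN:-0}"      # DRY_RUN=1: print the rules instead of applying them

# helper_auto_assignment [VALUE]: succeeds when VALUE (default: the live sysctl)
# is 1, i.e. the kernel still auto-attaches helpers as kernels before 4.7 did.
helper_auto_assignment() {
    v="${1:-$(sysctl -n net.netfilter.nf_conntrack_helper 2>/dev/null || echo 0)}"
    [ "$v" = "1" ]
}

# ct_helper_rule TOOL CHAIN: the raw-table rule that attaches the ftp helper to
# connections matched in CHAIN (PREROUTING for inbound, OUTPUT for outbound).
# The raw table is used because it is evaluated before conntrack sees the packet.
ct_helper_rule() {
    printf '%s -t raw -A %s -p tcp --dport %s -j CT --helper ftp' "$1" "$2" "$FTP_PORT"
}

# ensure_rule TOOL CHAIN: add the rule only if it is not already present
# (iptables -C checks), so repeated CSF restarts do not stack duplicate rules.
ensure_rule() {
    tool="$1"; chain="$2"
    if [ "$DRY_RUN" = "1" ]; then
        ct_helper_rule "$tool" "$chain"; printf '\n'
        return 0
    fi
    if ! "$tool" -t raw -C "$chain" -p tcp --dport "$FTP_PORT" -j CT --helper ftp 2>/dev/null; then
        "$tool" -t raw -A "$chain" -p tcp --dport "$FTP_PORT" -j CT --helper ftp
    fi
}

# apply_ftp_helper DIRECTION: "in" (this host runs an ftp server), "out" (this
# host is an ftp client) or "both". Loads nf_conntrack_ftp and pins the helper
# for IPv4 and IPv6 only in the direction that is actually needed.
apply_ftp_helper() {
    direction="${1:-both}"
    [ "$DRY_RUN" = "1" ] || modprobe nf_conntrack_ftp 2>/dev/null || true
    for chain in PREROUTING OUTPUT; do
        case "$direction:$chain" in
            in:PREROUTING|out:OUTPUT|both:*) ;;
            *) continue ;;
        esac
        for tool in iptables ip6tables; do
            ensure_rule "$tool" "$chain"
        done
    done
}

# Entry point: "csfpost.sh in|out|both" applies the rules; "csfpost.sh check"
# reports whether the kernel still auto-assigns helpers. No argument: do nothing.
case "${1:-}" in
    in|out|both)
        if helper_auto_assignment; then
            echo "note: kernel still auto-assigns helpers; explicit rules are the narrower choice" >&2
        fi
        apply_ftp_helper "$1" ;;
    check)
        if helper_auto_assignment; then echo "auto"; else echo "explicit"; fi ;;
esac
```

Run it as `sh csfpost.sh out` on a host that only connects to other ftp servers, `in` for a host that serves ftp, and `both` when both apply; `DRY_RUN=1 sh csfpost.sh both` prints the four rules without touching the firewall. Attaching the helper per direction, rather than to every port-21 connection in both chains, keeps the helper scope as small as the traffic requires, which is the point of the kernel's change.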
ForumAdmin
Moderator
Posts: 1341
Joined: 01 Oct 2008, 09:24


Thank you for taking the time to post this along with the detailed information. We are aware of the need to move to start using the helpers, but were not aware that Debian had disabled the previous functionality by default.

Initially, we will implement the /proc/ workaround and look at implementing the recommended solution in the future.
sahsanu
Junior Member
Posts: 3
Joined: 28 Sep 2017, 22:48


ForumAdmin, I'm glad you are aware of this issue and to know you are already working on it.

Thank YOU