Conntrack doesn't work by default on kernels 4.7+

Posted: 29 Sep 2017, 13:22
by sahsanu
Hello,

A few weeks ago I upgraded my system from Debian Jessie 8 to Debian Stretch 9, but till yesterday I didn't notice this issue. I tried to connect to an external ftp and I connect, but it is not possible to list the directory contents, strange because before the upgrade with the same CSF conf I was able to connect to this ftp. I double-checked the CSF conf and port 21 is in TCP_OUT, SPI enabled, CONNTRACK used... all good (it was working before the OS upgrade). If I stop CSF, the connection to this ftp is perfect, so I performed several tests and my conclusion was that there was some issue with the conntrack configuration.

I spent a few hours till I checked whether nf_conntrack_helper was active, it was active by default in Debian Jessie 8 (kernel 3.16) but it isn't in Debian Stretch 9 (kernel 4.9).

# sysctl -a 2>/dev/null | grep conntrack_helper
net.netfilter.nf_conntrack_helper = 0

Knowing that, I found that from kernel 4.7, this module is disabled by default because it could be a security risk.

So, we have two options to keep connection tracking working again.

Option 1 (not recommended) - Enable nf_conntrack_helper by default.

In my OS (Debian Stretch 9) to activate it we just need this:

echo 'options nf_conntrack nf_conntrack_helper=1' > /etc/modprobe.d/nf_conntrack.conf

Reboot and problem solved.

Option 2 (recommended) - Enable via iptables only the required helper, in my case the ftp helper. So I've created the /etc/csf/csfpost.sh file to load my two new rules.

For inbound connections to our ftp server:

iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

If we are using IPv6:

ip6tables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

For outbound connections to other ftp servers:

iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

If we are using IPv6:

ip6tables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

With these rules, conntrack for ftp works fine again.

I suppose CSF should deal with this issue on kernels 4.7+ and should be able to load the required helper via iptables.

Appreciate your work.

Thank you very much.

Cheers,
sahsanu
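The Option 2 rules from the post above, as an added example that is not part of the original post or of CSF: a small POSIX shell script that attaches the ftp helper with the CT target for IPv4 and IPv6, checks with -C before appending so that re-running csfpost.sh does not stack duplicate rules, and reports if the global nf_conntrack_helper=1 workaround is still in effect. The file name /etc/csf/ftp-helper.sh and the function names are assumptions chosen here; it assumes a kernel 4.7+ with iptables/ip6tables supporting the raw table and CT target, run as root.

```shell
#!/bin/sh
# Added example (not from the thread or CSF): attach the ftp conntrack helper
# with the CT target instead of re-enabling nf_conntrack_helper globally.
# Assumed deployment: save as /etc/csf/ftp-helper.sh and call
# "sh /etc/csf/ftp-helper.sh apply" from /etc/csf/csfpost.sh.

# Build the iptables arguments for one rule. action is -A (append) or
# -C (check whether an identical rule already exists); chain is PREROUTING
# for inbound connections to our own ftp server, OUTPUT for outbound ones.
ct_helper_rule() {
    action="$1"; chain="$2"; port="${3:-21}"
    printf '%s' "-t raw $action $chain -p tcp --dport $port -j CT --helper ftp"
}

# Append the rule only when -C does not find it, so a CSF restart (which
# re-runs csfpost.sh) does not leave duplicate rules in the raw table.
ensure_ct_helper() {
    tool="$1"; chain="$2"; port="${3:-21}"
    if "$tool" $(ct_helper_rule -C "$chain" "$port") 2>/dev/null; then
        return 0                       # already present, nothing to do
    fi
    "$tool" $(ct_helper_rule -A "$chain" "$port")
}

# True when the global auto-assignment (Option 1) is still switched on;
# with the CT rules in place it can be left at the kernel default of 0.
helper_autoassign_enabled() {
    [ "$(sysctl -n net.netfilter.nf_conntrack_helper 2>/dev/null)" = "1" ]
}

apply_ftp_helper_rules() {
    for chain in PREROUTING OUTPUT; do
        ensure_ct_helper iptables "$chain" 21
        ensure_ct_helper ip6tables "$chain" 21
    done
    if helper_autoassign_enabled; then
        echo "note: nf_conntrack_helper=1 is set; the CT rules make it unnecessary" >&2
    fi
}

if [ "${1:-}" = apply ]; then
    apply_ftp_helper_rules
fi
```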

Re: Conntrack doesn't work by default on kernels 4.7+

Posted: 29 Sep 2017, 15:58
by ForumAdmin
Thank you for taking the time to post this along with the detailed information. We are aware of the need to move to start using the helpers, but were not aware that Debian had disabled the previous functionality by default.

Initially, we will implement the /proc/ workaround and look at implementing the recommended solution in the future.

Re: Conntrack doesn't work by default on kernels 4.7+

Posted: 29 Sep 2017, 16:28
by sahsanu
ForumAdmin, I'm glad you are aware of this issue and to know you are already working on it.

Thank YOU

Re: Conntrack doesn't work by default on kernels 4.7+

Posted: 21 Dec 2017, 03:27
by terryr
Thanks for the post. A great explanation. You may also see in your logs this message:

Dec 14 03:40:15 mail kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

Also see this thread on the kernel mailing list discussing the issue. http://lkml.iu.edu/hypermail/linux/kern ... 00470.html

Edited to add this post, which is very helpful regarding helpers. https://home.regit.org/netfilter-en/sec ... f-helpers/