Conntrack doesn't work by default on kernels 4.7+

sahsanu
Junior Member
Posts: 3
Joined: 28 Sep 2017, 22:48

Conntrack doesn't work by default on kernels 4.7+

Post by sahsanu »

Hello,

A few weeks ago I upgraded my system from Debian Jessie 8 to Debian Stretch 9, but I didn't notice this issue until yesterday. I tried to connect to an external ftp and I can connect, but it is not possible to list the directory contents, which is strange because before the upgrade, with the same CSF conf, I was able to connect to this ftp. I double checked the CSF conf and port 21 is in TCP_OUT, SPI is enabled, CONNTRACK is used... all good (it was working before the OS upgrade). If I stop CSF, the connection to this ftp is perfect, so I performed several tests and my conclusion was that there was some issue with the conntrack configuration.

I spent a few hours until I checked whether nf_conntrack_helper was active: it was active by default in Debian Jessie 8 (kernel 3.16) but it isn't in Debian Stretch 9 (kernel 4.9).


# sysctl -a 2>/dev/null | grep conntrack_helper
net.netfilter.nf_conntrack_helper = 0

Knowing that, I found that from kernel 4.7, this module is disabled by default because it could be a security risk.

So, we have two options to get connection tracking working again.

Option 1 (not recommended) - Enable nf_conntrack_helper by default.

In my OS (Debian Stretch 9) to activate it we just need this:


echo 'options nf_conntrack nf_conntrack_helper=1' > /etc/modprobe.d/nf_conntrack.conf

Reboot and problem solved.

Option 2 (recommended) - Enable via iptables only the required helper, in my case the ftp helper. So I've created the /etc/csf/csfpost.sh file to load my two new rules.

For inbound connections to our ftp server:


iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

If we are using IPv6:


ip6tables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

For outbound connections to other ftp servers:


iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

If we are using IPv6:


ip6tables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

With these rules, conntrack for ftp works fine again.


I suppose CSF should deal with this issue on kernels 4.7+ and should be able to load the required helper via iptables.

Appreciate your work.

Thank you very much.

Cheers,
sahsanu
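An /etc/csf/csfpost.sh built around the option 2 rules from the post above, as an added example that is not code from the original post or from CSF itself. It assumes the ftp helper on port 21, adds each rule only when `iptables -C` reports it absent (csf re-runs csfpost.sh on every restart, so a plain `-A` would pile up duplicates), and only touches the live ruleset when the file is actually installed under the csfpost.sh name.

```sh
#!/bin/sh
# Added example (not from the original post or from CSF): an
# /etc/csf/csfpost.sh that attaches the ftp helper with the iptables CT
# target (option 2 above) instead of re-enabling automatic helper
# assignment for every helper. Rules are added only when absent, since
# csf re-runs csfpost.sh on each restart. Port/helper names are assumed.
set -e

# Return 0 when automatic helper assignment is on (kernels 4.7+ default to 0).
# $1 = file to read (default: the live sysctl value).
auto_helper_enabled() {
    f=${1:-/proc/sys/net/netfilter/nf_conntrack_helper}
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# Print the full rule for logging or review.
# $1 = iptables|ip6tables, $2 = -A|-C, $3 = chain, $4 = port, $5 = helper
ct_helper_rule() {
    printf '%s -t raw %s %s -p tcp --dport %s -j CT --helper %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Append the CT rule unless an identical one is already present (-C).
# $1 = iptables|ip6tables (or a test double), $2 = chain, $3 = port, $4 = helper
ensure_ct_helper() {
    if "$1" -t raw -C "$2" -p tcp --dport "$3" -j CT --helper "$4" 2>/dev/null; then
        return 0
    fi
    "$1" -t raw -A "$2" -p tcp --dport "$3" -j CT --helper "$4"
}

# PREROUTING: clients reaching our ftp server; OUTPUT: our own connections
# to other ftp servers. Both address families, as in the post.
apply_ftp_helper() {
    for bin in iptables ip6tables; do
        command -v "$bin" >/dev/null 2>&1 || continue
        ensure_ct_helper "$bin" PREROUTING 21 ftp
        ensure_ct_helper "$bin" OUTPUT 21 ftp
    done
    if auto_helper_enabled; then
        echo "note: nf_conntrack_helper=1 is still set; the CT rules make it unnecessary" >&2
    fi
}

# Only touch the live ruleset when installed under the csfpost.sh name,
# so the functions can be sourced and exercised without root.
case "$0" in *csfpost.sh) apply_ftp_helper ;; esac
```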
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: Conntrack doesn't work by default on kernels 4.7+

Post by ForumAdmin »

Thank you for taking the time to post this along with the detailed information. We are aware of the need to start using the helpers, but were not aware that Debian had disabled the previous functionality by default.

Initially, we will implement the /proc/ workaround and look at implementing the recommended solution in the future.
sahsanu
Junior Member
Posts: 3
Joined: 28 Sep 2017, 22:48

Re: Conntrack doesn't work by default on kernels 4.7+

Post by sahsanu »

ForumAdmin, I'm glad you are aware of this issue and to know you are already working on it.

Thank YOU
terryr
Junior Member
Posts: 17
Joined: 19 Apr 2011, 14:37

Re: Conntrack doesn't work by default on kernels 4.7+

Post by terryr »

Thanks for the post. A great explanation. You may also see in your logs this message:

Dec 14 03:40:15 mail kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

Also see this thread on kernel mailing list discussing the issue. http://lkml.iu.edu/hypermail/linux/kern ... 00470.html

Edited to add this post, which is very helpful regarding helpers. https://home.regit.org/netfilter-en/sec ... f-helpers/