Task #25554
Updated by Scrum Master more than 5 years ago
http://debian-facile.org/doc:reseau:iptables-pare-feu-pour-un-client
Since Debian Stretch, conntrack no longer flags packets as RELATED, except for the ICMP protocol.
https://linuxfr.org/forums/linux-noyau/posts/acceder-a-un-serveur-ftp-depuis-une-passerelle
https://home.regit.org/netfilter-en/secure-use-of-helpers/
FWIW, it seems that there was a change in kernel 4.7, so that you either need to set net.netfilter.nf_conntrack_helper=1 via sysctl (e.g. put it in /etc/sysctl.d/conntrack.conf) or use
<pre>
iptables -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
</pre>
<pre>
echo "1" > /proc/sys/net/netfilter/nf_conntrack_helper
</pre>
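The two alternatives above (explicit CT helper assignment versus re-enabling automatic helper assignment) as a small added shell example; it is not part of the ticket nor of the EOLE project. It assumes an iptables with the raw table and the CT target, takes the FTP server address and port as arguments, and uses the constructed RFC 5737 address 192.0.2.10 as a default.

```shell
#!/bin/sh
# Added example (not from the ticket or the EOLE project). Assumes iptables with
# the raw table and the CT target; 192.0.2.10 is a constructed example address.

# Build the rules that bind the ftp helper explicitly, the approach that lets
# net.netfilter.nf_conntrack_helper stay at 0 (no automatic helper assignment).
# Control connections to the server are matched in raw/PREROUTING (forwarded and
# inbound traffic) and raw/OUTPUT (connections opened by the gateway itself); the
# FORWARD rule then accepts the data connections once conntrack marks them RELATED.
ftp_helper_rules() {
    server="$1"
    port="${2:-21}"
    printf '%s\n' \
        "iptables -t raw -A PREROUTING -p tcp -d $server --dport $port -j CT --helper ftp" \
        "iptables -t raw -A OUTPUT -p tcp -d $server --dport $port -j CT --helper ftp" \
        "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Interpret a value of net.netfilter.nf_conntrack_helper: 1 means every connection
# on port 21 gets the helper automatically (the behaviour before kernel 4.7),
# 0 means only connections matched by a CT rule do.
helper_mode() {
    case "$1" in
        1) echo automatic ;;
        0) echo explicit ;;
        *) echo unknown ;;
    esac
}

# Read the live sysctl when it exists; reports "unknown" on hosts without conntrack.
current_helper_mode() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ -r "$f" ]; then
        helper_mode "$(cat "$f")"
    else
        helper_mode unknown
    fi
}

# Usage: ./ftp-helper.sh [apply] [server] [port]
# Without "apply" the script only prints the current mode and the rules it would load.
if [ "${1:-}" = "apply" ]; then
    ftp_helper_rules "${2:-192.0.2.10}" "${3:-21}" | while read -r rule; do
        $rule
    done
fi
echo "helper mode: $(current_helper_mode)"
ftp_helper_rules "${2:-192.0.2.10}" "${3:-21}"
```

The CT rules must come before any NOTRACK rule in the raw table, otherwise the control connection is never tracked and no data connection can be flagged RELATED.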
<pre>
root@zephir:~# cat /etc/eole/release
EOLE_MODULE=zephir
EOLE_VERSION=2.6
EOLE_RELEASE=2.6.2
root@zephir:~# uname -a
Linux zephir 4.4.0-138-generic
</pre>
<pre>
root@amon:~# cat /etc/eole/release
EOLE_MODULE=amon
EOLE_VERSION=2.7
EOLE_RELEASE=2.7.0
root@amon:~# uname -a
Linux amon 4.15.0-38-generic
</pre>