
Feature #1540

Use the iptables CT target to attach connection tracking helpers

Added by Timo Teräs over 6 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Start date: 01/16/2013
% Done: 100%

Description

My system with linux-3.6.6 now contains the following in dmesg:
nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.

This is also discussed in e.g. https://bbs.archlinux.org/viewtopic.php?id=148345

Basically, for each protocol for which we want to do content inspection/mangling, we need to add something like:

iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

to create an explicit mapping between the port number and the expected protocol.

Associated revisions

Revision 2f489cc6
Added by Kaarle Ritvanen about 6 years ago

secure use of connection tracking helpers
enable connection tracking helpers when required, fixes #1540
service-specific RELATED rules

History

#1 Updated by Kaarle Ritvanen over 6 years ago

We should also consider the suggestions in this document:
https://home.regit.org/netfilter-en/secure-use-of-helpers/

Blindly accepting all packets in RELATED state is considered a security risk.

#2 Updated by Kaarle Ritvanen about 6 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#3 Updated by Natanael Copa about 6 years ago

  • Status changed from Resolved to Closed

#4 Updated by Stuart Cardall about 2 years ago

The rule should be added to the PREROUTING chain of the raw table:

iptables -A PREROUTING -t raw -p tcp --dport 2121 \
       -d 1.2.3.4 -j CT --helper ftp

see https://home.regit.org/netfilter-en/secure-use-of-helpers/
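The explicit CT mapping from the description and the "do not blindly accept RELATED" point from comment #1, combined into one rule generator as an added example (not code from the ticket or from the Alpine commit). The helper name, protocol, port and server address are parameters; 1.2.3.4 and 2121 are placeholders reused from the ticket, and the script only prints rules unless its output is piped into sh as root.

```shell
#!/bin/sh
# Added example: generate iptables rules that replace automatic helper
# assignment with an explicit CT mapping and helper-scoped RELATED rules.

# Turn off automatic helper assignment (the deprecated behaviour that the
# dmesg message in the ticket warns about), so helpers attach only where a
# CT rule says so. Sysctl exists in Linux 3.5 and later.
sysctl_line() {
    echo "sysctl -w net.netfilter.nf_conntrack_helper=0"
}

# ct_helper_rules HELPER PROTO PORT SERVER
# Prints the raw-table CT rules plus RELATED accept rules restricted to that
# helper, so a bare "--ctstate RELATED -j ACCEPT" never appears.
ct_helper_rules() {
    helper=$1; proto=$2; port=$3; server=$4
    # Attach the helper only to control connections for this server/port,
    # in the raw table before conntrack classifies the packet: PREROUTING
    # for forwarded or inbound traffic, OUTPUT for locally originated traffic.
    echo "iptables -t raw -A PREROUTING -p $proto --dport $port -d $server -j CT --helper $helper"
    echo "iptables -t raw -A OUTPUT -p $proto --dport $port -d $server -j CT --helper $helper"
    # Accept only expectations created by this helper, and only when they
    # involve the server that owns the control connection: towards the server
    # (e.g. passive-mode FTP data) and from the server (e.g. active-mode data).
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper $helper -d $server -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper $helper -s $server -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate RELATED -m helper --helper $helper -d $server -j ACCEPT"
}

# Full ruleset for the FTP server on a non-standard port from comment #4
# (placeholder address 1.2.3.4 taken from the ticket).
ftp_ruleset() {
    sysctl_line
    ct_helper_rules ftp tcp 2121 1.2.3.4
}

# Print the rules; apply with:  sh ct_helper_rules.sh | sh   (as root)
ftp_ruleset
```

Each generated RELATED rule carries `-m helper --helper ftp`, which is the check that keeps expectations from other helpers, or from stray RELATED ICMP, out of the accept path.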
