Re: Stretch => Buster: iptables

To: debian-user@lists.debian.org
Subject: Re: Stretch => Buster: iptables
From: Jesper Dybdal <jd-debian-user@dybdal.dk>
Date: Fri, 6 Nov 2020 12:00:40 +0100
Message-id: <[🔎] a2fcd48d-4286-d14d-db0e-9fc56eede26a@dybdal.dk>
In-reply-to: <[🔎] 0gp5u7j1od1jv8@mids.svenhartge.de>
References: <2e60c9a3-6ce1-0b68-d65f-37362ade22e3@dybdal.dk> <[🔎] 0b0173cf-bb2d-032b-f317-8924217f5213@dybdal.dk> <[🔎] 0gp5u7j1od1jv8@mids.svenhartge.de>

On 2020-11-06 11:43, Sven Hartge wrote:

Jesper Dybdal <jd-debian-user@dybdal.dk> wrote:

* The CT target, to add the ftp helper.  I fixed that by adding a bit of 
native nft with the nft command after all the iptables(-nft) commands.

For the sake of the archive and people looking at this thread hoping for
some insight, please post your native nft rules you created.

Here they are (I'm afraid I can't remember which websites I got the inspiration from):

table ip myhelpers {
        ct helper ftp-standard {
                type "ftp" protocol tcp
        }
    chain input {
                type filter hook prerouting priority 0;
                tcp dport 21 ct helper set "ftp-standard" counter
        }
    chain output {
                type filter hook output priority 0;
                tcp dport 21 ct helper set "ftp-standard" counter
        }
}

I loaded them after all the iptables-nft rules with the commands:

# Delete any existing myhelpers tables, ignoring possible failure for an non-existent table:
nft delete table myhelpers >/dev/null 2>&1
# Load the myhelpers table shown above:
nft -f myhelpers.nft

This seems to work.

-- 
Jesper Dybdal
https://www.dybdal.dk

Reply to:

References:
- Re: Stretch => Buster: iptables
  - From: Jesper Dybdal <jd-debian-user@dybdal.dk>
- Re: Stretch => Buster: iptables
  - From: Sven Hartge <sven@svenhartge.de>

Prev by Date: Re: Stretch => Buster: iptables
Next by Date: nftable questions
Previous by thread: Re: Stretch => Buster: iptables
Next by thread: nftable questions
Index(es):
- Date
- Thread