Difference between revisions of "Conntrack helpers"

Revision as of 18:35, 9 March 2021

Conntrack helpers are not attached to flows automatically; you enable them explicitly from your ruleset by declaring a ct helper object and assigning it to the matching control connections with a ct helper set rule. Put that rule in a chain with the prerouting hook so the helper is available to forwarded as well as locally delivered (input) traffic; if the box does not forward traffic, a chain with the input hook is enough. The chain's priority must be later than conntrack itself (priority -200), so the usual filter priority of 0 is fine. Using a table of family inet, as below, covers both IPv4 and IPv6.

table inet myhelpers {
    # helper object: "ftp" is the kernel FTP helper (nf_conntrack_ftp)
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }
    chain prerouting {
        # priority 0 runs after conntrack (-200), so the flow already exists
        type filter hook prerouting priority 0;
        # attach the helper to the FTP control connection only
        tcp dport 21 ct helper set "ftp-standard"
    }
}

The example above shows how to enable the FTP conntrack helper for traffic going through port tcp/21, the standard FTP control port. The helper parses the control channel and creates expectations for the data connections; those data connections then show up in your filter chains with ct state related, so they must be accepted there as well, or the helper has no visible effect.

You can read more on how to enable conntrack helpers in a secure way in the article linked from this page. The short version: assign a helper only to the specific servers and ports that need it, never to every connection on a port, and accept related traffic only when it was created by the helper you expect.
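The following ruleset is an added example, not taken from the nftables wiki page or the nftables project; it puts the two points above together. It assumes a router forwarding traffic to a single FTP server at the placeholder address 192.0.2.10. The helper is assigned in a prerouting chain, but only for control connections to that server, and the forward chain accepts data connections only when they are related to a flow the FTP helper tracked (ct helper "ftp" matches the name of the helper on the parent connection), rather than accepting any related flow.

```nft
#!/usr/sbin/nft -f
# Added example (not from the nftables wiki): FTP helper restricted to one
# server. 192.0.2.10 is a placeholder address, not part of the original page.

flush ruleset

table inet myhelpers {
    # Helper object referencing the kernel FTP helper (nf_conntrack_ftp).
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    chain prerouting {
        # Runs after conntrack (priority -200), so the flow already exists.
        type filter hook prerouting priority 0;
        # Assign the helper only to control connections to our FTP server,
        # not to every connection that happens to use tcp/21.
        ip daddr 192.0.2.10 tcp dport 21 ct helper set "ftp-standard"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        ct state established accept

        # Data connections: accept related flows only if the parent flow
        # was tracked by the FTP helper, not any "related" flow at all.
        ct state related ct helper "ftp" accept

        # New control connections to the server.
        ip daddr 192.0.2.10 tcp dport 21 ct state new accept
    }
}
```

Load it with nft -f and check the result with nft list ruleset. If the FTP server runs on the firewall itself instead of behind it, move the ct helper set rule to a chain with the input hook and accept the related data connections in an input chain the same way. Narrowing both the assignment and the related accept is what keeps an attacker on tcp/21 from using the helper to open holes for unrelated traffic.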

Supported conntrack helpers

The kernel conntrack subsystem provides the following helpers (each in its own nf_conntrack_* module, loaded when the ct helper object is created):

  • FTP
  • TFTP
  • NetBIOS
  • IRC
  • SIP
  • H.323
  • SNMP
  • PPTP
  • SANE
  • Amanda

The conntrackd daemon also provides support for userspace helpers, such as:

  • DHCPv6
  • MDNS
  • SLP
  • SSDP
  • RPC
  • NFS version 3
  • Oracle TNS