Fix for iptables failing to forward passive-mode FTP after a kernel upgrade

Published 2018-11-14


https://serverfault.com/questions/849159/ftp-nat-stopped-working-after-kernel-upgrade

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

you have to add specific rules to the raw table to attach those helpers. So for your example I think you need to add something like this:

iptables -t raw -A PREROUTING -d $public_ip -p tcp --dport 21 -j CT --helper ftp

That should also take care of making sure the helper modules are loaded without the explicit modprobe commands.

Cause:

Recent kernels no longer automatically attach connection tracking helpers based on compiled in port numbers.

This shows up in particular after installing a 4.x kernel (for example one built with BBR support).
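The two fixes above, wrapped in a small POSIX shell script so they can be applied repeatably. This is an added example, not code from the original post or from the ServerFault answer it quotes; the address 203.0.113.10 is a placeholder for $public_ip, the IPT and APPLY variables are this script's own, and the rule is built by a function so it can be inspected before it is handed to iptables.

```shell
#!/bin/sh
# Added example (not from the original post). Applies the post's two fixes:
# 1. check /proc/sys/net/netfilter/nf_conntrack_helper
# 2. attach the FTP conntrack helper in the raw table, idempotently
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder public address, replace it
IPT="${IPT:-iptables}"                   # iptables binary, overridable for tests

# Build the raw-table rule that attaches the ftp helper to inbound control
# connections on port 21. Returned as a string so it can be reviewed first.
ftp_helper_rule() {
    printf '%s' "PREROUTING -d $1 -p tcp --dport 21 -j CT --helper ftp"
}

# Append a rule to the raw table only if it is not already present.
# "iptables -C" returns 0 when an identical rule exists, so re-running
# this script does not duplicate the rule.
ensure_raw_rule() {
    if $IPT -t raw -C $1 2>/dev/null; then
        echo "raw rule already present: $1"
    else
        $IPT -t raw -A $1
    fi
}

# Report the current value of nf_conntrack_helper (1 = automatic helper
# assignment on, 0 = off, "unknown" when the file is absent, e.g. no conntrack).
helper_sysctl_state() {
    cat /proc/sys/net/netfilter/nf_conntrack_helper 2>/dev/null || echo unknown
}

# Only touch the live firewall when explicitly asked (APPLY=1), so the
# functions above can be sourced and inspected without root.
if [ "${APPLY:-0}" = "1" ]; then
    echo "nf_conntrack_helper=$(helper_sysctl_state)"
    ensure_raw_rule "$(ftp_helper_rule "$PUBLIC_IP")"
    $IPT -t raw -L PREROUTING -n -v | grep -i 'helper ftp' || echo "helper rule not found"
fi
```

Run it as root with `APPLY=1 PUBLIC_IP=<your address> sh fix-ftp-helper.sh`. Note that the helper only tags the passive data connection as RELATED; the FORWARD chain still needs a rule accepting RELATED,ESTABLISHED traffic, which most rulesets already have, for the data connection to pass.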