https://serverfault.com/questions/849159/ftp-nat-stopped-working-after-kernel-upgrade
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
或
you have to add specific rules to the raw table to attach those helpers. So for your example I think you need to add something like this:
iptables -t raw -A PREROUTING -d $public_ip -p tcp --dport 21 -j CT --helper ftp
That should also take care of making sure the helper modules are loaded without the explicit modprobe commands.
原因:
Recent kernels no longer automatically attach connection tracking helpers based on compiled in port numbers.
特别是装了带bbr之类的4.x内核之后
标签:none