iptables nf_conntrack_ftp not working?

I think at some point the nf_conntrack_* modules were changed so that you'll now have to explicitly specify the port numbers of the special protocols.

For FTP, I have this module option line in my /etc/modprobe.d/iptables.conf file:

options nf_conntrack_ftp ports=21

It tells the nf_conntrack_ftp module to expect FTP control traffic specifically on port 21. It used to be the default, but I think the defaults were removed in favor of explicit configuration, back in 2012 or so.

In kernel version 3.5, it became possible to disable automatic conntrack helper assignment, and it looks like the current practice is to have it disabled by default.

Please see: https://home.regit.org/netfilter-en/secure-use-of-helpers/

According to this, it might even be necessary (or at least preferable) to explicitly invoke the appropriate conntrack helper in the iptables FORWARD rules. That way, you can specify the exact cases when the helper is supposed to be used, and so minimize the risk of spoofing.
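Explicit helper assignment as described in the last paragraph, as an added example that is not part of the original answer. The function name `ftp_helper_rules` is hypothetical, 192.0.2.10 is a constructed sample address, and the layout assumes a single FTP server behind a forwarding firewall. The function only prints the rules so they can be reviewed first.

```shell
#!/bin/sh
# Added example: print iptables rules that attach the FTP conntrack helper
# explicitly, and only for traffic to one FTP server.

# ftp_helper_rules SERVER_IP [CONTROL_PORT]   (hypothetical helper function)
ftp_helper_rules() {
    server="$1"
    port="${2:-21}"

    # Reject anything that is not digits/dots (address) or digits (port),
    # so nothing unexpected ends up inside the generated commands.
    case "$server" in
        *[!0-9.]*|'') echo "invalid server address" >&2; return 1 ;;
    esac
    case "$port" in
        *[!0-9]*|'') echo "invalid port" >&2; return 1 ;;
    esac

    cat <<EOF
# Turn off automatic helper assignment (sysctl available since kernel 3.5;
# skip this line if your kernel does not provide it).
sysctl -w net.netfilter.nf_conntrack_helper=0
# Attach the ftp helper only to control connections to the known server.
iptables -t raw -A PREROUTING -p tcp -d $server --dport $port -j CT --helper ftp
# Allow the control connection itself and all established flows.
iptables -A FORWARD -p tcp -d $server --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Passive mode: data connection to the server, accepted only if the ftp
# helper announced it (RELATED) and it targets an unprivileged port.
iptables -A FORWARD -p tcp -d $server --dport 1024: -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
# Active mode: data connection opened by the server towards the client.
iptables -A FORWARD -p tcp -s $server --dport 1024: -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
EOF
}

# Print the rule set for the constructed sample server.
ftp_helper_rules 192.0.2.10
```

After review, the printed commands can be run as root. The `options nf_conntrack_ftp ports=21` line is still needed so the module parses control traffic on that port.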