May 11, 2017

The iptables service starts before any DNS-related services when a Linux system is booted. This means that firewall rules can only reference numeric IP addresses (for example, 192.168.0.1). Domain names (for example, host.example.com) in such rules produce errors. neutron ALL = (root) NOPASSWD: /usr/bin/privsep-helper neutron ALL = (root) NOPASSWD: /usr/sbin/iptables-save Is there a better sollution? Thank you for helping solving this. But a new problem I will post with new keyword iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp The rule I already had in place to accept related connections picked up the related connection from the ftp helper and things work, I could probably be locked down a bit more but for now I'm happy with this setup. A generic CT rule looks like "-A PREROUTING -p tcp --dport 21 -j CT --helper ftp", or so the doucmentation says, but going over your rules again I don't see specific helper usage anyway so just discard the nf_conntrack message as being of the informational level. SIP is a complex (multi ports) protocol and requires a protocol helper (aka ALG). netfilter/conntrack provides a (n in-kernel ALG) SIP helper that you must use. More informations there: Secure use of iptables and connection tracking helpers. Also, port 5061 is usually TLS so can't be snooped by the helper so traffic there still won't work. iptables -A PREROUTING -t raw -p udp --dport 69 -s 192.168.11.0/24 -d 172.16.0.0/16 -j CT --helper tftp This rule alone should now have the helper be activated when adequate, thus triggering the mangling of TFTP data and ports, since TFTP is a complex protocol where server replies can come back from unrelated source ports to the dynamic/ephemeral client source port, as seen in this Wikipedia entry for TFTP .

helper will create an expectation whose IP parameters are the two peers. The IRC helper creates expectations whose destination address is the client address and source address is any address. This is due to the protocol: we do not know the IP address of the person who is the target of the DCC.

Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers.Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from

iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp The rule I already had in place to accept related connections picked up the related connection from the ftp helper and things work, I could probably be locked down a bit more but for now I'm happy with this setup.

netfilter/iptables project homepage - Documentation about