nf_conntrack: automatic helper assignment is deprecated and it will be removed soon.
See the link it mentions about using "-j CT" before doing "--helper ftp".
Many thanks for the reply, I appreciate it.
I'm sorry but where should I find the "--helper ftp" ???
I posted my iptables settings, I have no "--helper ftp" there...
Thanks for the answer.
I have read it but it didn't help me.
How can I port my actual settings to the new way of using iptables?
As the guide says:
Since Linux 3.5, it is possible to deactivate the automatic conntrack helper assignment. This can be done when loading the nf_conntrack module
modprobe nf_conntrack nf_conntrack_helper=0
This can also be done after the module is loaded by using a /proc entry
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
I don't need
ftp
irc
sane
sip
tftp
ports, but I need the SNMP one. If I disable automatic conntrack, what will happen to my actual services like SNMP and the others?
ports so I should not have problems
0. Run 'echo "options nf_conntrack nf_conntrack_helper=0" > /etc/modprobe.d/nf_conntrack.conf;'
1. Run 'grep ^IPTABLES_MODULES= /etc/sysconfig/iptables-config' and remove any modules that are loaded by default that you don't need like for example nf_conntrack_ftp or nf_nat_ftp.
That should be about it. A generic CT rule looks like "-A PREROUTING -p tcp --dport 21 -j CT --helper ftp", or so the documentation says, but going over your rules again I don't see specific helper usage anyway so just discard the nf_conntrack message as being of the informational level.
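An added example, not part of the original posts: a small audit that reports, for each loaded conntrack helper module named in this thread, whether it is attached by an explicit "-j CT --helper" rule, by automatic assignment, or not at all. The function names, the sample data and the mapping from module nf_conntrack_<name> to helper <name> are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit conntrack helper state from captured command output.
# On a live system (as root) the inputs would be:
#   audit_helpers "$(cat /proc/sys/net/netfilter/nf_conntrack_helper)" \
#                 "$(lsmod)" "$(iptables-save -t raw)"

# Read `lsmod` output on stdin, print the helper name of each loaded helper
# module. Assumption: module nf_conntrack_<name> registers helper <name>.
loaded_helpers() {
    awk '$1 ~ /^nf_conntrack_(ftp|irc|sane|sip|tftp|snmp)$/ {
             sub(/^nf_conntrack_/, "", $1); print $1 }'
}

# Read iptables-save output on stdin, print helper names that have an
# explicit "-j CT --helper <name>" rule.
explicit_helpers() {
    sed -n 's/.*-j CT .*--helper \([A-Za-z0-9_.-]*\).*/\1/p' | sort -u
}

# audit_helpers AUTO LSMOD RULES
#   AUTO is the value of nf_conntrack_helper (1 = automatic assignment on).
# Prints "<helper> explicit|automatic|inactive" for each loaded helper.
audit_helpers() {
    auto=$1 lsmod_out=$2 rules=$3
    explicit=$(printf '%s\n' "$rules" | explicit_helpers)
    printf '%s\n' "$lsmod_out" | loaded_helpers | while read -r h; do
        if printf '%s\n' "$explicit" | grep -qxF -- "$h"; then
            echo "$h explicit"      # attached only where the CT rule matches
        elif [ "$auto" = 1 ]; then
            echo "$h automatic"     # deprecated behaviour the kernel warns about
        else
            echo "$h inactive"      # module loaded but never attached
        fi
    done
}

# Constructed sample input (not taken from the thread).
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_ftp       20480  0
nf_conntrack_snmp      16384  0
nf_conntrack          139264  2 nf_conntrack_ftp,nf_conntrack_snmp'
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp
COMMIT'

audit_helpers 0 "$SAMPLE_LSMOD" "$SAMPLE_RULES"
```

A helper reported as "inactive" is a candidate for unloading; one reported as "automatic" needs an explicit CT rule before nf_conntrack_helper is set to 0.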
This command:
grep ^IPTABLES_MODULES= /etc/sysconfig/iptables-config
returns this:
IPTABLES_MODULES=""
I have run the command:
echo "options nf_conntrack nf_conntrack_helper=0" > /etc/modprobe.d/nf_conntrack.conf;