Recent kernels have dropped support for automatic helper assignment, and you might have seen this error message in your kernel.log:
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
A helper is a protocol analyzer that helps iptables (and you) handle protocols like SIP, FTP, IRC etc. For FTP it lets the passive-mode data connection between client and server be tracked as part of the control session.
In my case it was the FTP helper that I needed to create a Connection Tracking (CT) based rule for. It took me a while to figure out what was needed, and not least how it worked.
For my FTP server (directly connected to the Internet), I first needed a PREROUTING rule:
iptables -t raw -A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
That ensures that any connection to port 21 (FTP) gets the FTP helper attached to its conntrack entry. CT is a built-in target of the raw table, not a chain, so there is nothing you need to create yourself.
Now that iptables knows we are dealing with an FTP connection, we need to allow the passive-mode data connection:
iptables -A INPUT -i $Wan_If -d $Wan_Ip -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
Without the FTP helper, the passive data connection would be seen as a NEW connection, and we would have had to open the entire passive port range to the Internet. With the helper, the data connection is tracked as RELATED, so we can allow it without any permanently open port range by matching only traffic that the FTP helper has marked as RELATED.
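As an added example (not from the original post), here is a small POSIX shell audit that checks an iptables-save dump for both halves of the setup above: the raw-table CT rule attaching the ftp helper to port 21, and the INPUT rule accepting RELATED traffic tagged by that helper. The embedded dump, interface name and address are constructed placeholders; on a real box you would feed it the output of iptables-save.

```shell
#!/bin/sh
# Constructed iptables-save output modelling the two rules from the post
# (eth0 and 203.0.113.10 are placeholders, not real values).
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -d 203.0.113.10/32 -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
COMMIT'

# Print only the -A rules belonging to one table (raw, filter, ...) of a dump.
table_rules() {  # $1 = dump, $2 = table name
    printf '%s\n' "$1" | awk -v t="*$2" '
        $0 == t   { in_t = 1; next }
        /^\*/     { in_t = 0 }
        /^COMMIT/ { in_t = 0 }
        in_t && /^-A / { print }'
}

# Succeeds if raw PREROUTING attaches helper $3 to TCP port $2.
ct_helper_attached() {  # $1 = dump, $2 = port, $3 = helper
    table_rules "$1" raw | grep -q -- "^-A PREROUTING .*-p tcp .*--dport $2 .*-j CT --helper $3\$"
}

# Succeeds if filter INPUT accepts RELATED traffic that helper $2 expected.
related_helper_accepted() {  # $1 = dump, $2 = helper
    table_rules "$1" filter | grep -q -- "^-A INPUT .*--ctstate RELATED .*-m helper --helper $2 .*-j ACCEPT\$"
}

# Audit both halves; reports what is missing and returns non-zero if either is absent.
audit_ftp_helper() {  # $1 = dump
    rc=0
    ct_helper_attached "$1" 21 ftp || { echo "MISSING: raw PREROUTING CT --helper ftp rule for port 21"; rc=1; }
    related_helper_accepted "$1" ftp || { echo "MISSING: INPUT RELATED + helper ftp ACCEPT rule"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: FTP helper attached and RELATED data connections allowed"
    return "$rc"
}

# Live usage on a real host would be: audit_ftp_helper "$(iptables-save)"
audit_ftp_helper "$SAMPLE_RULES"
```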
ToDo: Kernel Modules