nat helpers do not work (e.g. ftp), CT rules do not match connections in chain zone_wan_helper
Username: Artur
Origin: https://bugs.openwrt.org/index.php?do=details&task_id=2042
OpenWrt SNAPSHOT, r8978-eb1887be
Automatically generated rule like the below does not match any connections originating from WAN:
Chain zone_wan_helper (1 references)
pkts bytes target prot opt in out source destination
0 0 CT tcp -- * * 0.0.0.0/0 192.168.1.250 tcp dpt:21 ctstate DNAT /* !fw3: FTP (CT helper) */ CT helper ftp
To have working passive FTP I need to add the following line to /etc/firewall.user (based on rules generated by shorewall):
iptables -t raw -A zone_wan_helper -p tcp --dport 21 -j CT --helper ftp --tcp-flags SYN,ACK,FIN,RST SYN
Either ctstate or destination ip does not match in the original rule.
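
A small check for the symptom reported above, added here as an example (it is not part of the original report or of OpenWrt's fw3): it reads the verbose listing of the chain and prints every CT helper rule whose packet counter is still zero, with the destination and ctstate it matches on. The function names are hypothetical, and the second rule in the sample listing is constructed, modelled on the workaround line.

```sh
#!/bin/sh
# Added example: list CT helper rules that have never matched a packet.
# On the router: iptables -t raw -L zone_wan_helper -v -n | unmatched_ct_helpers

# Reads a verbose, numeric chain listing on stdin. Columns are:
# pkts bytes target prot opt in out source destination [matches ... target opts]
unmatched_ct_helpers() {
    awk '
    $3 == "CT" && $1 == "0" {
        helper = "?"; ctstate = "none"
        # Scan the match and target options. The CT target option is printed
        # last, so the final "helper" token wins over any earlier text.
        for (i = 10; i <= NF; i++) {
            if ($i == "helper")  helper  = $(i + 1)
            if ($i == "ctstate") ctstate = $(i + 1)
        }
        printf "helper=%s dst=%s ctstate=%s\n", helper, $9, ctstate
    }'
}

# Constructed sample listing: the first rule is the generated one quoted in
# the report, the second is an assumed rendering of the workaround rule with
# made-up counters.
sample_listing() {
    cat <<'EOF'
Chain zone_wan_helper (1 references)
 pkts bytes target prot opt in out source destination
    0     0 CT tcp -- * * 0.0.0.0/0 192.168.1.250 tcp dpt:21 ctstate DNAT /* !fw3: FTP (CT helper) */ CT helper ftp
   14   840 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x17/0x02 CT helper ftp
EOF
}

sample_listing | unmatched_ct_helpers
```

Run it after generating some FTP traffic from WAN; a rule that still shows up here has not matched any of it.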