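# =============
# - Load Kernel Modules
# =============
# - One module per line, optionally followed by its module parameters
# - (the line is passed to modprobe as-is). Lines starting with '#' are
# - comments; the SIP block below is kept commented out on purpose.
ip_tables
iptable_nat

# - Note:
# - Since kernel 4.7 the automatic conntrack helper assignment is
# - disabled by default (net.netfilter.nf_conntrack_helper = 0).
# - It can be re-enabled by setting this variable in /etc/sysctl.conf:
# -
# -     net.netfilter.nf_conntrack_helper = 1
# -
# - and rebooting or running "sysctl -p".
# -
# - !! But this is NOT the recommended method !!
# - NOTE(review): on recent kernels (6.0 and later, to be confirmed for the
# - kernel in use) this sysctl no longer exists at all, so re-enabling
# - automatic assignment is not an option; the CT target below is then
# - the only way to attach a helper to a flow.

# ---
# - Load modules for FTP connection tracking and NAT
# ---
# - Once a helper is auto-assigned, it parses every packet on its port for
# - ALL IP addresses. That is not only wasteful, it is a security risk: a
# - helper that "sees" an FTP-style PORT/EPRT command in any traffic on that
# - port will open a matching expectation (a pinhole) in the firewall, even
# - if the traffic was not a real FTP session. The safer approach is to
# - load the helper modules but disable automatic assignment, and then bind
# - each helper explicitly to the flows that need it with the CT target.
# -
# - Deactivate the automatic conntrack helper assignment:
# -
# -   method 1: modprobe nf_conntrack nf_conntrack_helper=0   (done below)
# -   method 2: echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
# -
# - Note:
# - =====
# - Each helper we need to use is then attached by a rule in the raw table
# - (it must run before conntrack sees the packet). Example for the ftp
# - helper on the standard port, for outbound client connections:
# -
# -   ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
# -
# - For an FTP server reached through this host (inbound / DNAT), the same
# - kind of rule is needed in the raw PREROUTING chain instead of OUTPUT.
# - Without such a rule, loading nf_conntrack_ftp alone does nothing: the
# - FTP data channel will simply not be tracked and will be dropped.
# -
nf_conntrack nf_conntrack_helper=0
nf_conntrack_ftp
nf_nat
nf_nat_ftp

## - Load modules for SIP VoIP (disabled; uncomment if needed and bind
## - the helper with a CT rule the same way as ftp)
## -
#nf_conntrack_sip
#nf_nat_sip

# - Load kernel nf_log modules for IPv4 netfilter logging
# -
# - Note:
# - The netfilter userspace logging daemon (ulogd/ulogd2) is required to
# - consume userspace logging.
# - NOTE(review): nf_log_ipv4 is the backend for the kernel LOG target
# - (messages go to the kernel log). Rules that use the NFLOG target, which
# - is what ulogd reads, depend on the nfnetlink_log module instead;
# - confirm which target the rule set uses and add that module if needed.
# - On kernels 5.13 and later (to be confirmed) nf_log_ipv4 was folded into
# - nf_log_syslog; modprobe may then report the old name as unknown.
# -
nf_log
nf_log_ipv4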