* [LARTC] Mark on FTP passive traffic
@ 2007-03-09 15:21 Frédéric Massot
From: Frédéric Massot @ 2007-03-09 15:21 UTC (permalink / raw)
To: lartc
Hi,
For a customer I use a Linux router/firewall with 1 internal interface
connected to the LAN and 3 external interfaces connected to 3 different
ISPs. I use a kernel 2.6.17 with a routes patch from Julian Anastasov.
I mark outgoing FTP traffic for the routing.
With the rules below I do not have a problem with active/normal FTP
connecting to an FTP server.
But passive FTP does not pass because I do not know how to mark the
related packets whose ports are negotiated in the FTP session.
I quote only the rules for the internal interface and one of the
external interfaces. The rules are the same for the three external
interfaces.
# global rule for all traffic
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# FTP rule
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE1 -p tcp -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp -s $EXTERNAL_IP1 --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT

# FTP mark
iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 21 -j MARK --set-mark 0x21

iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 20 -j MARK --set-mark 0x21
Do you know how I can mark the packets related to passive FTP?
Regards.
--
=======================
| FRÉDÉRIC MASSOT |
| http://www.juliana-multimedia.com |
| mailto:frederic@juliana-multimedia.com |
=============Debian=GNU/Linux=
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] Mark on FTP passive traffic
From: Rodolfo Brasnarof @ 2007-03-10 5:00 UTC (permalink / raw)
To: lartc
On Fri, 09 Mar 2007 16:21:02 +0100
Frédéric Massot <frederic@juliana-multimedia.com> wrote:
> [...]
>
> Do you know how I can mark the packets related to passive FTP?
Here's what I'm using to mark FTP traffic for routing purposes; I use
the PREROUTING chain:
# ftp
iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 20 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 20 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 21 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 21 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -m helper --helper ftp -j MARK --set-mark 1000
With the use of the ftp_conntrack helper you can match all your FTP
traffic, even passive FTP.
I hope this can help you.
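An added example, not code from either message in the thread: a script that generates the complete rule set the helper match above implies, including the CONNMARK bookkeeping and the fwmark routing rule that keep a passive data connection on the same ISP as its control session. The interface names eth0/eth1, mark 0x21, routing table 21 and gateway 192.0.2.1 are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the rules that give an FTP
# control connection AND the data connections its conntrack helper expects
# (passive mode included) one fwmark, then binds that mark to a routing table.
# Hypothetical names: LAN on eth0, ISP link eth1 with gateway 192.0.2.1,
# mark 0x21, routing table 21. DRY_RUN=1 (default) prints instead of applying.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

ftp_mark_rules() {
    lan_if=$1; ext_if=$2; mark=$3; table=$4; gw=$5
    # The module was ip_conntrack_ftp on the 2.6.17 kernel in the thread; on
    # current kernels helpers are not attached automatically, so bind the
    # helper to the control port explicitly in the raw table.
    run modprobe nf_conntrack_ftp
    run iptables -t raw -A PREROUTING -i "$lan_if" -p tcp --dport 21 -j CT --helper ftp
    # First restore a mark already stored on the connection, so every packet
    # of a session, not only the one that matched below, gets the same mark.
    run iptables -t mangle -A PREROUTING -i "$lan_if" -j CONNMARK --restore-mark
    # Control connection: match by port and store the mark on the conntrack.
    run iptables -t mangle -A PREROUTING -i "$lan_if" -p tcp --dport 21 -j MARK --set-mark "$mark"
    run iptables -t mangle -A PREROUTING -i "$lan_if" -p tcp --dport 21 -j CONNMARK --save-mark
    # Data connections: '-m helper' matches only connections the FTP helper
    # expected from PORT/PASV, i.e. the negotiated ports no port rule can see.
    run iptables -t mangle -A PREROUTING -i "$lan_if" -m helper --helper ftp -j MARK --set-mark "$mark"
    run iptables -t mangle -A PREROUTING -i "$lan_if" -m helper --helper ftp -j CONNMARK --save-mark
    # Policy routing: marked packets use this ISP's table.
    run ip rule add fwmark "$mark" table "$table"
    run ip route add default via "$gw" dev "$ext_if" table "$table"
}

ftp_mark_rules eth0 eth1 0x21 21 192.0.2.1
```

Run with DRY_RUN=0 as root to apply; on the thread's 2.6.17 kernel the helper is attached automatically once ip_conntrack_ftp is loaded, so the raw-table CT rule can be left out there.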