From: Michal Ludvig <michal@logix.cz>
To: netfilter@lists.netfilter.org
Subject: MARKing FTP traffic
Date: Fri, 28 Oct 2005 15:42:24 +1300
Message-ID: <43619010.4000204@logix.cz>

Hi there,

I've got a problem with policy routing for FTP traffic. All I want is to
route all FTP traffic to a given server through link 'eth1' and all
other traffic including non-FTP to that server through 'eth0'.

I've got a default routing table:
# ip route list
192.168.157.21 via 192.168.0.254 dev eth0
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.137
default via 192.168.0.254 dev eth0

And "table 1" with the route via device eth1:
# ip route list table 1
192.168.157.21 via 192.168.0.254 dev eth1  src 192.168.0.160

Then there is a rule to lookup table 1 for packets marked with
fwmark 0x6:
# ip rule
0:      from all lookup local
32765:  from all fwmark 0x6 lookup 1

Finally two iptables rules to mark FTP packets with mark 6:
# iptables -t mangle -A OUTPUT -p tcp -d 192.168.157.21 --dport 21 \
     -j MARK --set-mark 6
and to SNAT them to the IP of eth1:
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.160

So far so good, ftp control connection to 192.168.157.21 works just
fine, I can login, etc. However as soon as I try to download a file or
list a directory, i.e. open a data connection everything breaks:

1) In "active" mode the packet sent to the server contains "PORT
192.168.0.137,<port>" which isn't translated to 192.168.0.160 in the
SNAT rule and the server responds with "500 Illegal PORT command."

2) In "passive" mode both sides negotiate random ports, but such a
connection isn't caught by the MARK rule and is sent over eth0 with src
address 192.168.0.137. Obviously the ftp server responds with "425
Security: Bad IP connecting."

I have finally found a half-working dirty solution:
# iptables -t mangle -A OUTPUT -p tcp -d 192.168.157.21 \
       -m state --state RELATED -j MARK --set-mark 6
However this would affect all RELATED connections, not only FTP ones
(well, that's likely not a huge problem but still :-) and it works with
active ftp only which could be a serious problem.

Is there a proper way to track these ftp-data connections and mark them
appropriately in both active and passive mode?

I'm running 2.6.11 and iptables 1.3.3 but a solution that would work on
2.4.22 with iptables 1.2.8 would be much more appreciated ;-)

Thanks!

Michal Ludvig
-- 
* Personal homepage: http://www.logix.cz/michal
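The following is an added example and not code from the original post or from any reply in the thread; it shows the ruleset a practitioner would use for the problem described above. It assumes a 2.6 kernel with the ip_conntrack_ftp and ip_nat_ftp modules, an iptables with the CONNMARK target and the helper match (both mainline on 2.6.11/iptables 1.3.3; on 2.4 they come from patch-o-matic extras), and it reuses the server address, mark value, interface and SNAT address from the post. The idea is to mark the control connection once, mark the data connections the FTP helper expects (and only those, via `-m helper --helper ftp`, instead of every RELATED connection), and save the mark on the conntrack entry with CONNMARK so that every later packet of those connections, which is ESTABLISHED rather than NEW/RELATED, is marked again before the routing decision. Loading ip_nat_ftp is what makes the PORT/PASV address get rewritten to the SNAT address.

```shell
#!/bin/sh
# Added example (not from the original post): mark every packet of an FTP
# control connection and of the data connections the ftp conntrack helper
# expects for it, so that fwmark-based policy routing sees the mark on all of
# them. Assumes ip_conntrack_ftp/ip_nat_ftp, the CONNMARK target and the
# 'helper' match are available (assumption: 2.6.11 + iptables 1.3.3 as in the post).
set -eu

SERVER="${SERVER:-192.168.157.21}"   # FTP server from the post
FWMARK="${FWMARK:-6}"                # matches 'ip rule ... fwmark 0x6 lookup 1'
OUT_IF="${OUT_IF:-eth1}"
SNAT_TO="${SNAT_TO:-192.168.0.160}"  # address of eth1
DRY_RUN="${DRY_RUN:-1}"              # default: print commands; DRY_RUN=0 applies them (as root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Emit (or apply) the ruleset. Arguments: server, fwmark, egress interface, SNAT address.
ftp_mark_rules() {
    srv=$1; mark=$2; oif=$3; snat=$4

    # The conntrack helper parses PORT/PASV on the control channel and registers
    # an expectation for the data channel; the NAT helper rewrites the address
    # inside PORT/PASV so it matches the SNATed source. Without ip_nat_ftp the
    # server sees "PORT 192.168.0.137,..." and answers "500 Illegal PORT command".
    run modprobe ip_conntrack_ftp ip_nat_ftp

    # 1. Put the connection's saved mark back on every packet first. Only the first
    #    packet of a connection is NEW or RELATED; later ones are ESTABLISHED and
    #    would otherwise leave unmarked via eth0.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

    # 2. New control connection to the server: mark it.
    run iptables -t mangle -A OUTPUT -m mark --mark 0 -p tcp -d "$srv" --dport 21 \
        -m state --state NEW -j MARK --set-mark "$mark"

    # 3. Data connections expected by the ftp helper, to this server only.
    #    Passive: our outgoing SYN is RELATED. Active: the server connects in and
    #    our replies are ESTABLISHED, so both states are listed. The helper match
    #    keeps this to FTP-expected connections instead of all RELATED traffic.
    run iptables -t mangle -A OUTPUT -m mark --mark 0 -p tcp -d "$srv" \
        -m state --state RELATED,ESTABLISHED -m helper --helper ftp \
        -j MARK --set-mark "$mark"

    # 4. Save the mark onto the conntrack entry so step 1 finds it for later packets.
    run iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark

    # 5. SNAT whatever leaves via eth1, as in the post; ip_nat_ftp then rewrites
    #    PORT/PASV to this address.
    run iptables -t nat -A POSTROUTING -o "$oif" -j SNAT --to "$snat"
}

ftp_mark_rules "$SERVER" "$FWMARK" "$OUT_IF" "$SNAT_TO"
```

Run it as-is to review the generated commands, then with `DRY_RUN=0` as root to install them. The `--restore-mark` rule must be first in mangle OUTPUT and the `--save-mark` rule last, so that a packet is marked at most once and the mark is written back only after every marking rule has had a chance to set it.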


2005-10-28  2:42 Michal Ludvig [this message]
2005-10-29 21:50 ` MARKing FTP traffic Henrik Nordstrom