From: Bruno de Paula Larini <bruno.larini@riosoft.com.br>
To: Pascal Hambourg <pascal@plouf.fr.eu.org>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: Losing connection between nat and filter tables
Date: Mon, 12 May 2014 10:20:37 -0300
Message-ID: <5370CAA5.1010805@riosoft.com.br>
In-Reply-To: <536E602E.5070103@plouf.fr.eu.org>

Hi Pascal, thank you for clarifying the behavior of the rp_filter. And 
yes, the two interfaces are in the same network, but it's a limitation 
that our ISP imposes on us, as we have a limited range of public IPs in 
only one /28 subnet. The objective of this "messy" configuration is that 
two different groups of users have access to different FTP sites without 
having to set a non-default port. My only choice was to do a DNAT based 
on the destination IP (even though they are on the same network).
Would you do that in a different way? I really appreciate your help!

On 10/5/2014 14:21, Pascal Hambourg wrote:
> Hello,
>
> Bruno de Paula Larini wrote:
>> Wow, thank you Mart! I didn't really think that the rp_filter would have
>> anything to do with it, but in fact it had!
> Of course it does, and it's all your fault.
> Either eth1 and eth2 are actually connected to the same network and
> connecting several interfaces to the same network is wrong and useless
> in most cases, or they are not and defining the same subnets on several
> interfaces which are connected to different networks is wrong. In either
> case, it's wrong. Why did you do so ?
>
>> Even though I had disabled
>> for "all" interfaces, it seems that the rp_filter files for each
>> interface overlaps "all".
> It doesn't overlap. Both values are combined using the MAX operator.
>
>    rp_filter functional value for $iface = MAX (all, $iface)
>
> All this and much more is detailed in ip-sysctl.txt.
>
>> But unlike the eth1 interface, the RELATED state isn't allowing (or
>> recognizing) the data channel. After doing a DNAT from port 49152 to
>> 65535, the default data ports for MS FTP, I can now successfully connect
>> through the second interface.
> I'm afraid that's because you messed with the FTP control port. By
> default the FTP conntrack monitors only the port 21. You can either
> specify both 21 and 2121 in the port= option when you load the
> nf_conntrack_ftp module, or DNAT the second address to an IP alias
> address assigned to the same server, so that you don't need to change
> the port.

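The MAX rule Pascal quotes from ip-sysctl.txt is easy to get wrong when auditing a box by hand: setting net.ipv4.conf.all.rp_filter=0 does nothing while a per-interface value is still 1. The script below is an added example, not code from the thread; it computes the effective value per interface from a constructed sysctl dump (the sample values and interface names are assumed, chosen to mirror the situation in the thread) and lists the interfaces on which strict mode is actually in force. rp_filter 0 means off, 1 strict (the source must be reachable through the receiving interface), 2 loose (reachable through any interface); with eth1 and eth2 in the same subnet, strict mode on either one drops packets whose return route points at the other.

```shell
#!/bin/sh
# Added example (not from the thread): compute the rp_filter value the kernel
# actually applies per interface. ip-sysctl.txt: the effective value is
# MAX(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<iface>.rp_filter).
#   0 = off, 1 = strict, 2 = loose

# Constructed sample standing in for `sysctl -a 2>/dev/null | grep rp_filter`.
# "all" is 0, yet eth1 still enforces strict mode because MAX(0, 1) = 1.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth2.rp_filter = 2'

# rp_effective ALL IFACE_VALUE -> value the kernel uses for that interface
rp_effective() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# rp_mode VALUE -> human-readable name of an rp_filter value
rp_mode() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# rp_report DUMP -> one line per real interface: "<iface> <effective> <mode>"
# ("all" and "default" are templates, not interfaces, and are skipped;
#  sysctl prints VLAN names like eth0.100 as eth0/100, so [^.]* is safe)
rp_report() {
    dump=$1
    all=$(printf '%s\n' "$dump" | sed -n 's/^net\.ipv4\.conf\.all\.rp_filter = //p')
    printf '%s\n' "$dump" |
    sed -n 's/^net\.ipv4\.conf\.\([^.]*\)\.rp_filter = \([0-9]\)$/\1 \2/p' |
    while read -r iface val; do
        case "$iface" in all|default) continue ;; esac
        eff=$(rp_effective "$all" "$val")
        echo "$iface $eff $(rp_mode "$eff")"
    done
}

# rp_strict_ifaces DUMP -> interfaces on which strict mode is in force
rp_strict_ifaces() {
    rp_report "$1" | awk '$3 == "strict" { print $1 }'
}

# On a live host:  rp_report "$(sysctl -a 2>/dev/null | grep rp_filter)"
rp_report "$SAMPLE_SYSCTL"
```

To turn strict mode off on an interface you must lower both inputs of the MAX, e.g. `sysctl -w net.ipv4.conf.eth1.rp_filter=0` in addition to `all`; lowering `all` alone changes nothing for interfaces that were created while `default` was 1.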

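The two fixes Pascal offers for the second FTP site, written out as an added example that is not part of the thread. The function emits an iptables-restore ruleset for either approach: "multiport" keeps the second site on 2121 and relies on the helper knowing that port, "alias" keeps port 21 everywhere and DNATs the second public address to a second address on the same server. The nf_conntrack_ftp module parameter is spelled `ports` and takes a list, so the multiport variant needs `modprobe nf_conntrack_ftp ports=21,2121` on kernels of the 2014 vintage; current kernels (nf_conntrack_helper defaults to 0 since 4.7) need the explicit CT target rules in the raw table instead, which are included in both variants. All addresses, the 2121 port on the server, and the inside interface are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): the two ways to keep the FTP
# conntrack helper working when a second public address is DNATed to a
# second FTP site. Addresses and ports are assumed placeholders.

PUB_A=203.0.113.10        # public address of FTP site A (assumed)
PUB_B=203.0.113.11        # public address of FTP site B (assumed)
SRV=192.168.10.10         # FTP server's primary address (assumed)
SRV_ALIAS=192.168.10.11   # alias on the same server, site B bound to it (assumed)

# Module side, run once on the firewall before loading the ruleset:
#   multiport, pre-4.7 kernels:  modprobe nf_conntrack_ftp ports=21,2121
#   any kernel using CT --helper: modprobe nf_conntrack_ftp nf_nat_ftp
# Server side for the alias variant (assumed interface):
#   ip addr add 192.168.10.11/24 dev eth0 ; bind site B to that address, port 21

# ftp_nat_ruleset MODE -> ruleset on stdout, for `iptables-restore`
ftp_nat_ruleset() {
    case "$1" in
        multiport) b_host=$SRV;       b_port=2121 ;;
        alias)     b_host=$SRV_ALIAS; b_port=21 ;;
        *) echo "usage: ftp_nat_ruleset multiport|alias" >&2; return 1 ;;
    esac
    cat <<EOF
# raw PREROUTING runs before nat PREROUTING, so match on the public
# address and the public port 21; the helper then tracks the control
# channel whatever port the server ends up on after DNAT.
*raw
-A PREROUTING -d $PUB_A -p tcp --dport 21 -j CT --helper ftp
-A PREROUTING -d $PUB_B -p tcp --dport 21 -j CT --helper ftp
COMMIT
*nat
-A PREROUTING -d $PUB_A -p tcp --dport 21 -j DNAT --to-destination $SRV:21
-A PREROUTING -d $PUB_B -p tcp --dport 21 -j DNAT --to-destination $b_host:$b_port
COMMIT
*filter
# Data channels (PASV/PORT) arrive as RELATED thanks to the helper, so no
# DNAT of the 49152-65535 range is needed.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d $SRV -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d $b_host -p tcp --dport $b_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Usage: ftp_nat_ruleset alias | iptables-restore
ftp_nat_ruleset alias
```

The alias variant is the one Pascal prefers: nothing about the FTP control port changes, so the helper works with its defaults and the only server-side change is a second address. Whichever variant is used, check that the helper is attached with `conntrack -L | grep ftp` (helper name shown in the entry) before assuming the RELATED rule will match the data channel.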


Thread overview: 11+ messages
2014-05-09 14:56 Losing connection between nat and filter tables Bruno de Paula Larini
2014-05-09 15:43 ` Anton Danilov
2014-05-09 16:12   ` Bruno de Paula Larini
2014-05-09 16:48     ` Anton Danilov
2014-05-09 20:45       ` Bruno de Paula Larini
2014-05-09 21:32         ` Mart Frauenlob
2014-05-10  0:31           ` Bruno de Paula Larini
2014-05-10 17:21             ` Pascal Hambourg
2014-05-12 13:20               ` Bruno de Paula Larini [this message]
2014-05-12 22:40                 ` Pascal Hambourg
2014-05-11 10:02             ` Mart Frauenlob
