From: Frédéric Massot
Date: Fri, 09 Mar 2007 15:21:02 +0000
Subject: [LARTC] Mark on FTP passive traffic
To: lartc@vger.kernel.org

Hi,

I use for a customer a Linux router/firewall with 1 internal interface connected to the LAN and 3 external interfaces connected to 3 different ISPs. I use a kernel 2.6.17 with a routes patch from Julian Anastasov.

I mark outgoing FTP traffic for the routing.

With the rules below I do not have a problem with active/normal FTP to connect to an FTP server.

But passive FTP does not pass, because I do not know how to mark the related packets whose ports are negotiated in the FTP session.

I quote only the rules for the internal interface and one of the external interfaces. The rules are the same for the three external interfaces.

# global rule for all traffic
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# FTP rule
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE1 -p tcp -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp -s $EXTERNAL_IP1 --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT

# FTP mark
iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 21 -j MARK --set-mark 0x21
iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 20 -j MARK --set-mark 0x21

Do you know how I can mark the related packets of passive FTP?

Regards.

-- 
========================
| FRÉDÉRIC MASSOT |
| http://www.juliana-multimedia.com |
| mailto:frederic@juliana-multimedia.com |
=============Debian=GNU/Linux=

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
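The following is an added example, not part of the original message nor a reply from the list. It shows the usual way to get the passive-mode data connection marked without knowing its port: the ip_conntrack_ftp helper (the 2.6.17-era module name; nf_conntrack_ftp on later kernels) reads the PASV reply on the control channel and registers an expectation, so the data connection arrives as RELATED and conntrack creates its entry with the mark of the control connection. Saving the routing mark into the control connection with CONNMARK and restoring it on every ESTABLISHED/RELATED packet therefore marks both the PORT and the PASV data channel, for all three ISPs at once, since the restore rule just copies back whatever mark was saved. The interface name, the mark 0x21 and an `ip rule add fwmark 0x21 table ...` routing rule are assumptions taken from the post; the script only prints the rules unless it is started with the argument `apply`. Two caveats for a firewall: keep the helper's `loose` parameter at its default of 0 so a PASV reply pointing at a third host is not turned into an expectation, and note that the helper cannot read a TLS-protected control channel (AUTH TLS / FTPS), so those sessions never become RELATED and this trick cannot route their data channel.

```shell
#!/bin/sh
# Added example (not the original poster's configuration): let passive-FTP
# data connections inherit the routing mark of their control connection.
#
# Assumptions not stated in the post:
#   - FTP helper module is ip_conntrack_ftp (2.6.17; nf_conntrack_ftp on 2.6.20+)
#   - the CONNMARK target and connmark/state matches are compiled in
#   - the mark 0x21 selects the ISP1 table via e.g.: ip rule add fwmark 0x21 table isp1
#   - INTERNAL_INTERFACE defaults to eth0 here (placeholder)

IPT=${IPT:-iptables}

# Load the FTP helper so conntrack parses PORT/PASV and creates expectations.
# Leave the module's "loose" parameter at its default (0): with loose=1 the
# helper would also expect connections to addresses other than the server's.
ftp_helper_load() {
    ${MODPROBE:-modprobe} ip_conntrack_ftp
}

# ftp_mark_rules IN_IF MARK
#   IN_IF : LAN-facing interface (the post's $INTERNAL_INTERFACE)
#   MARK  : fwmark used by the routing rule of the ISP this FTP traffic should use
ftp_mark_rules() {
    in_if=$1
    mark=$2

    # 1. First packet of an FTP control connection from the LAN: set the
    #    routing mark on the packet, then copy it into the conntrack entry.
    $IPT -t mangle -A PREROUTING -i "$in_if" -p tcp --dport 21 \
        -m state --state NEW -j MARK --set-mark "$mark"
    $IPT -t mangle -A PREROUTING -i "$in_if" -p tcp --dport 21 \
        -m state --state NEW -j CONNMARK --save-mark

    # 2. Every later packet from the LAN that belongs to a tracked connection:
    #    copy the conntrack mark back onto the packet before the route lookup.
    #    This covers the rest of the control channel AND the data channel: the
    #    first data packet matches the helper's expectation (state RELATED),
    #    and conntrack creates its entry with the master's mark, so passive
    #    data leaves through the same ISP as its control channel even though
    #    the port was negotiated inside the session.
    $IPT -t mangle -A PREROUTING -i "$in_if" \
        -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark

    # Same three rules for FTP sessions started by the router itself.
    $IPT -t mangle -A OUTPUT -p tcp --dport 21 \
        -m state --state NEW -j MARK --set-mark "$mark"
    $IPT -t mangle -A OUTPUT -p tcp --dport 21 \
        -m state --state NEW -j CONNMARK --save-mark
    $IPT -t mangle -A OUTPUT \
        -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
}

# Usage:  sh ftp-passive-mark.sh apply   -> load the helper and install the rules
#         sh ftp-passive-mark.sh         -> only print the rules it would run
if [ "${1:-}" = apply ]; then
    ftp_helper_load
else
    IPT="echo iptables"
fi
ftp_mark_rules "${INTERNAL_INTERFACE:-eth0}" 0x21
```

The `--dport 20` rules from the post become unnecessary: the active-mode data connection (server port 20 to the client) is also RELATED and is handled by the same restore rule. To confirm the helper is doing its job, watch `/proc/net/ip_conntrack` during a passive transfer: the data connection should appear with the control connection's mark value.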