From: "Leonid Zeitlin" <lz@csltd.com.ua>
To: netfilter@vger.kernel.org
Subject: Re: IPTables : How to force data coming from ethX being output by the same device
Date: Wed, 23 Apr 2008 17:49:47 +0300
Message-ID: <funiac$l5i$1@ger.gmane.org>
In-Reply-To: c4ecb9830804230703q3f3cc02doc03c34a293d6014c@mail.gmail.com

Hi Yves,
I'm not sure I understand your problem completely, but it sounds like your 
situation is similar to the one described in the Linux Advanced Routing and 
Traffic Control HOWTO, section 4.2, here: 
http://lartc.org/howto/lartc.rpdb.multiple-links.html. Try to follow the 
instructions in section 4.2.1 "Split access"; this might be what you need.

Thanks,
  Leonid


"Yves DUF" <yves.duf@gmail.com> wrote in message 
news:c4ecb9830804230703q3f3cc02doc03c34a293d6014c@mail.gmail.com...
> Hello World.
>
> Not totally dumb with iptables (I know how to build a simple
> firewall), I'm far from being an expert. I have a quite simple need,
> but the more I try to build it, the less I understand how to do it :={
>
> ==============================
> Let me explain my configuration :
> ==============================
> I have a GNU/Linux server with two Ethernet boards, for hosting an FTP 
> server.
> Here is a simplified diagram of my network :
>
>    FTP Server                  Netasq FireWall Router             FTP client
>   ___________               _____________________________
>  |           |             |                             |
>  | eth0/IP1a |-------------| Dev 1 (IP1b)                |
>  |           |             |                             |
>  |           |             |                Dev 3 (IP3b) |--------- Client (IP3a)
>  |           |             |                             |
>  | eth1/IP2a |-------------| Dev 2 (IP2b)                |
>  |___________|             |_____________________________|
>
> The 3 sub-networks IP1 IP2 and IP3 are different. All the routing are
> direct (no NAT/DNAT).
>
> Some other constraints:
> - I cannot use two hosts for the FTP server, nor any other hardware.
> - I cannot use NAT/DNAT inside the Netasq Firewall.
>
> ==============================
> The issue :
> ==============================
> The FTP client from IP3a arrives at the router on IP3b. It redirects the
> packet to the right wire (IP1a or IP1b). So the FTP server
> receives the connection from the right link.
> When the FTP server wants to answer, it aims at IP3a. But it doesn't know
> which device to use (eth0 or eth1). So it uses the default gateway (in
> that case, let's say eth0).
> The whole thing works if I ftp to IP1a. But when I ftp to IP2a, the
> answer comes back through IP1b. And the firewall blocks it because
> it's not an authorized transfer.
>
> ==============================
> The mighty solution :
> ==============================
> I think that iptables on the GNU/Linux FTP server would be a good
> solution, to do a sort of "FTP conntracking". But I can't manage to
> write a simple rule like "All traffic that comes in on ethX will go out
> via ethX".
> Does somebody have ideas on this subject (iptables or whatever else)?
>
> Regards.
> Yves
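The "split access" setup Leonid points to is source-based policy routing, not an iptables rule: netfilter cannot choose the egress interface, the routing subsystem does, so the fix is one routing table per uplink plus an `ip rule` that selects it by source address. The script below is an added example for this thread; it is neither Leonid's code nor text from the LARTC HOWTO. The interface names, table ids 101/102 and the RFC 5737 addresses standing in for IP1a/IP1b and IP2a/IP2b are constructed placeholders. Run it with `show` to print the commands it would issue, or with `apply` as root to execute them; with no argument it only defines the functions.

```shell
#!/bin/sh
# Split-access policy routing for a host with two uplinks (LARTC HOWTO 4.2.1
# style). Added example, not code from the thread or the HOWTO.
# Constructed placeholders (RFC 5737 documentation ranges):
#   eth0  192.0.2.10/24     gateway 192.0.2.1     (stands in for IP1a / IP1b)
#   eth1  198.51.100.10/24  gateway 198.51.100.1  (stands in for IP2a / IP2b)
# Usage: sh split-access.sh show   (print commands)
#        sh split-access.sh apply  (execute, root required)

DRY_RUN=1   # print instead of execute unless "apply" is requested

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# split_access IFACE LOCAL_IP NET/PREFIX GATEWAY TABLE PRIO
# Builds a per-link routing table (the directly connected subnet plus a
# default route via that link's gateway) and a rule sending every packet
# sourced from LOCAL_IP through that table. The kernel answers a connection
# from the address it was accepted on, so replies to a client that connected
# to LOCAL_IP leave through IFACE, which is what the firewall expects to see.
split_access() {
    iface=$1
    local_ip=$2
    net=$3
    gateway=$4
    table=$5
    prio=$6
    # flush first so rerunning the script rebuilds the table cleanly
    run ip route flush table "$table"
    run ip route add "$net" dev "$iface" src "$local_ip" table "$table"
    run ip route add default via "$gateway" dev "$iface" table "$table"
    # drop a stale rule from a previous run, if any, then install ours
    run ip rule del from "$local_ip" lookup "$table" 2>/dev/null || true
    run ip rule add from "$local_ip" lookup "$table" priority "$prio"
}

# configure_ftp_host: one table per uplink. Priorities 100/101 sit before the
# main table (32766), which keeps the ordinary default route for traffic the
# host originates itself.
configure_ftp_host() {
    split_access eth0 192.0.2.10    192.0.2.0/24    192.0.2.1    101 100
    split_access eth1 198.51.100.10 198.51.100.0/24 198.51.100.1 102 101
}

case "${1:-}" in
    apply) DRY_RUN=0; configure_ftp_host ;;
    show)  DRY_RUN=1; configure_ftp_host ;;
esac
```

With this in place a session that arrived via Dev 2 is answered from IP2a, matches the `from IP2a` rule and is routed out eth1 towards IP2b, so the firewall sees the return traffic on the link the request came in on. Numeric table ids avoid editing `/etc/iproute2/rt_tables`; `ip rule show` and `ip route show table 102` let you verify the result.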



