From: Michal Ludvig <michal@logix.cz>
To: netfilter@lists.netfilter.org
Subject: MARKing FTP traffic
Date: Fri, 28 Oct 2005 15:42:24 +1300
Message-ID: <43619010.4000204@logix.cz>
Hi there,
I've got a problem with policy routing for FTP traffic. All I want is to
route all FTP traffic to a given server through link 'eth1' and all
other traffic including non-FTP to that server through 'eth0'.
I've got a default routing table:
# ip route list
192.168.157.21 via 192.168.0.254 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.137
default via 192.168.0.254 dev eth0
And "table 1" with the route via device eth1:
# ip route list table 1
192.168.157.21 via 192.168.0.254 dev eth1 src 192.168.0.160
Then there is a rule to lookup table 1 for packets marked with
fwmark 0x6:
# ip rule
0: from all lookup local
32765: from all fwmark 0x6 lookup 1
Finally two iptables rules to mark FTP packets with mark 6:
# iptables -t mangle -A OUTPUT -p tcp -d 192.168.157.21 --dport 21 \
-j MARK --set-mark 6
and to SNAT them to the IP of eth1:
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.160
So far so good: the ftp control connection to 192.168.157.21 works just
fine, I can login, etc. However, as soon as I try to download a file or
list a directory, i.e. open a data connection, everything breaks:
1) In "active" mode the packet sent to the server contains "PORT
192.168.0.137,<port>" which isn't translated to 192.168.0.160 in the
SNAT rule and the server responds with "500 Illegal PORT command."
2) In "passive" mode both sides negotiate random ports, but such a
connection isn't caught by the MARK rule and is sent over eth0 with src
address 192.168.0.137. Obviously the ftp server responds with "425
Security: Bad IP connecting."
I have finally found a half-working dirty solution:
# iptables -t mangle -A OUTPUT -p tcp -d 192.168.157.21 \
-m state --state RELATED -j MARK --set-mark 6
However this would affect all RELATED connections, not only FTP ones
(well, that's likely not a huge problem but still :-) and it works with
active ftp only which could be a serious problem.
Is there a proper way to track these ftp-data connections and mark them
appropriately in both active and passive mode?
I'm running 2.6.11 and iptables 1.3.3 but a solution that would work on
2.4.22 with iptables 1.2.8 would be much more appreciated ;-)
Thanks!
Michal Ludvig
--
* Personal homepage: http://www.logix.cz/michal
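Added example, not from Michal's post or from the list reply: the two problems above (the untranslated PORT payload and the unmarked passive data connection) are what the FTP conntrack and NAT helpers exist for, so this script loads them and narrows the "mark every RELATED connection" workaround to connections expected by the ftp helper. It assumes the `ip rule`/table 1 setup from the post is already in place, an iptables with the `helper` match, and the 2.6-era module names ip_conntrack_ftp / ip_nat_ftp (nf_conntrack_ftp / nf_nat_ftp on newer kernels).

```shell
#!/bin/sh
# Example script (not the original poster's configuration). Generates the
# mangle/nat rules in iptables-restore format; applies them only when run
# as root with the "apply" argument.
FTP_SERVER=192.168.157.21   # addresses and mark taken from the post
FTP_MARK=6
OUT_IF=eth1
SNAT_IP=192.168.0.160

# Emit the rule set. The 'helper' match selects every packet of a
# connection that the ftp conntrack helper expected (active or passive
# data), so unrelated RELATED connections (e.g. ICMP errors) stay unmarked.
gen_ftp_rules() {
    cat <<EOF
*mangle
# control connection: mark it so the fwmark rule routes it via table 1
-A OUTPUT -p tcp -d $FTP_SERVER --dport 21 -j MARK --set-mark $FTP_MARK
# data connections expected by the ftp helper inherit the same mark
-A OUTPUT -d $FTP_SERVER -m helper --helper ftp -j MARK --set-mark $FTP_MARK
COMMIT
*nat
# SNAT on $OUT_IF as before; with ip_nat_ftp loaded the PORT/PASV payload
# of the control connection is rewritten to the SNAT address as well
-A POSTROUTING -o $OUT_IF -j SNAT --to-source $SNAT_IP
COMMIT
EOF
}

# Number of rules (lines starting with "-A") in the generated set.
count_rules() {
    gen_ftp_rules | grep -c '^-A '
}

# Load the helpers and apply the rules without flushing existing chains.
apply_ftp_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; return 1; }
    modprobe ip_conntrack_ftp && modprobe ip_nat_ftp || return 1
    gen_ftp_rules | iptables-restore --noflush
}

case "$1" in
    apply) apply_ftp_rules ;;
    *)     gen_ftp_rules ;;
esac
```

Run without arguments to review the generated rules; `sh script.sh apply` loads the helpers and installs them.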