IPTables : How to force data coming from ethX being output by the same device

IPTables : How to force data coming from ethX being output by the same device

[Yves DUF]

Hello World.

Not totally dumb with iptables (I know how to build a simple
firewall), I'm far from being an expert. I got a quite simple need,
but the more I try to build it, the less I understand how to do it :={

==============================
Let me explain my configuration :
==============================
I got a GNU/Linux server, with two Ethernet boards, for hosting on FTP server.
Here is a simplified diagram of my network :

    FTP Server     <=>                Netasq FireWall Router
    <=>       FTP client
   _________                ________________________________
  | eth0/ IP1a | _______ |  Dev 1
       |                   _________
  |                 |              |  + IP1b
                 |                  |   Client    |
  |                 |              |
     Dev 3       |  ________  |  + IP3a    |
  | eth1/ IP2a |________|  Dev 2                              + IP3b
   |                  |_________|
  | _________|              |  + IP2b
          |
                                  |________________________________|

The 3 sub-networks IP1 IP2 and IP3 are different. All the routing are
direct (no NAT/DNAT).

Some others constraints:
- I can not use two hosts for FTP server, neither another hardware
- I can not use NAT/DNAT inside the Netasq Firewall.

==============================
The issue :
==============================
The FTP client from IP3a arrives to router IP3b. It redirect the
packet to the good aimed wire (IP1a or IP1b). So the FTP server
receive the connection from the good link.
When the FTP server wants to answer, it aims IP3a. But it doesn't know
which device to use (eth0 or eth1). So it use the default gateway (if
that case let say eth0).
The whole stuff works if I do ftp to IP1a. But when I do ftp IP2a, the
answer comes back through IP1b. And the firewall blocks it because
it's not an authorized transfer.

==============================
The mighty solution :
==============================
I think that iptables on the GNU/Linux FTP server would be a good
solution, to do a sort of "ftp contracking". But I don't manage to
write a simple rule as "All traffic that comes from ethX will output
by ethX"
Does somebody got ideas on this subject (iptables or whatever else)?

Regards.
Yves

Re: IPTables : How to force data coming from ethX being output by the same device

[Leonardo Rodrigues Magalhães]

Yves DUF escreveu:
> I think that iptables on the GNU/Linux FTP server would be a good
> solution, to do a sort of "ftp contracking". But I don't manage to
> write a simple rule as "All traffic that comes from ethX will output
> by ethX"
> Does somebody got ideas on this subject (iptables or whatever else)?
>
>   
    This is not iptables related, this is ROUTING related.

    iptables does not route packages. If packets are arriving in one 
interface and going on another, that's because your ROUTING table says that.

    On more-than-1-public interface situations, you may need some 
advanced routing rules, ie source routing, to get things working properly.

    iptables has the ftp conntracking module, but again, it has nothing 
to do with routing, it wont help your needs.

-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it

Re: IPTables : How to force data coming from ethX being output by the same device

[Jan Engelhardt]

On Wednesday 2008-04-23 16:37, Leonardo Rodrigues Magalhães wrote:
> Yves DUF escreveu:
>> I think that iptables on the GNU/Linux FTP server would be a good
>> solution, to do a sort of "ftp contracking". But I don't manage to
>> write a simple rule as "All traffic that comes from ethX will output
>> by ethX"
>> Does somebody got ideas on this subject (iptables or whatever else)?
>>
>>   
>   This is not iptables related, this is ROUTING related.
>
>   iptables does not route packages.

apt/smart routes packages :p

Re: IPTables : How to force data coming from ethX being output by the same device

[Leonid Zeitlin]

Hi Yves,
I'm not sure I understand your problem completely, but sounds like your 
situation is similar to the one described in Linux Advanced Routing and 
Traffic Control HOWTO section 4.2 here: 
http://lartc.org/howto/lartc.rpdb.multiple-links.html. Try to follow the 
instructions in section 4.2.1 "Split access", this might be what you need.

Thanks,
  Leonid


"Yves DUF" <yves.duf@gmail.com> ???????/???????? ? ???????? ?????????: 
news:c4ecb9830804230703q3f3cc02doc03c34a293d6014c@mail.gmail.com...
> Hello World.
>
> Not totally dumb with iptables (I know how to build a simple
> firewall), I'm far from being an expert. I got a quite simple need,
> but the more I try to build it, the less I understand how to do it :={
>
> ==============================
> Let me explain my configuration :
> ==============================
> I got a GNU/Linux server, with two Ethernet boards, for hosting on FTP 
> server.
> Here is a simplified diagram of my network :
>
>    FTP Server     <=>                Netasq FireWall Router
>    <=>       FTP client
>   _________                ________________________________
>  | eth0/ IP1a | _______ |  Dev 1
>       |                   _________
>  |                 |              |  + IP1b
>                 |                  |   Client    |
>  |                 |              |
>     Dev 3       |  ________  |  + IP3a    |
>  | eth1/ IP2a |________|  Dev 2                              + IP3b
>   |                  |_________|
>  | _________|              |  + IP2b
>          |
>                                  |________________________________|
>
> The 3 sub-networks IP1 IP2 and IP3 are different. All the routing are
> direct (no NAT/DNAT).
>
> Some others constraints:
> - I can not use two hosts for FTP server, neither another hardware
> - I can not use NAT/DNAT inside the Netasq Firewall.
>
> ==============================
> The issue :
> ==============================
> The FTP client from IP3a arrives to router IP3b. It redirect the
> packet to the good aimed wire (IP1a or IP1b). So the FTP server
> receive the connection from the good link.
> When the FTP server wants to answer, it aims IP3a. But it doesn't know
> which device to use (eth0 or eth1). So it use the default gateway (if
> that case let say eth0).
> The whole stuff works if I do ftp to IP1a. But when I do ftp IP2a, the
> answer comes back through IP1b. And the firewall blocks it because
> it's not an authorized transfer.
>
> ==============================
> The mighty solution :
> ==============================
> I think that iptables on the GNU/Linux FTP server would be a good
> solution, to do a sort of "ftp contracking". But I don't manage to
> write a simple rule as "All traffic that comes from ethX will output
> by ethX"
> Does somebody got ideas on this subject (iptables or whatever else)?
>
> Regards.
> Yves
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: IPTables : How to force data coming from ethX being output by the same device

[Leonardo Rodrigues Magalhães]

Jan Engelhardt escreveu:
> On Wednesday 2008-04-23 16:37, Leonardo Rodrigues Magalhães wrote:  
>   
>>   This is not iptables related, this is ROUTING related.
>>
>>   iptables does not route packages.
>>     
>
> apt/smart routes packages :p

    hmmmm i use Fedora, so i'll stick with yum :)

    sorry for that, i mean 'packets' and not 'packages'.

    iptables does not route network packets, that's done by kernel based 
on the routing table entries. it's completly NOT iptables related.

-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it

Re: IPTables : How to force data coming from ethX being output by the same device

[Jan Engelhardt]

On Wednesday 2008-04-23 16:51, Leonardo Rodrigues Magalhães wrote:
> Jan Engelhardt escreveu:
>> On Wednesday 2008-04-23 16:37, Leonardo Rodrigues Magalhães wrote:  
>>   
>> >   This is not iptables related, this is ROUTING related.
>> >
>> >   iptables does not route packages.
>> >     
>>
>> apt/smart routes packages :p
>
>   hmmmm i use Fedora, so i'll stick with yum :)
>
>   sorry for that, i mean 'packets' and not 'packages'.
>
>   iptables does not route network packets, that's done by kernel based on the
> routing table entries. it's completly NOT iptables related.

It is not completely not related. By changing things such as
nfmark, TOS field, source or destination address, routing can
be influenced, so I would not say it's totally unrelated :)

Re: IPTables : How to force data coming from ethX being output by the same device

[John covici]

The normal mailing list for routing related stuff seems to be broke or
moved, anyone know what is going on with that?

on Wednesday 04/23/2008 Jan Engelhardt(jengelh@computergmbh.de) wrote
 > 
 > On Wednesday 2008-04-23 16:51, Leonardo Rodrigues Magalhães wrote:
 > > Jan Engelhardt escreveu:
 > >> On Wednesday 2008-04-23 16:37, Leonardo Rodrigues Magalhães wrote:  
 > >>   
 > >> >   This is not iptables related, this is ROUTING related.
 > >> >
 > >> >   iptables does not route packages.
 > >> >     
 > >>
 > >> apt/smart routes packages :p
 > >
 > >   hmmmm i use Fedora, so i'll stick with yum :)
 > >
 > >   sorry for that, i mean 'packets' and not 'packages'.
 > >
 > >   iptables does not route network packets, that's done by kernel based on the
 > > routing table entries. it's completly NOT iptables related.
 > 
 > It is not completely not related. By changing things such as
 > nfmark, TOS field, source or destination address, routing can
 > be influenced, so I would not say it's totally unrelated :)
 > --
 > To unsubscribe from this list: send the line "unsubscribe netfilter" in
 > the body of a message to majordomo@vger.kernel.org
 > More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

         John Covici
         covici@ccs.covici.com

Re: IPTables : How to force data coming from ethX being output by the same device

[Leonardo Rodrigues Magalhães]

Jan Engelhardt escreveu:
>
> It is not completely not related. By changing things such as
> nfmark, TOS field, source or destination address, routing can
> be influenced, so I would not say it's totally unrelated :)
>   

    Changing all these parameters will do nothing if you dont have 
appropriate routing rules that uses them as routing criteria parameters.

    Well .... yes, it's not completly unrelated, iptables really can 
'help' routing decisions with those things.

    iptables can be used to help routing decisions, but this is not the 
only way of doing it. You can have your source routing rules and get 
advanced routing without iptables rules, it's not required, but yes can 
be used sometimes. On pretty advanced routing situations, maybe iptables 
'helping' rules would be necessary, but advanced routing can be done 
without iptables.


-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it

Re: IPTables : How to force data coming from ethX being output by the same device

[Jan Engelhardt]

On Wednesday 2008-04-23 17:21, John covici wrote:
>The normal mailing list for routing related stuff seems to be broke or
>moved, anyone know what is going on with that?

you mean lartc? It exists, but there is so few traffic that a float
could not represent it unambiguously anymore.

Re: IPTables : How to force data coming from ethX being output by the same device

[Alexei Ustyuzhaninov]

Leonardo Rodrigues Magalhães wrote:
> 
> 
> Jan Engelhardt escreveu:
>>
>> It is not completely not related. By changing things such as
>> nfmark, TOS field, source or destination address, routing can
>> be influenced, so I would not say it's totally unrelated :)
>>   
> 
>    Changing all these parameters will do nothing if you dont have 
> appropriate routing rules that uses them as routing criteria parameters.
> 
>    Well .... yes, it's not completly unrelated, iptables really can 
> 'help' routing decisions with those things.
> 
>    iptables can be used to help routing decisions, but this is not the 
> only way of doing it. You can have your source routing rules and get 
> advanced routing without iptables rules, it's not required, but yes can 
> be used sometimes. On pretty advanced routing situations, maybe iptables 
> 'helping' rules would be necessary, but advanced routing can be done 
> without iptables.

I don't think any routing may be done without iptables. A simple 
example: you have two internet connections and want to route all 
outgoing smtp traffic (dst port=25) to one provider and the rest of the 
traffic - to the other provider. How can you do this without marking 
packets with iptables?

-- 
Alexei

Re: IPTables : How to force data coming from ethX being output by the same device

[Leonardo Rodrigues Magalhães]

Alexei Ustyuzhaninov escreveu:
>
> I don't think any routing may be done without iptables. A simple 
> example: you have two internet connections and want to route all 
> outgoing smtp traffic (dst port=25) to one provider and the rest of 
> the traffic - to the other provider. How can you do this without 
> marking packets with iptables?
>

    OK ..... but i have 2 internet connections and want some specific 
IPs (my servers, for example) to go out on link1 and all the other 
machines reaches internet through link2, then it can be done without 
iptables, with plain source routing rules.


-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it

Re: IPTables : How to force data coming from ethX being output by the same device

[Jan Engelhardt]

On Wednesday 2008-04-23 19:31, Leonardo Rodrigues Magalhães wrote:
> Alexei Ustyuzhaninov escreveu:
>>
>> I don't think any routing may be done without iptables. A simple example: you
>> have two internet connections and want to route all outgoing smtp traffic
>> (dst port=25) to one provider and the rest of the traffic - to the other
>> provider. How can you do this without marking packets with iptables?
>>
>
>   OK ..... but i have 2 internet connections and want some specific IPs (my
> servers, for example) to go out on link1 and all the other machines reaches
> internet through link2, then it can be done without iptables, with plain source
> routing rules.

Yes, but I seem to remember you wanted all packets originating from
eth0 to go back into eth0; you did not mention specific IP addresses :-)
Either way, quite the same complexity class.

Re: IPTables : How to force data coming from ethX being output by the same device

[Yves DUF]

Hello all.

Thanks for your multiples advices, I didn't dream such a reactivity.
Sorry if I've mistaken with iptables, but maybe you are all right, it
seems more advanced routing than iptables.

2008/4/23, Leonid Zeitlin <lz@csltd.com.ua>:
> Hi Yves,
>  I'm not sure I understand your problem completely, but sounds like your
>  situation is similar to the one described in Linux Advanced Routing and
>  Traffic Control HOWTO section 4.2 here:
>  http://lartc.org/howto/lartc.rpdb.multiple-links.html. Try to follow the
>  instructions in section 4.2.1 "Split access", this might be what you need.

Thanks for the link. Let me some time to understand and test this, and
I will say if it was the good answer.

Regards.
Yves

Re: IPTables : How to force data coming from ethX being output by the same device

[Alexei Ustyuzhaninov]

Leonardo Rodrigues Magalhães wrote:
> 
> 
> Alexei Ustyuzhaninov escreveu:
>>
>> I don't think any routing may be done without iptables. A simple 
>> example: you have two internet connections and want to route all 
>> outgoing smtp traffic (dst port=25) to one provider and the rest of 
>> the traffic - to the other provider. How can you do this without 
>> marking packets with iptables?
>>
> 
>    OK ..... but i have 2 internet connections and want some specific IPs 
> (my servers, for example) to go out on link1 and all the other machines 
> reaches internet through link2, then it can be done without iptables, 
> with plain source routing rules.

Yes, surely some routing cases (well, most of them in real life) maybe 
done with old good route command without any additional tools. But some 
special ones require iptables.

-- 
Alexei