From: "Yves DUF" <yves.duf@gmail.com>
To: netfilter@vger.kernel.org
Subject: IPTables : How to force data coming from ethX being output by the same device
Date: Wed, 23 Apr 2008 16:03:59 +0200
Message-ID: <c4ecb9830804230703q3f3cc02doc03c34a293d6014c@mail.gmail.com>
Hello World.
Not totally dumb with iptables (I know how to build a simple
firewall), I'm far from being an expert. I have a quite simple need,
but the more I try to build it, the less I understand how to do it :={
==============================
Let me explain my configuration:
==============================
I have a GNU/Linux server, with two Ethernet boards, for hosting an FTP server.
Here is a simplified diagram of my network:
FTP Server <=> Netasq FireWall Router <=> FTP client
_________ ________________________________
| eth0/ IP1a | _______ | Dev 1
| _________
| | | + IP1b
| | Client |
| | |
Dev 3 | ________ | + IP3a |
| eth1/ IP2a |________| Dev 2 + IP3b
| |_________|
| _________| | + IP2b
|
|________________________________|
The 3 sub-networks IP1, IP2 and IP3 are different. All the routing is
direct (no NAT/DNAT).
Some other constraints:
- I cannot use two hosts for the FTP server, nor any other hardware
- I cannot use NAT/DNAT inside the Netasq Firewall.
==============================
The issue:
==============================
The FTP client from IP3a arrives at router IP3b. It redirects the
packet to the correct target wire (IP1a or IP1b). So the FTP server
receives the connection on the right link.
When the FTP server wants to answer, it aims at IP3a. But it doesn't know
which device to use (eth0 or eth1). So it uses the default gateway (in
that case, let's say eth0).
The whole thing works if I ftp to IP1a. But when I ftp to IP2a, the
answer comes back through IP1b, and the firewall blocks it because
it's not an authorized transfer.
==============================
The mighty solution:
==============================
I think that iptables on the GNU/Linux FTP server would be a good
solution, to do a sort of "ftp conntracking". But I can't manage to
write a simple rule such as "All traffic that comes from ethX will go
out by ethX".
Does somebody have ideas on this subject (iptables or anything else)?
Regards.
Yves
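The usual way to get "replies leave by the interface they arrived on" is source-based policy routing with iproute2 rather than an iptables rule: one routing table per interface, each with that side's gateway as its default route, selected by the local source address. The script below is an added example written for this thread, not from the original poster or any reply; the interface names and RFC 5737 addresses are constructed placeholders standing in for IP1a/IP1b (eth0) and IP2a/IP2b (eth1).

```sh
#!/bin/sh
# Added example (not from the thread): per-interface routing tables selected
# by source address, so a reply sent from eth0's address goes out via eth0's
# gateway and a reply from eth1's address goes out via eth1's gateway.
# All addresses below are constructed placeholders (RFC 5737).
set -eu

ETH0_DEV=eth0; ETH0_ADDR=192.0.2.10;    ETH0_GW=192.0.2.1;    ETH0_NET=192.0.2.0/24
ETH1_DEV=eth1; ETH1_ADDR=198.51.100.10; ETH1_GW=198.51.100.1; ETH1_NET=198.51.100.0/24

# Emit the commands for one interface: a dedicated table holding the
# connected route and a default route via that side's gateway, plus a
# rule that sends packets sourced from the interface's address to it.
policy_routes_for() {
    dev=$1; addr=$2; gw=$3; net=$4; table=$5
    printf 'ip route replace %s dev %s src %s table %s\n' "$net" "$dev" "$addr" "$table"
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$dev" "$table"
    # Priority 1000+table sits between the "local" (0) and "main" (32766)
    # rules, so the main table still serves locally originated traffic.
    printf 'ip rule add from %s lookup %s priority %s\n' "$addr" "$table" "$((1000 + table))"
}

# The complete plan: table 100 for eth0, table 101 for eth1.
policy_routes() {
    policy_routes_for "$ETH0_DEV" "$ETH0_ADDR" "$ETH0_GW" "$ETH0_NET" 100
    policy_routes_for "$ETH1_DEV" "$ETH1_ADDR" "$ETH1_GW" "$ETH1_NET" 101
}

# Print the plan by default; run it only when "apply" is given (needs root).
main() {
    if [ "${1:-}" = apply ]; then
        policy_routes | sh -e
    else
        policy_routes
    fi
}

main "$@"
```

This works for FTP because both the control-connection replies and any server-initiated data connection carry, as source, the address the client originally connected to, so the source-address rule always picks the matching interface. Run `ip rule show` and `ip route show table 101` afterwards to confirm the rules and routes were installed.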