Linux Netfilter discussions
From: "Leonid Zeitlin" <lz@csltd.com.ua>
To: netfilter@vger.kernel.org
Subject: Re: IPTables : How to force data coming from ethX being output by the same device
Date: Wed, 23 Apr 2008 17:49:47 +0300
Message-ID: <funiac$l5i$1@ger.gmane.org>
In-Reply-To: c4ecb9830804230703q3f3cc02doc03c34a293d6014c@mail.gmail.com

Hi Yves,
I'm not sure I understand your problem completely, but it sounds like your
situation is similar to the one described in the Linux Advanced Routing and
Traffic Control HOWTO, section 4.2, here:
http://lartc.org/howto/lartc.rpdb.multiple-links.html. Try to follow the
instructions in section 4.2.1 "Split access"; this might be what you need.

Thanks,
  Leonid


"Yves DUF" <yves.duf@gmail.com> wrote in message
news:c4ecb9830804230703q3f3cc02doc03c34a293d6014c@mail.gmail.com...
> Hello World.
>
> Not totally dumb with iptables (I know how to build a simple
> firewall), I'm far from being an expert. I have a quite simple need,
> but the more I try to build it, the less I understand how to do it :={
>
> ==============================
> Let me explain my configuration :
> ==============================
> I have a GNU/Linux server, with two Ethernet boards, for hosting an FTP
> server.
> Here is a simplified diagram of my network :
>
>    FTP Server                 Netasq FireWall Router               FTP client
>   _____________            ________________________________
>  |             |          |                                |
>  | eth0 / IP1a |----------|  Dev 1 (IP1b)                  |
>  |             |          |                                |
>  |             |          |                  Dev 3 (IP3b)  |------ Client (IP3a)
>  |             |          |                                |
>  | eth1 / IP2a |----------|  Dev 2 (IP2b)                  |
>  |_____________|          |________________________________|
>
> The 3 sub-networks IP1, IP2 and IP3 are different. All routing is
> direct (no NAT/DNAT).
>
> Some others constraints:
> - I cannot use two hosts for the FTP server, nor any other hardware.
> - I cannot use NAT/DNAT inside the Netasq Firewall.
>
> ==============================
> The issue :
> ==============================
> The FTP client from IP3a arrives at the router IP3b. It redirects the
> packet to the right wire (IP1a or IP1b). So the FTP server
> receives the connection from the right link.
> When the FTP server wants to answer, it aims at IP3a. But it doesn't know
> which device to use (eth0 or eth1). So it uses the default gateway (in
> that case, let's say eth0).
> The whole thing works if I do ftp to IP1a. But when I do ftp to IP2a, the
> answer comes back through IP1b. And the firewall blocks it because
> it's not an authorized transfer.
>
> ==============================
> The mighty solution :
> ==============================
> I think that iptables on the GNU/Linux FTP server would be a good
> solution, to do a sort of "ftp conntracking". But I don't manage to
> write a simple rule like "All traffic that comes from ethX will be
> output by ethX".
> Does somebody have ideas on this subject (iptables or whatever else)?
>
> Regards.
> Yves
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
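To make the pointer to LARTC 4.2.1 "Split access" concrete, here is that recipe as a small shell script. This is an added example, not code from either poster or from the LARTC HOWTO. The interfaces, addresses (RFC 5737 documentation ranges) and table numbers are assumed placeholders for IP1a/IP1b on eth0 and IP2a/IP2b on eth1, and the client address stands in for IP3a. The point it demonstrates is that the routing decision is keyed on the reply's source address, which the FTP server's accepted socket inherits from the address the client connected to, so replies to a connection that arrived on eth1 leave via Dev 2 instead of following the main table's default route via Dev 1.

```shell
#!/bin/sh
# Added example (not from the original thread): LARTC 4.2.1 "Split access".
# Source-based policy routing so that replies leave through the interface
# whose address the client connected to.
#
# All interfaces, addresses and table numbers are ASSUMED placeholders
# (RFC 5737 documentation ranges) for IP1a/IP1b (eth0) and IP2a/IP2b (eth1).

APPLY="${APPLY:-0}"   # set APPLY=1 to really execute (root and iproute2 needed)

run() {
    # Print every command; execute it only when APPLY=1.
    printf '%s\n' "$*"
    if [ "$APPLY" = "1" ]; then
        "$@"
    fi
}

# split_access IFACE NET/PREFIX LOCAL_IP GATEWAY TABLE
# Builds one routing table per link plus the rule that selects it by source.
split_access() {
    iface="$1"; net="$2"; local_ip="$3"; gw="$4"; table="$5"
    # Link route inside the per-link table, with the source address pinned
    run ip route add "$net" dev "$iface" src "$local_ip" table "$table"
    # Default route for that table via the link's own gateway (Dev 1 / Dev 2)
    run ip route add default via "$gw" table "$table"
    # Source-based selection: packets sourced from this link's IP use its table
    run ip rule add from "$local_ip" table "$table"
}

# verify LOCAL_IP CLIENT_IP: asks the kernel which path a reply would take
verify() {
    run ip route get "$2" from "$1"
}

main() {
    # eth0 <-> Dev 1 and eth1 <-> Dev 2 (placeholders for IP1a/IP1b, IP2a/IP2b)
    split_access eth0 192.0.2.0/24     192.0.2.10     192.0.2.1     100
    split_access eth1 198.51.100.0/24  198.51.100.10  198.51.100.1  200
    # The main table keeps its default via eth0, as in the original setup
    run ip route replace default via 192.0.2.1
    # Only needed on kernels before 3.6, which still had a route cache
    run ip route flush cache
    # Placeholder client IP3a: output should read "via 198.51.100.1 dev eth1"
    verify 198.51.100.10 203.0.113.5
}

main "$@"
```

By default the script only prints the iproute2 commands; run it with APPLY=1 as root to execute them, then check the `ip route get ... from ...` output for each local address. One caveat a practitioner should keep in mind: this covers FTP data connections only if the daemon binds them to the address the control connection arrived on. An active-mode transfer opened from an unbound socket gets its source address from the destination-based lookup in the main table and would again leave via eth0.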





Thread overview: 14+ messages
2008-04-23 14:03 IPTables : How to force data coming from ethX being output by the same device Yves DUF
2008-04-23 14:37 ` Leonardo Rodrigues Magalhães
2008-04-23 14:42   ` Jan Engelhardt
2008-04-23 14:51     ` Leonardo Rodrigues Magalhães
2008-04-23 15:17       ` Jan Engelhardt
2008-04-23 15:21         ` John covici
2008-04-23 16:12           ` Jan Engelhardt
2008-04-23 15:38         ` Leonardo Rodrigues Magalhães
2008-04-23 16:33           ` Alexei Ustyuzhaninov
2008-04-23 17:31             ` Leonardo Rodrigues Magalhães
2008-04-23 18:50               ` Jan Engelhardt
2008-04-24  4:38               ` Alexei Ustyuzhaninov
2008-04-23 14:49 ` Leonid Zeitlin [this message]
2008-04-23 19:06   ` Yves DUF