Chained packet filter

Linux Advanced Routing and Traffic Control

Dear Guru

I do not know if this is the most appropriate place to send this.
If it is not, please send me some good directions.

I am trying to configure an FTP server behind two consecutive packet
filters:

Internet <--->  Filter 1  <-->  Filter 2  <--> FTP SERVER

At Filter 1 I have:

INET_IFACE=eth1
# $IPTABLES and $STATIC_IP are set earlier in the script (not shown).
# DNAT inbound FTP control (21) and data (20) connections to the inner box.
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p TCP -d $STATIC_IP  \
      --dport 21 -j DNAT --to-destination 192.168.20.2
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p TCP -d $STATIC_IP  \
      --dport 20 -j DNAT --to-destination 192.168.20.2


When I launch ftp at the client I can see the following output thru inner
ethernet card (Filter 1 <--> Filter 2):

# tcpdump -e -p -n -i eth0 host 200.231.48.43
User level filter, protocol ALL, datagram packet socket
tcpdump: listening on eth0
11:50:39.261845 0:0:0:0:0:0 0:6:5b:28:62:b2 ip 74: 200.231.48.43.1291 >
192.168.20.2.ftp: S 1376590181:1376590181(0) win 5840 <mss
1460,nop,nop,timestamp 31629423 0,nop,wscale 0> (DF)

180 packets received by filter

# arp -an
? (200.231.48.97) at 00:60:1D:03:7F:41 [ether] on eth1
? (192.168.30.2) at 00:50:DA:27:5B:41 [ether] on eth0

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref  Use  Iface
192.168.30.0    0.0.0.0         255.255.255.252 U     0      0      0  eth0
192.168.20.0    192.168.30.2    255.255.255.0   UG    0      0      0  eth0
0.0.0.0         200.231.48.97   0.0.0.0         UG    0      0      0  eth1

As one can also see, the destination IP address was correctly changed but
the destination ethernet address is 0:0:0:0:0:0 !!
I can't see this packet going out from Filter 2 to FTP server.
Shouldn't this frame have the destination ethernet address
00:50:DA:27:5B:41, which is the gateway for network 192.168.20.0??

What am I missing?

# uname -a
Linux gateway 2.4.10 #1 Wed Sep 26 17:52:16 BRT 2001 i686 unknown

Ethy H. Brito         /"\
InterNexo Ltda.       \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860     X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil   / \

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
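A small checker for the kind of capture shown in the post, added here as an example (it is not code from the poster or from the LARTC project). It parses `tcpdump -e` lines, re-joins lines that a mail client wrapped, zero-pads the MACs so they can be compared with `arp -an` output, and then answers the three questions a defender asks of a NATted packet seen on the inner interface: was the destination rewritten to the internal server, is the link-layer source address all zeros, and does the link-layer destination match the next-hop gateway's ARP entry. Two facts it relies on: with `-e`, tcpdump prints the source MAC first and the destination MAC second, and a datagram packet socket (the "datagram packet socket" banner in the post) does not deliver the real link-layer header, so the printed MAC pair is reconstructed by the capture library rather than read from the wire. The sample capture is the post's own output, embedded as a string; the gateway MAC is copied from its `arp -an` listing. Python 3.6 or later is assumed.

```python
import re

# Port names tcpdump substitutes for well-known ports when run without -nn.
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20}

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+")
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src_mac>[0-9a-fA-F:]+)\s+(?P<dst_mac>[0-9a-fA-F:]+)\s+"  # -e: source MAC, then destination MAC
    r"(?P<ethertype>\S+)\s+(?P<length>\d+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)

# Constructed sample: the capture from the post, exactly as it was mail-wrapped.
SAMPLE_CAPTURE = """\
User level filter, protocol ALL, datagram packet socket
tcpdump: listening on eth0
11:50:39.261845 0:0:0:0:0:0 0:6:5b:28:62:b2 ip 74: 200.231.48.43.1291 >
192.168.20.2.ftp: S 1376590181:1376590181(0) win 5840 <mss
1460,nop,nop,timestamp 31629423 0,nop,wscale 0> (DF)

180 packets received by filter
"""


def normalize_mac(mac):
    """Zero-pad each octet so tcpdump's 0:6:5b:... and arp's 00:06:5B:... compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def split_endpoint(endpoint):
    """'200.231.48.43.1291' -> ('200.231.48.43', 1291); '192.168.20.2.ftp' -> ('192.168.20.2', 21)."""
    host, _, port = endpoint.rpartition(".")
    return host, (int(port) if port.isdigit() else SERVICE_PORTS.get(port))


def unwrap(text):
    """Yield one logical tcpdump line per packet, re-joining continuation lines
    that a mail client wrapped. A blank line ends a record; lines without a
    timestamp that do not continue a record (banners, summary) are dropped."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if TS_RE.match(line):
            if current:
                yield current
            current = line
        elif line and current:
            current += " " + line
        else:
            if current:
                yield current
            current = None
    if current:
        yield current


def parse_capture(text):
    """Parse every packet line of a `tcpdump -e` capture into a dict."""
    records = []
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if not m:
            continue
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        records.append({
            "ts": m["ts"],
            "src_mac": normalize_mac(m["src_mac"]),
            "dst_mac": normalize_mac(m["dst_mac"]),
            "length": int(m["length"]),
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
            "flags": m["rest"].split()[0],  # e.g. "S" for a SYN
        })
    return records


def check_dnat(rec, internal_ip, internal_port, gateway_mac):
    """Three checks for one forwarded packet seen on the inner interface."""
    return {
        "dnat_applied": rec["dst_ip"] == internal_ip and rec["dst_port"] == internal_port,
        "src_mac_is_zero": rec["src_mac"] == "00:00:00:00:00:00",
        "dst_mac_is_gateway": rec["dst_mac"] == normalize_mac(gateway_mac),
    }


if __name__ == "__main__":
    for rec in parse_capture(SAMPLE_CAPTURE):
        print(rec)
        # Gateway MAC taken from the post's `arp -an` entry for 192.168.30.2.
        print(check_dnat(rec, "192.168.20.2", 21, "00:50:DA:27:5B:41"))
```

Run against the post's capture, the checker reports that the DNAT did rewrite the destination to 192.168.20.2:21, that the all-zero address sits in the source position, and that the printed destination MAC is not the ARP entry for 192.168.30.2. Because the capture came from a datagram packet socket, neither printed MAC is evidence of what will go on the wire; checking the ARP cache and watching the outer interface of Filter 2 is the reliable way to see where the frame actually went.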
