Mark on FTP passive traffic

Linux Advanced Routing and Traffic Control

Hi,

For a customer I use a Linux router/firewall with 1 internal interface connected to the LAN and 3 external interfaces connected to 3 different ISPs. I use kernel 2.6.17 with a routes patch from Julian Anastasov.

I mark outgoing FTP traffic for routing.

With the rules below I have no problem with active/normal FTP connecting to an FTP server.

But passive FTP does not pass, because I do not know how to mark the related packets whose ports are negotiated in the FTP session.

I quote only the rules for the internal interface and one of the external interfaces. The rules are the same for the three external interfaces.

# global rule for all traffic
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# FTP rule
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE1 -p tcp -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp -s $EXTERNAL_IP1 --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT


# FTP mark
iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 21 -j MARK --set-mark 0x21

iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 20 -j MARK --set-mark 0x21


Do you know how I can mark the packets related to the passive FTP session?

Regards.
--
==============================================
|              FRÉDÉRIC MASSOT               |
|     http://www.juliana-multimedia.com      |
|   mailto:frederic@xxxxxxxxxxxxxxxxxxxxxx   |
===========================Debian=GNU/Linux===
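One way to get the negotiated data connections marked, as an added example that is not part of the original post: let the ftp conntrack helper track the port-21 control connection, store the routing mark on that connection with CONNMARK, and restore it onto every packet; the expected data connection inherits the control connection's connmark, so both passive and active data sessions pick up the mark. Variable names follow the post; the interface default, the mark value and the dry-run wrapper are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: mark FTP control connections in
# the mangle table and propagate the mark to the RELATED data connections
# via the ftp conntrack helper and CONNMARK. Defaults below are placeholders.
INTERNAL_INTERFACE=${INTERNAL_INTERFACE:-eth0}
FTP_MARK=${FTP_MARK:-0x21}

# Wrapper so the rule set can be printed instead of loaded (IPTABLES=echo).
ipt() { "${IPTABLES:-iptables}" "$@"; }

# The helper parses PORT/PASV on the control session and registers an
# expectation for the data connection; conntrack flags that connection
# RELATED and copies the master's connmark onto it.
# ip_nat_ftp is only needed when the LAN is NATed behind the router.
load_ftp_helpers() {
    for m in ip_conntrack_ftp ip_nat_ftp; do
        modprobe "$m" 2>/dev/null || true
    done
}

# $1 = mangle chain, remaining args = extra match (e.g. -i eth0).
mark_ftp_in_chain() {
    chain=$1; shift
    # 1. Reload the mark stored on the connection for every packet.
    #    Data connections carry the control connection's connmark, so this
    #    is the rule that actually marks passive-mode traffic.
    ipt -t mangle -A "$chain" "$@" -j CONNMARK --restore-mark
    # 2. First packet of a new control connection: set the routing mark and
    #    store it on the conntrack entry for all later packets.
    ipt -t mangle -A "$chain" "$@" -p tcp --dport 21 -m state --state NEW \
        -j MARK --set-mark "$FTP_MARK"
    ipt -t mangle -A "$chain" "$@" -p tcp --dport 21 -m state --state NEW \
        -j CONNMARK --save-mark
}

# Mark in PREROUTING (forwarded LAN traffic) and OUTPUT (router's own
# traffic): the fwmark route lookup happens after these chains, so a mark
# set only in FORWARD comes too late to choose the ISP.
ftp_mark_rules() {
    mark_ftp_in_chain PREROUTING -i "$INTERNAL_INTERFACE"
    mark_ftp_in_chain OUTPUT
}

case "${1:-}" in
    apply) load_ftp_helpers; IPTABLES=iptables; ftp_mark_rules ;;
    *)     IPTABLES=echo; ftp_mark_rules ;;   # dry run: only print the rules
esac
```

The existing filter rule accepting ESTABLISHED,RELATED already lets the data connections through; this only adds the mark that the fwmark routing rule needs.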

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
