Re: Mark on FTP passive traffic

Linux Advanced Routing and Traffic Control

On Fri, 09 Mar 2007 16:21:02 +0100
Frédéric Massot <frederic@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> I use for a customer a Linux router/firewall with 1 internal
> interface connected to the LAN and 3 external interfaces connected to
> 3 different ISPs. I use a kernel 2.6.17 with a routes patch from
> Julian Anastasov.
> 
> I mark outgoing FTP traffic for the routing.
> 
> With the rules below I do not have a problem with active/normal
> FTP connecting to an FTP server.
> 
> But passive FTP does not pass because I do not know how to mark
> the related packets whose ports are negotiated in the FTP session.
> 
> I quote only the rules for the internal interface and one of the 
> external interfaces. The rules are the same ones for the three
> external interfaces.
> 
> # global rule for all traffic
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # FTP rule
> iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE1 -p tcp -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT
> 
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp -s $EXTERNAL_IP1 --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT
> 
> 
> # FTP mark
> iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
> iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
> iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 21 -j MARK --set-mark 0x21
> 
> iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
> iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
> iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 20 -j MARK --set-mark 0x21
> 
> 
> Do you know how I can mark the related packets to the passive FTP?
> 
> Regards.

Here's what I'm using to mark ftp traffic for routing purposes, then
I use the prerouting chain:

# ftp
iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 20 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 20 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 21 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 21 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -m helper --helper ftp -j MARK --set-mark 1000

With the use of the ftp_conntrack helper you can match all your ftp
traffic, even passive ftp.

I hope this can help you.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
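Added example (not from either mail above, and not the kernel's code): a small Python model of what the FTP conntrack helper does that the static --dport 20/21 rules cannot. The helper reads the control channel on port 21, extracts the address and port announced in PASV (227) and EPSV (229) replies and in the client's PORT command, and registers an "expectation" for the data connection; the first packet of a connection fulfilling that expectation is RELATED to the control connection and is what `-m helper --helper ftp` matches. The sample session, the addresses and the mark value 1000 (taken from the reply) are constructed for this example.

```python
"""Toy model of the netfilter FTP conntrack helper (example code, not the
kernel's nf_conntrack_ftp and not from the mail above)."""
import re
from dataclasses import dataclass

# Lines that announce a data connection: server PASV (227) and EPSV (229)
# replies, and the client's PORT command.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

FTP_MARK = 1000  # the mark value used in the reply above


@dataclass(frozen=True)
class Expectation:
    """A data connection the helper expects: initiator, target and target port.
    The initiator's source port is not known in advance, so it is a wildcard."""
    src: str
    dst: str
    dport: int


def parse_control_line(line, client, server):
    """Turn one control-channel line into an Expectation, or None."""
    line = line.strip()
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        # Passive: the client will connect to the host:port the server announced.
        return Expectation(client, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.match(line)
    if m:
        # Extended passive: only the port is announced; the host is the server.
        return Expectation(client, server, int(m.group(1)))
    m = PORT_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        # Active: the server will connect back to the address the client gave.
        return Expectation(server, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    return None


def expectations_from_stream(lines, client, server, loose=False):
    """Collect the expectations a control session would create.

    Unless loose is set, an announced address that is not the control
    connection's own peer is ignored, mirroring the kernel helper's default
    (its `loose` module parameter is off), so a server cannot make the
    firewall open a RELATED hole towards a third host."""
    exps = []
    for line in lines:
        e = parse_control_line(line, client, server)
        if e is None:
            continue
        peer = server if e.src == client else client
        if not loose and e.dst != peer:
            continue
        exps.append(e)
    return exps


def expects(exps, src, dst, dport):
    """Return the pending expectation a new connection src->dst:dport fulfils."""
    for e in exps:
        if (e.src, e.dst, e.dport) == (src, dst, dport):
            return e
    return None


def mark_for(src, sport, dst, dport, exps):
    """Mark a new TCP connection as the PREROUTING rules in the reply would:
    static rules for ports 20/21, helper match for expected data connections."""
    if sport in (20, 21) or dport in (20, 21):
        return FTP_MARK
    if expects(exps, src, dst, dport) is not None:
        return FTP_MARK
    return 0


# Constructed sample session between a LAN client and an external server.
CLIENT, SERVER = "192.0.2.10", "198.51.100.7"
CONTROL_STREAM = [
    "220 Example FTP ready",
    "USER demo",
    "230 Login successful",
    "PASV",
    "227 Entering Passive Mode (198,51,100,7,195,80).",   # 195*256+80 = 50000
    "EPSV",
    "229 Entering Extended Passive Mode (|||50001|)",
    "PORT 192,0,2,10,200,1",                               # 200*256+1 = 51201
    "227 Entering Passive Mode (203,0,113,9,10,10).",     # third-party host: ignored
]

if __name__ == "__main__":
    exps = expectations_from_stream(CONTROL_STREAM, CLIENT, SERVER)
    for e in exps:
        print(f"expect {e.src} -> {e.dst}:{e.dport}")
    # The passive data connection gets the mark although 50000 appears in no rule.
    print(mark_for(CLIENT, 40001, SERVER, 50000, exps))  # 1000
    print(mark_for(CLIENT, 40002, SERVER, 50002, exps))  # 0
```

Two things to check before relying on the helper match on a real box: the helper module (nf_conntrack_ftp, ip_conntrack_ftp on 2.6.17-era kernels) has to be loaded, and on kernels from 4.7 onwards automatic helper assignment is off by default, so the control connection must be handed to the helper explicitly, for example with `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`; from kernel 6.0 the nf_conntrack_helper sysctl is gone and this explicit assignment is the only way. Without it `-m helper --helper ftp` never matches and passive FTP falls back to exactly the failure described in the question.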

