Iptables and eth1:1

Hi list,

I want to establish an active FTP connection from the internet to my FTPSERVER1 or FTPSERVER2.

Here is my config:

                              Internet
                                 |
  eth1 (195.xx.xx.100) / eth1:1 (195.xx.xx.101) / eth1:2 (195.xx.xx.102)
                              Linux Box
                         eth0 (192.168.100.1)
                                 |
                                LAN
  FTPSERVER1 (192.168.100.2)          FTPSERVER2 (192.168.100.3)

# FTP for FTPSERVER1: DNAT the control connection that arrives on the
# eth1:1 address to the LAN host, then allow the control traffic in FORWARD.
# (The post had "--to 92.168.100.2" here; FTPSERVER1 is 192.168.100.2
# according to the diagram above.)
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d 195.xx.xx.101 -i eth1 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j DNAT --to-destination 192.168.100.2
iptables -A FORWARD -s 0.0.0.0/0 -d 192.168.100.0/24 -p tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.100.0/24 -d 0.0.0.0/0 -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# FTP active data connection (server port 20) back to the client:
# masquerade it on the way out, accept the client's replies in FORWARD.
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -d 0.0.0.0/0 -p tcp --sport 20 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
iptables -A FORWARD -s 0.0.0.0/0 -d 192.168.100.0/24 -p tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT

# Let the server open the data connection from port 20 towards the client.
# (The post had 192.168.101.0/24 here, which is not the LAN in the diagram.)
iptables -A FORWARD -s 192.168.100.0/24 -d 0.0.0.0/0 -p tcp --sport 20 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

And this ruleset for the second FTP server too.

If I try to connect from the internet to IP 195.xx.xx.101, FTPSERVER1 prompts me to log in. So the connection to port 21 seems to be working, but if I try to make a dir or ls, I get no response. It seems to me that the POSTROUTING rule turns the sender IP address not into the address of eth1:1, from where the connection is started, but into the IP address of eth1, and so the FTP client cannot establish a data connection, because it doesn't send a request to the address of eth1.

Can anyone tell me what I have to do so that iptables doesn't rewrite the IP address to that of eth1 but to that of eth1:1?

Best regards

Kind regards

Berger-EDV Systemberatungs GmbH | Martin Daemen
Dönhoffstr. 25                  | System-Engineer
42655 Solingen                  | <mailto:daemen.martin@bergersysteme.com>
http://www.bergersysteme.com    | Tel.: 0212/2681100  Fax: 0212/2681101
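An added example, not the poster's rules and not netfilter project code: MASQUERADE always picks the primary address of the outgoing interface, so the port-20 data connection leaves as 195.xx.xx.100 no matter which alias the client used. The usual fix is an explicit SNAT with --to-source per LAN server, plus the FTP connection-tracking helper so the data connection is treated as RELATED to the control connection. The script below generates that ruleset for the two servers in the diagram and only prints it unless IPT_APPLY=1 is set; the 195.xx.xx.* values are the post's masked addresses and must be replaced, and the function names ftp_rules / ftp_ruleset and the assumption that eth1 is the WAN side are mine.

```shell
#!/bin/sh
# Added example (not from the original post): per-server SNAT for FTP
# servers behind a Linux NAT box, emitted as a reviewable rule list.
# Run with IPT_APPLY=1 as root to execute the rules instead of printing.
set -eu

WAN_IF=eth1                   # assumption: eth1 carries the public aliases
FTP1_LAN=192.168.100.2        # from the post's diagram
FTP1_PUBLIC=195.xx.xx.101     # eth1:1, masked in the post; replace
FTP2_LAN=192.168.100.3
FTP2_PUBLIC=195.xx.xx.102     # eth1:2, masked in the post; replace

# ftp_rules LAN_IP PUBLIC_IP: NAT and FORWARD rules for one server.
# SNAT --to-source (not MASQUERADE) is what fixes the source address
# the client sees on the port-20 data connection to the chosen alias.
ftp_rules() {
    lan_ip=$1
    pub_ip=$2
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -d $pub_ip -p tcp --dport 21 -j DNAT --to-destination $lan_ip
iptables -t nat -A POSTROUTING -o $WAN_IF -s $lan_ip -j SNAT --to-source $pub_ip
iptables -A FORWARD -i $WAN_IF -d $lan_ip -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o $WAN_IF -s $lan_ip -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o $WAN_IF -s $lan_ip -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -d $lan_ip -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Whole ruleset: load the FTP helper first (ip_conntrack_ftp / ip_nat_ftp
# on 2.4 and early 2.6 kernels, nf_conntrack_ftp / nf_nat_ftp on later
# ones); it parses the PORT command and marks the server's port-20
# connection RELATED to the control connection, so conntrack NATs it
# together with the control connection. Then one block per server.
ftp_ruleset() {
    echo "modprobe nf_conntrack_ftp"
    echo "modprobe nf_nat_ftp"
    ftp_rules "$FTP1_LAN" "$FTP1_PUBLIC"
    ftp_rules "$FTP2_LAN" "$FTP2_PUBLIC"
}

if [ "${IPT_APPLY:-0}" = 1 ]; then
    ftp_ruleset | sh -e     # apply; needs root and real public addresses
else
    ftp_ruleset             # dry run: print the commands for review
fi
```

Check the result with `iptables -t nat -L POSTROUTING -n -v` and a passive-off client; the data connection should now arrive at the client from 195.xx.xx.101 (or .102), matching the address the control connection went to. If the helper modules are not loaded, the port-20 connection is seen as NEW rather than RELATED and is still SNATed correctly by the explicit rule, but it will not match the RELATED/ESTABLISHED-only FORWARD rules.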
