ftp active mode conntracking with bridging

I am implementing a transparent proxy to handle active mode ftp and
so far have it working on a router with two ports but I am now trying to
get the same proxy to work on a bridge interface.

My bridge is setup as:

brctl addbr br0
brctl addif br0 eth1 eth2
ifconfig br0 10.0.0.27/24
echo 1 > /proc/sys/net/ipv4/ip_forward

Now to get the bridge packets to show up I do:

ebtables -t nat -A PREROUTING --logical-in br0 -p IPv4 --ip-proto tcp -j redirect --redirect-target ACCEPT

This will redirect ALL tcp, including port 21 which is the ftp server port.

I also have an iptables rule:

iptables -t nat -A PREROUTING -p tcp -m physdev --physdev-in eth1 -j REDIRECT --to-ports 9033

From a client machine (IPAddr=10.0.0.31) I now try to ftp to the
ftp.gnu.org server (140.186.70.20).

My transparent proxy is listening on port 9033 and receives the expected
connection (according to conntrack -E):

[NEW] tcp      6 120 SYN_SENT src=10.0.0.31 dst=140.186.70.20 sport=1554 dport=21 [UNREPLIED] src=10.0.0.27 dst=10.0.0.31 sport=9033 dport=1554
[UPDATE] tcp      6 60 SYN_RECV src=10.0.0.31 dst=140.186.70.20 sport=1554 dport=21 src=10.0.0.27 dst=10.0.0.31 sport=9033 dport=1554
[UPDATE] tcp      6 432000 ESTABLISHED src=10.0.0.31 dst=140.186.70.20 sport=1554 dport=21 src=10.0.0.27 dst=10.0.0.31 sport=9033 dport=1554 [ASSURED]
[UPDATE] tcp      6 120 FIN_WAIT src=10.0.0.31 dst=140.186.70.20 sport=1554 dport=21 src=10.0.0.27 dst=10.0.0.31 sport=9033 dport=1554 [ASSURED]
[UPDATE] tcp      6 10 CLOSE src=10.0.0.31 dst=140.186.70.20 sport=1554 dport=21 src=10.0.0.27 dst=10.0.0.31 sport=9033 dport=1554 [ASSURED]

... a few seconds later:

[DESTROY] tcp      6 src=10.0.0.31 dst=140.186.70.20 sport=1554 dport=21 packets=7 bytes=332 src=10.0.0.27 dst=10.0.0.31 sport=9033 dport=1554 packets=11 bytes=1147

But it appears that the ftp conntrack couldn't detect the PORT command to
associate the active mode return connection. So a DIR command fails on the
ftp client.

I enabled debug printks in ip_conntrack_ftp.c and it printed the psklen
message on line 330 for two packets. It appears the dataoffset calculation
may be incorrect for these bridged packets.

thanks!!!
-Jim.
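An added example, not part of Jim's post and not the netfilter helper's own code: a small Python model of the two things ip_conntrack_ftp has to get right on a control-channel packet before it can expect the active-mode data connection. First it locates the TCP payload at IHL*4 + (TCP data offset)*4, the calculation Jim suspects is going wrong for bridged frames; then it parses the PORT command and, like the helper with loose=0, refuses to expect a data connection whose PORT address is not the control connection's own source. The packet builder, the sample packet (client 10.0.0.31, server 140.186.70.20, client port 1554, with 12 bytes of TCP options to exercise the offset arithmetic) and the function names are all constructed for this example.

```python
import ipaddress
import re
import struct

# Matches "PORT h1,h2,h3,h4,p1,p2\r\n" as sent by an active-mode FTP client.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def build_packet(src, dst, sport, dport, payload, tcp_options=b""):
    """Constructed test input: a minimal IPv4+TCP packet (checksums left at 0).
    tcp_options must be a multiple of 4 bytes so the TCP data offset stays whole."""
    if len(tcp_options) % 4:
        raise ValueError("TCP options must be padded to 4-byte words")
    doff = 5 + len(tcp_options) // 4           # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, doff << 4, 0x18, 8192, 0, 0)
    tcp += tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def tcp_payload(packet):
    """Return (src_ip, dst_ip, payload) for a raw IPv4/TCP packet.
    The payload starts at IHL*4 + (TCP data offset)*4; getting either word
    wrong makes a helper scan header bytes instead of the PORT line."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        raise ValueError("not a complete TCP packet")
    doff = (packet[ihl + 12] >> 4) * 4        # TCP data offset field, in bytes
    if doff < 20:
        raise ValueError("bad TCP data offset")
    start = ihl + doff
    end = min(total_len, len(packet))
    if start > end:
        raise ValueError("data offset points past end of packet")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[start:end]


def parse_port(payload):
    """Decode a PORT command into (ip, port); None if it is not well formed."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):           # each field is one octet
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expected_data_connection(packet, loose=False):
    """Model of the helper's expectation: (server_ip, client_ip, client_port)
    the active-mode data connection will use, or None if none should be expected.
    As with ip_conntrack_ftp's loose=0, a PORT naming an address other than the
    control connection's own source is not turned into an expectation."""
    src, dst, payload = tcp_payload(packet)
    parsed = parse_port(payload)
    if parsed is None:
        return None
    ip, port = parsed
    if not loose and ip != src:
        return None
    return dst, ip, port


if __name__ == "__main__":
    # Constructed sample: the PORT command for the client port seen in the conntrack log.
    pkt = build_packet("10.0.0.31", "140.186.70.20", 1554, 21,
                       b"PORT 10,0,0,31,6,18\r\n", tcp_options=b"\x01" * 12)
    print(expected_data_connection(pkt))
```

The 12 bytes of TCP options are the point of the sample: a helper that assumed a 20-byte TCP header would start its scan at the option bytes, `parse_port` would return None, and no expectation would be created, which is exactly the symptom in the post (the control connection tracks fine, the data connection is never associated). The `loose` flag mirrors the module parameter of the same name; in the default strict mode a PORT pointing at a third host is simply not expected, which is what stops a client from using the helper to open a tracked connection to somewhere else.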





