How to retrieve original source address with FTP/NAT/TPROXY

Hello,

I have the following IPv4 network:

FTPClient <-----------------> Proxy <--------------> FTPServer.
     10.0.0.2          10.0.0.1   1.1.1.1        1.1.1.2

FTPClient connects to FTPServer in PASSIVE mode, meaning the FTPClient
initiates the data connection towards FTPServer. Proxy performs NAT in the POSTROUTING chain using the iptables MASQUERADE target. On Proxy, I use the iptables TPROXY target to redirect the FTP data connection towards a local socket.

Upon accept() on this socket, the address returned by accept() is 1.1.1.1, not the IP of the Client (10.0.0.2) as I expected. Using getpeername() also returns 1.1.1.1. For TCP connections other than FTP, accept() or getpeername() returns 10.0.0.2.

I noticed this only occurs when using the NF_CONNTRACK_FTP and NF_NAT_FTP kernel modules.

Note that I was able to retrieve the FTPClient IP on Proxy from
/proc/net/ip_conntrack. I also made a quick patch to add a SO_ORIGINAL_SRC socket option (similar to SO_ORIGINAL_DST) which allows retrieving the FTPClient IP. Since this option does not exist yet, I am wondering whether it would be relevant to add such an option.

Also, this does not occur in IPv6.

Is this behavior normal?
What is the rationale behind this?

Any help in understanding what happens would be much appreciated,
Gregory

(My apologies for initially sending this on the devel mailing list by mistake...)
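The following is an added example, not the poster's patch or any netfilter code. It shows the three views a transparent proxy can take of an accepted IPv4 TCP socket on Linux: the peer address from getpeername() (what accept() also reports), the local address from getsockname(), and the pre-NAT destination that the existing SO_ORIGINAL_DST socket option fetches from conntrack. The proposed SO_ORIGINAL_SRC does not exist in the kernel, so the example only demonstrates the destination side and a check for the symptom described in the post, where the peer address is a NAT address rather than the client's. It runs on loopback, so no NAT is involved and the views agree; the names conn_view, inspect_connection, peer_rewritten and loopback_demo are this example's own. Binding a real TPROXY listener (IP_TRANSPARENT) needs CAP_NET_ADMIN and is deliberately left out.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#if defined(__has_include)
#  if __has_include(<linux/netfilter_ipv4.h>)
#    include <linux/netfilter_ipv4.h>   /* defines SO_ORIGINAL_DST */
#  endif
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80   /* value used by <linux/netfilter_ipv4.h> */
#endif

/* Three views of one accepted socket, each formatted as "a.b.c.d:port". */
struct conn_view {
    char peer[INET_ADDRSTRLEN + 8];     /* getpeername(): address accept() reports */
    char local[INET_ADDRSTRLEN + 8];    /* getsockname(): local side of the socket */
    char orig_dst[INET_ADDRSTRLEN + 8]; /* SO_ORIGINAL_DST: pre-NAT destination */
    int  have_orig_dst;                 /* 0 when conntrack gave no answer */
};

/* Format an IPv4 sockaddr as "a.b.c.d:port"; returns 0 on success. */
int format_sin(const struct sockaddr_in *sin, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    if (sin->sin_family != AF_INET) return -1;
    if (!inet_ntop(AF_INET, &sin->sin_addr, ip, sizeof ip)) return -1;
    int n = snprintf(buf, len, "%s:%u", ip, (unsigned)ntohs(sin->sin_port));
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Fill *v from an accepted IPv4 TCP socket. Only the conntrack query is
   optional: it fails with ENOPROTOOPT when conntrack is not loaded and with
   ENOENT when the connection has no conntrack entry. */
int inspect_connection(int fd, struct conn_view *v)
{
    struct sockaddr_in sin;
    socklen_t slen = sizeof sin;
    memset(v, 0, sizeof *v);
    if (getpeername(fd, (struct sockaddr *)&sin, &slen) < 0) return -1;
    if (format_sin(&sin, v->peer, sizeof v->peer) < 0) return -1;
    slen = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &slen) < 0) return -1;
    if (format_sin(&sin, v->local, sizeof v->local) < 0) return -1;
    slen = sizeof sin;  /* IPPROTO_IP equals SOL_IP on Linux */
    if (getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, &sin, &slen) == 0 &&
        format_sin(&sin, v->orig_dst, sizeof v->orig_dst) == 0)
        v->have_orig_dst = 1;
    return 0;
}

/* 1 when the peer address is not the IP the proxy expected the client to
   have (the post's case: 10.0.0.2 expected, 1.1.1.1 observed). A proxy that
   keys policy on the accepted address should treat this as a NAT address. */
int peer_rewritten(const struct conn_view *v, const char *expected_ip)
{
    size_t n = strlen(expected_ip);
    return !(strncmp(v->peer, expected_ip, n) == 0 && v->peer[n] == ':');
}

/* Listener plus client on 127.0.0.1 (constructed, no NAT in the path);
   fills *v from the accepted socket and returns 0 on success. */
int loopback_demo(struct conn_view *v)
{
    int ls = -1, cs = -1, as = -1, rc = -1;
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = 0 };
    socklen_t slen = sizeof sin;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if ((ls = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (bind(ls, (struct sockaddr *)&sin, sizeof sin) < 0) goto out;
    if (listen(ls, 1) < 0) goto out;
    if (getsockname(ls, (struct sockaddr *)&sin, &slen) < 0) goto out; /* learn port */
    if ((cs = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (connect(cs, (struct sockaddr *)&sin, sizeof sin) < 0) goto out;
    if ((as = accept(ls, NULL, NULL)) < 0) goto out;
    rc = inspect_connection(as, v);
out:
    if (as >= 0) close(as);
    if (cs >= 0) close(cs);
    if (ls >= 0) close(ls);
    return rc;
}

int main(void)
{
    struct conn_view v;
    if (loopback_demo(&v) < 0) { perror("loopback_demo"); return 1; }
    printf("peer  (getpeername)   : %s\n", v.peer);
    printf("local (getsockname)   : %s\n", v.local);
    printf("original destination  : %s\n", v.have_orig_dst ? v.orig_dst : "(unavailable)");
    printf("peer is not 10.0.0.2  : %s\n", peer_rewritten(&v, "10.0.0.2") ? "yes" : "no");
    return 0;
}
```

On the Proxy host from the post, replacing the loopback pair with the TPROXY-bound listener would show the symptom directly: peer reporting 1.1.1.1 for the FTP data connection while non-FTP connections report 10.0.0.2. SO_ORIGINAL_DST only answers the destination side of the original tuple, which is why the poster had to fall back to /proc/net/ip_conntrack for the original source.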
