RE: netfilter forwarding to FTP gateway

Nice description, but one piece of info's required.

If you want transparent control of services, you MUST have control of
all gateways. If 172.16.16.0/22 has another gateway besides the firewall
you're talking about, you need to perform the following:

# 172.16.16.0/22 router (GATEWAY2)
ip route add 172.16.11.237/32 via ${GATEWAY1_NET16} dev ${IF_NET16}
iptables -t nat -A PREROUTING -p tcp -s 172.16.0.0/16 --dport 21 -j DNAT --to 172.16.11.237:2370
iptables -t nat -A POSTROUTING -d 172.16.11.237 -p tcp --dport 2370 -j SNAT --to ${GATEWAY2_NET16}

# 172.16.8.0/22 router (GATEWAY1)
# Theoretically these rules don't need to exist since hosts on the
# subnet should never be required to hit the firewall first.
iptables -t nat -A PREROUTING -p tcp -s 172.16.0.0/16 --dport 21 -j DNAT --to 172.16.11.237:2370
iptables -t nat -A POSTROUTING -d 172.16.11.237 -p tcp --dport 2370 -j SNAT --to ${GATEWAY1_NET16}

If you don't have access to GATEWAY2, you're hooped. You need channel
control to get it working.

If there isn't gateway2, then just use the rules from GATEWAY1. The SNAT
rule is just a sanity check to make sure the routes are sane. If there
aren't any other routers in the network, they probably aren't needed.



> I also configure point to point routes to the specific FTP sites using
> 172.16.11.237 as the gateway, which appears to work ok for systems on
> the same subnet (172.16.8.0/22). But Microsoft's desktop OSs do not
> let you specify gateways outside the subnet of the client, therefore,
> clients on the 172.16.16.0/22 subnet cannot use the transparent FTP
> proxy. 
> 
> My thought was to put another Linux box with a single interface on the
> 172.16.16 subnet, use it as the gateway to the downstream clients, and
> have it forward all packets for port 21 to the machine on the other
> subnet. But I'm a bit confused on how to do this.
> 
> Suggestions or references to tutorials/faqs/etc would be appreciated.
> 
> Thanks in advance
> 
> Sean McLinden
> Allegheny County Health Department
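The following is an added worked example, not code from the list post. It models GATEWAY2's two nat-table rules (DNAT to 172.16.11.237:2370, then SNAT to GATEWAY2's own address) as a small conntrack simulation and shows what the reply above means by the SNAT rule being a sanity check for the routes: when some other router gives the FTP gateway a way back into 172.16.16.0/22 that bypasses GATEWAY2, the un-SNATed reply arrives at the client straight from 172.16.11.237:2370 and never matches the socket the client opened to port 21. All concrete addresses (GATEWAY2 as 172.16.16.1, a client at 172.16.17.50, an external FTP site at 203.0.113.10) and the alternate return path are constructed assumptions; the post only gives variable names.

```python
"""Constructed model of GATEWAY2's DNAT + SNAT rules (example code, not from
the list post).  Shows why the POSTROUTING SNAT rule matters when another
path back into 172.16.16.0/22 exists that does not cross GATEWAY2.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("172.16.0.0/16")              # -s 172.16.0.0/16 in the rules
FTP_GW, FTP_GW_PORT = "172.16.11.237", 2370    # --to 172.16.11.237:2370

# Constructed addresses (assumptions; the post only names the variables).
GATEWAY2_NET16 = "172.16.16.1"                 # stands in for ${GATEWAY2_NET16}
CLIENT = "172.16.17.50"                        # a desktop on 172.16.16.0/22
FTP_SERVER = "203.0.113.10"                    # some external FTP site


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """One router holding the two nat-table rules plus a conntrack table."""

    def __init__(self, own_ip: str, snat: bool):
        self.own_ip = own_ip
        self.snat = snat
        # 4-tuple as the FTP gateway sees it -> the client's original packet
        self.conntrack: dict[tuple, Packet] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """PREROUTING DNAT to the FTP gateway, then optional POSTROUTING SNAT."""
        if not (ip_address(pkt.src) in LAN and pkt.dport == 21):
            return pkt
        out = replace(pkt, dst=FTP_GW, dport=FTP_GW_PORT)
        if self.snat:
            out = replace(out, src=self.own_ip)
        self.conntrack[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def inbound(self, reply: Packet) -> Packet:
        """Reverse both translations for a reply that comes back through us."""
        orig = self.conntrack.get((reply.dst, reply.dport, reply.src, reply.sport))
        if orig is None:
            return reply  # no state for it: pass through untouched
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def ftp_gateway_reply(received: Packet) -> Packet:
    """The FTP gateway answers whatever source address:port it saw."""
    return Packet(src=received.dst, sport=received.dport,
                  dst=received.src, dport=received.sport)


def route_reply(reply: Packet, gw: NatGateway) -> Packet:
    """Constructed topology: the FTP gateway has a second route into
    172.16.16.0/22 that does not cross GATEWAY2.  Only traffic addressed
    to GATEWAY2 itself is guaranteed to pass through its conntrack."""
    if reply.dst == gw.own_ip:
        return gw.inbound(reply)
    return reply  # delivered to the client directly, un-translated


def simulate(snat: bool) -> Packet:
    """Return the packet the client finally receives for its SYN to port 21."""
    gw = NatGateway(GATEWAY2_NET16, snat=snat)
    syn = Packet(src=CLIENT, sport=40000, dst=FTP_SERVER, dport=21)
    at_ftp_gw = gw.outbound(syn)
    return route_reply(ftp_gateway_reply(at_ftp_gw), gw)


def client_accepts(reply: Packet) -> bool:
    """A TCP client only matches a reply from the address:port it connected to."""
    return reply.src == FTP_SERVER and reply.sport == 21 and reply.dport == 40000


if __name__ == "__main__":
    for snat in (True, False):
        r = simulate(snat)
        verdict = "accepted" if client_accepts(r) else "dropped (no matching socket)"
        print(f"SNAT={snat}: client sees reply from {r.src}:{r.sport} -> {verdict}")
```

With SNAT the reply is addressed to GATEWAY2, its conntrack entry reverses both translations, and the client sees the answer come from 203.0.113.10:21 as expected. Without SNAT the reply takes the constructed side path and reaches the client from 172.16.11.237:2370, which is exactly the asymmetric-routing failure the SNAT rule guards against; on a network with no other routers every reply has to cross GATEWAY2 anyway, which is why the post says the rule is then probably unnecessary.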


