Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am using Fedora Core 2 as my firewall with multiple IP addresses assigned to the external interface. One of those IPs ($EXT) is dedicated to the internal server ($INT); all the traffic on that IP is DNATed to the internal server.
I came across the following problem when trying to give FTP access to the client on that internal server:
The client was instructed to use active mode FTP. The client connects, authenticates and starts downloading the file. After a few minutes the connection is closed and the download is terminated.
Through some logging I found out that during the download my firewall rejects traffic to $EXT on port 20 from the client, which means that for some reason the packets from the client are no longer considered to be part of the existing connection (from below you can see I DNAT all traffic on $EXT to $INT, but for these particular packets the firewall seems to ignore that).
I did further investigation and found out that the client uses 2 proxies (both working through the same router, though, so they have the same external IP) to perform load balancing, so I got a suspicion that the source port of the client's request changes during the download if the packets are routed via a different proxy (I could not confirm this yet as it was too late to ask the clients to run the tests today; I will do that on Monday) and my firewall no longer recognizes the packets as being related to the established connection.
Now, how do I make my FTP still function in this situation? Is this possible at all with this type of client?
My firewall setup is:
1. DNAT all traffic from $EXT to $INT
2. SNAT all traffic from $INT behind $EXT
3. FORWARD all the traffic on port 21 from the client's IP to $INT
4. FORWARD all the traffic from $INT to the client's IP on ports 20:21
5. FORWARD all the RELATED, ESTABLISHED traffic
Unfortunately I am not a Linux guru, just trying to learn some bits that would help me do my job efficiently.
Hope someone can help me to resolve this.
Thanks in advance.
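The ruleset sketched in the five points above, written out as an added example (this is not the poster's actual configuration): the interface names and the client range are assumptions, the public IP is a placeholder, and 10.0.0.3 is the internal address quoted later in the thread. One thing the list does not mention is the FTP connection-tracking helper: ip_conntrack_ftp reads the PORT/PASV commands on the control channel and registers the expected data connection so it matches RELATED, and ip_nat_ftp rewrites the server's internal address in PASV replies when the server sits behind DNAT. The LOG rule ahead of the DROP is what makes the SRC/DST/TTL/SPT/DPT of a rejected packet visible, as in the follow-up post.

```shell
#!/bin/sh
# Added example, not the poster's configuration: a 2.6-era iptables ruleset for
# one public IP ($EXT) dedicated to an internal FTP server ($INT), with the FTP
# conntrack helper loaded. Interface names and the client range are assumptions;
# the public IP is a placeholder; 10.0.0.3 is the internal address from the thread.
EXT="${EXT:-203.0.113.10}"
INT="${INT:-10.0.0.3}"
CLIENT="${CLIENT:-198.51.100.0/24}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

# gen_rules prints the commands instead of running them, so the set can be
# reviewed (and tested) before it is applied on the firewall.
gen_rules() {
  cat <<EOF
# The helper parses PORT/PASV on the control channel and registers the expected
# data connection, so its packets match RELATED; ip_nat_ftp also rewrites the
# server's internal address in PASV replies.
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# 1. DNAT everything arriving for $EXT to the internal server.
iptables -t nat -A PREROUTING -i $WAN -d $EXT -j DNAT --to-destination $INT
# 2. SNAT the server's outbound traffic so it leaves as $EXT.
iptables -t nat -A POSTROUTING -o $WAN -s $INT -j SNAT --to-source $EXT
# 5. Stateful rule first: it carries replies and the helper-created data connection.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. Control channel from the client to the server.
iptables -A FORWARD -i $WAN -o $LAN -s $CLIENT -d $INT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# 4. Active-mode data channel the server opens from port 20 to the client.
iptables -A FORWARD -i $LAN -o $WAN -s $INT -d $CLIENT -p tcp --sport 20 -m state --state NEW -j ACCEPT
# Log before dropping, so a rejected packet shows its SRC/DST/TTL/SPT/DPT.
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
iptables -A FORWARD -j DROP
EOF
}

# count_rules: number of generated iptables commands containing a keyword.
count_rules() {
  gen_rules | grep '^iptables' | grep -c -- "$1"
}

case "${1:-}" in
  apply) gen_rules | sh -e ;;   # as root, load the ruleset
  *)     gen_rules ;;           # default: print the rules for review
esac
```

Run it without arguments to see the rules, and with `apply` (as root) to load them. The stateful rule is placed before the NEW-connection rules on purpose: once the helper has registered the data connection, every packet of it, in both directions, is accepted there without needing a separate port 20 rule.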
Thank you for your reply, but unfortunately that did not help. I ran further tests this morning and found out that the only thing that gets changed during the communication is the TTL of the packets coming from the client; packets get dropped as soon as the TTL changes. This is the fragment of the log file:
As you can see, the client packet's TTL changes from 56 to 57 and immediately my firewall does not DNAT that packet to 10.0.0.3 as it should (all the traffic to <ServersIP> is DNATed to 10.0.0.3) and drops it.
The question is: what can I tell the client? Is it normal that the TTL of the IP packets changes during the communication? If so, how can I configure my firewall to ignore that change?
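Netfilter's connection tracking identifies a flow by protocol, addresses and ports; the IP TTL is not part of that key, so a changed TTL is not by itself what breaks the match, but it is a useful marker that the packet arrived by a different path (for example via the second proxy), which is why it is worth correlating with the source port and with whether the packet was still DNATed. The script below is an added example, not from the thread: it reads iptables LOG lines (the kernel's IN=/OUT=/SRC=/DST=/TTL=/SPT=/DPT= format) and reports, per flow, a TTL change and a destination change; a DST that is still the public address in the filter chains means PREROUTING did not DNAT that packet. The log lines are constructed to mirror the symptom described; 203.0.113.10 stands in for <ServersIP>, 10.0.0.3 is the internal address from the post, and the log prefixes are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report per-flow TTL and destination
# changes in iptables LOG output. Netfilter keys a connection on protocol,
# addresses and ports, not TTL, so a TTL change is a path-change marker rather
# than the cause of a failed match. Sample lines are constructed; 203.0.113.10
# is a placeholder for <ServersIP>, 10.0.0.3 is the internal server from the post.

LOG_SAMPLE='Feb  7 10:01:02 fw kernel: FWD-LOG: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=1001 DF PROTO=TCP SPT=40123 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Feb  7 10:01:09 fw kernel: FWD-LOG: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=1002 DF PROTO=TCP SPT=40123 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Feb  7 10:03:44 fw kernel: FWD-LOG: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=1003 DF PROTO=TCP SPT=40124 DPT=20 WINDOW=65535 RES=0x00 ACK URGP=0
Feb  7 10:05:11 fw kernel: IN-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=1004 DF PROTO=TCP SPT=40124 DPT=20 WINDOW=65535 RES=0x00 ACK URGP=0'

# detect_flow_changes reads log lines on stdin and prints one line per change.
detect_flow_changes() {
  awk '
  {
    split("", f)                      # clear the key=value map for this line
    for (i = 1; i <= NF; i++)
      if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
    if (!("SRC" in f) || !("SPT" in f)) next   # not a netfilter LOG line
    # Key on protocol, source address/port and destination port; DST is kept
    # separately so a packet that was not DNATed shows up as a DST change.
    flow = f["SRC"] ":" f["SPT"] ">" f["DPT"] "/" f["PROTO"]
    if (!(flow in ttl)) { ttl[flow] = f["TTL"]; dst[flow] = f["DST"]; next }
    if (f["TTL"] != ttl[flow]) {
      printf "TTL %s->%s %s\n", ttl[flow], f["TTL"], flow
      ttl[flow] = f["TTL"]
    }
    if (f["DST"] != dst[flow]) {
      # DST still the public IP in the filter chains: PREROUTING did not DNAT it.
      printf "DST %s->%s %s (not DNATed)\n", dst[flow], f["DST"], flow
      dst[flow] = f["DST"]
    }
  }'
}

# scan_sample runs the detector over the constructed lines.
scan_sample() {
  printf '%s\n' "$LOG_SAMPLE" | detect_flow_changes
}

scan_sample
```

Pipe a real log through `detect_flow_changes` (for example `grep kernel: /var/log/messages | detect_flow_changes`). On the constructed sample it reports one TTL change and one DST change, both on the data connection; a flow that changed source port would instead appear as a new flow key with no entry for the old one, which is the other thing the first post suspected.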