
Bug-bugga 10-07-2005 01:47 PM

FTP with IPTables for client with load balancing
I am using Fedora Core-2 as my firewall with multiple IP addresses assigned to the external interface. One of those IPs ($EXT) is dedicated to the internal server ($INT) - all the traffic on that IP is DNATed to the internal server.
I came across the following problem when trying to give FTP access to the client on that internal server:
The client was instructed to use active mode FTP - the client connects, authenticates and starts downloading the file. After a few minutes the connection is closed and the download is terminated.
Through some logging I found out that during the download my firewall rejects traffic to $EXT on port 20 from the client, which means for some reason the packets from the client are no longer considered to be part of the existing connection (from below you can see I DNAT all traffic on $EXT to $INT, but for these particular packets the firewall seems to ignore that).
I did further investigation and found out that the client uses 2 proxies (both working through the same router though, so they have the same external IP) to perform the load balancing, so I got a suspicion that the source port of the client's request changes during the download if the packets are routed via a different proxy (could not confirm this yet as it was too late to ask the clients to run the tests today, will do that on Monday) and my firewall no longer recognizes the packets as being related to the established connection.

Now, how do I make my FTP still function in this situation? Is this possible at all with this type of client?

My firewall setup is:

1. DNAT all traffic from $EXT to $INT
2. SNAT all traffic from $INT behind $EXT
3. FORWARD all the traffic on port 21 from the client's IP to $INT
4. FORWARD all the traffic from $INT to the client's IP on ports 20:21

Unfortunately I am not a Linux guru, just trying to learn some bits that would help me to do my job efficiently.
Hope someone can help me to resolve this.
Thanks in advance.

maxut 10-08-2005 06:06 AM

Have you loaded the ftp_conntrack modules? It might help.
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

good luck.

Bug-bugga 10-10-2005 05:15 AM

Thank you for your reply, but unfortunately that did not help. I ran further tests this morning and found out that the only thing that changes during the communication is the TTL of the packets coming from the client - packets get dropped as soon as the TTL changes. This is the fragment of the log file:

Oct 10 09:23:41 fedora-1 kernel: IN=eth3 OUT=eth1 SRC=<ClientsIP> DST= LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=22179 DF PROTO=TCP SPT=60010 DPT=20 WINDOW=15916 RES=0x00 ACK URGP=0
Oct 10 09:23:42 fedora-1 kernel: IN=eth3 OUT=eth1 SRC=<ClientsIP> DST= LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=22211 DF PROTO=TCP SPT=60010 DPT=20 WINDOW=17376 RES=0x00 ACK URGP=0
Oct 10 09:23:42 fedora-1 kernel: IN=eth1 OUT=eth3 SRC= DST=<ClientsIP> LEN=1500 TOS=0x00 PREC=0x00 TTL=127 ID=19634 DF PROTO=TCP SPT=20 DPT=60010 WINDOW=65535 RES=0x00 ACK URGP=0
Oct 10 09:23:42 fedora-1 kernel: IN=eth3 OUT= MAC=00:c0:49:a7:68:d3:00:90:d0:f0:43:dc:08:00 SRC=<ClientsIP> DST=<ServersIP> LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=22599 DF PROTO=TCP SPT=60010 DPT=20 WINDOW=1316 RES=0x00 ACK URGP=0 - this is the dropped packet

As you can see, the client packet's TTL changes from 56 to 57 and immediately my firewall does not DNAT that packet as it should (all the traffic to <ServersIP> is DNATed to the internal server) and drops it.

The question is - what can I tell the client? Is it normal for the TTL of the IP packets to change during the communication? If so, how can I configure my firewall to ignore that change?
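The log fragment above is the kind of evidence worth checking mechanically before blaming the client. The following added example (not code from the thread) parses iptables LOG lines, tracks each client-to-server flow by source address, source port and destination port, and reports two things the thread points at: a TTL that changes mid-flow (the client's traffic arriving via a different path) and a packet logged with an empty OUT= field, i.e. one that was not forwarded and so never got the DNAT the other packets received. The sample lines are constructed to mirror the thread's fragment; the addresses 203.0.113.10 (client), 10.0.0.5 ($INT) and 198.51.100.5 ($EXT) are documentation addresses chosen here because the original post's addresses were redacted.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the thread's log fragment (addresses are placeholders).
SAMPLE_LOG = """\
Oct 10 09:23:41 fedora-1 kernel: IN=eth3 OUT=eth1 SRC=203.0.113.10 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=22179 DF PROTO=TCP SPT=60010 DPT=20 WINDOW=15916 RES=0x00 ACK URGP=0
Oct 10 09:23:42 fedora-1 kernel: IN=eth3 OUT=eth1 SRC=203.0.113.10 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=22211 DF PROTO=TCP SPT=60010 DPT=20 WINDOW=17376 RES=0x00 ACK URGP=0
Oct 10 09:23:42 fedora-1 kernel: IN=eth1 OUT=eth3 SRC=10.0.0.5 DST=203.0.113.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=127 ID=19634 DF PROTO=TCP SPT=20 DPT=60010 WINDOW=65535 RES=0x00 ACK URGP=0
Oct 10 09:23:42 fedora-1 kernel: IN=eth3 OUT= MAC=00:c0:49:a7:68:d3:00:90:d0:f0:43:dc:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=22599 DF PROTO=TCP SPT=60010 DPT=20 WINDOW=1316 RES=0x00 ACK URGP=0
"""

# KEY=VALUE pairs; flag-only tokens such as DF and ACK carry no '=' and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

Flow = Tuple[str, str, str]  # (SRC, SPT, DPT)


def parse_log_line(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of one iptables LOG line as a dict."""
    return dict(FIELD_RE.findall(line))


def find_anomalies(log_text: str) -> List[Dict[str, str]]:
    """Report TTL changes within a flow and packets that were not forwarded (OUT= empty)."""
    last_ttl: Dict[Flow, int] = {}
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f.get("PROTO") != "TCP":
            continue  # only TCP lines carry SPT/DPT
        flow: Flow = (f["SRC"], f["SPT"], f["DPT"])
        ttl = int(f["TTL"])
        if flow in last_ttl and last_ttl[flow] != ttl:
            findings.append({"kind": "ttl_change", "flow": ":".join(flow),
                             "detail": f"{last_ttl[flow]}->{ttl}", "id": f["ID"]})
        last_ttl[flow] = ttl
        # An empty OUT= means the packet was logged in INPUT, not FORWARD: it was
        # delivered locally instead of being translated and routed to $INT.
        if f.get("OUT") == "":
            findings.append({"kind": "not_forwarded", "flow": ":".join(flow),
                             "detail": f"DST={f['DST']}", "id": f["ID"]})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

Run against a real /var/log/messages extract, a TTL change paired with a not-forwarded hit on the same flow is the signature described in the thread; a TTL change alone is just a path change and is harmless by itself.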
