FTP with IPTables for client with load balancing
I am using Fedora Core 2 as my firewall with multiple IP addresses assigned to the external interface. One of those IPs ($EXT) is dedicated to the internal server ($INT) - all the traffic on that IP is DNATed to the internal server.
I came across the following problem when trying to give FTP access to the client on that internal server:
The client was instructed to use active mode FTP - the client connects, authenticates and starts downloading the file. After a few minutes the connection is closed and the download is terminated.
Through some logging I found out that during the download my firewall rejects traffic to $EXT on port 20 from the client, which means that for some reason the packets from the client are no longer considered to be part of the existing connection (from below you can see I DNAT all traffic on $EXT to $INT, but for these particular packets the firewall seems to ignore that).
I did further investigation and found out that the client uses 2 proxies (both working through the same router, though, so they have the same external IP) to perform load balancing, so I got a suspicion that the source port of the client's request changes during the download if the packets are routed via a different proxy (could not confirm this yet as it was too late to ask the clients to run the tests today, will do that on Monday) and my firewall no longer recognizes the packets as being related to the established connection.
Now, how do I make my FTP still function in this situation? Is this possible at all with this type of client?
My firewall setup is:
1. DNAT all traffic from $EXT to $INT
2. SNAT all traffic from $INT behind $EXT
3. FORWARD all the traffic on port 21 from the client's IP to $INT
4. FORWARD all the traffic from $INT to the client's IP on ports 20:21
5. FORWARD all the RELATED, ESTABLISHED traffic
Unfortunately I am not a Linux guru, just trying to learn some bits that would help me do my job efficiently.
Hope someone can help me to resolve this.
Thanks in advance.
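The five rules listed above, written out as iptables commands for a Fedora Core 2 era (2.6.x) kernel, as an added example that is not part of the original post. The interface name and all addresses are assumed placeholders; the two FTP helper modules are what let rule 5 (RELATED) recognise the port-20 data connection that the control connection's PORT command announces, and a packet arriving from a source port conntrack has never seen will still fall outside ESTABLISHED regardless of the helper.

```shell
#!/bin/sh
# Added example, not the poster's own script. Generates the rule set for an
# active-mode FTP server behind a DNAT/SNAT firewall; pass --apply to run it.
EXT_IF="${EXT_IF:-eth0}"          # assumed external interface
EXT="${EXT:-203.0.113.10}"        # assumed public IP dedicated to the server
INT="${INT:-192.168.1.10}"        # assumed internal FTP server
CLIENT="${CLIENT:-198.51.100.20}" # assumed client's shared external (proxy) IP

# Print the commands rather than executing them, so the set can be reviewed
# (and tested) before it touches a live firewall.
ftp_nat_rules() {
ext_if=$1; ext=$2; int=$3; client=$4
cat <<EOF
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t nat -A PREROUTING -i $ext_if -d $ext -j DNAT --to-destination $int
iptables -t nat -A POSTROUTING -o $ext_if -s $int -j SNAT --to-source $ext
iptables -A FORWARD -i $ext_if -s $client -d $int -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -o $ext_if -s $int -d $client -p tcp --sport 20:21 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}
# Rule 5 only matches packets belonging to a 4-tuple conntrack already tracks;
# the ip_conntrack_ftp helper adds the expected data connection to that table
# when it parses PORT on the control channel. A packet from a different client
# source port belongs to no tracked connection, so it is not ESTABLISHED and
# is left to the later (rejecting) rules, which is the symptom logged above.
# On kernels 2.6.20 and later the modules are nf_conntrack_ftp and nf_nat_ftp.

if [ "$1" = "--apply" ]; then
    ftp_nat_rules "$EXT_IF" "$EXT" "$INT" "$CLIENT" | sh
else
    ftp_nat_rules "$EXT_IF" "$EXT" "$INT" "$CLIENT"
fi
```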