Matthieu Turpault
2003-Apr-16  13:03 UTC
Two lines and one ftp server: problem with iproute and routing
Hi list,
I am trying to set up the following network:
                       /-----------------\
                       |   Firewall 1    |
                       \-----------------/
       ___________________|          |_________________
       |               10.2.6.1    10.2.2.1            |
       | eth1                                          |
       | 10.2.6.11                                     |
    /----------\                                       |
    | Router 1 |                                       |
    \----------/                                       |
       | 10.2.3.11                                     |
       | eth0                                          |
       |___________________             _______________|
                           |           |
                      eth1 |           | eth0
                 10.2.3.10 |           | 10.2.2.10
                       /-----------------\
                       |   Firewall 2    |
                       \-----------------/
                               | 10.2.4.10
                               | eth2
                               |
                               | eth1
                               | 10.2.4.12
                        /--------------\
                        | FTP Server   |
                        \--------------/
	- The default route of Firewall 2 is 10.2.2.10.
	- All servers have Mandrake 8.2 with kernel 2.4.18-6mdksecure, except
	  Firewall 2, which has kernel 2.4.19-16mdk.
	- All incoming requests on devices eth1 and eth0 of Firewall 2, port 21,
	  are redirected to 10.2.4.12.
	- All incoming requests on device eth1 of Router 1 are redirected to
	  10.2.3.10.
	On Router 1:
		* ftp 10.2.3.10 is OK
	On Firewall 1:
		* ftp 10.2.2.10 is OK
		* ftp 10.2.6.11 is wrong: when I sniff eth0 on Firewall 2, I see the
		  response of the FTP server with source IP 10.2.3.10, whereas my ip
		  rules and ip routes are:
		[root@firewall2 root]# ip rule list
		0:      from all lookup local
		32764:  from 10.2.2.10 lookup T2
		32765:  from 10.2.3.10 lookup T1
		32766:  from all lookup main
		32767:  from all lookup 253
		[root@firewall2 root]# ip route list table T1
		10.2.4.0/24 dev eth2  scope link
		10.2.3.0/24 dev eth1  scope link
		default via 10.2.3.11 dev eth1
		[root@firewall2 root]# ip route list table T2
		10.2.2.0/24 dev eth0  scope link
		default via 10.2.2.1 dev eth0
		[root@firewall2 root]# ip route list
		10.2.4.0/24 dev eth2  scope link
		10.2.2.0/24 dev eth0  scope link
		10.2.3.0/24 dev eth1  scope link
		127.0.0.0/8 dev lo  scope link
		default via 10.2.2.1 dev eth0
I know that I can solve the problem by adding a new IP address on the FTP
server and connecting all incoming requests from eth1 to IP1 and all requests
from eth0 to IP2, but I don't want to apply this solution: in fact, I will have
three providers and more than one server (http, smtp, ftp...).
Do you have any idea?
Thanks in advance
------------------------------CONFIGURATION --------------------------------
Configuration of Firewall 2:
[root@firewall2 root]# ip address show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:08:c7:ac:54:53 brd ff:ff:ff:ff:ff:ff
    inet 10.2.2.10/24 brd 10.2.2.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:20:18:29:82:74 brd ff:ff:ff:ff:ff:ff
    inet 10.2.3.10/24 brd 10.2.3.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:ba:0a:24:96 brd ff:ff:ff:ff:ff:ff
    inet 10.2.4.10/24 brd 10.2.4.255 scope global eth2
[root@firewall2 root]# ip route list table local
broadcast 10.2.4.0 dev eth2  proto kernel  scope link  src 10.2.4.10
broadcast 10.2.2.0 dev eth0  proto kernel  scope link  src 10.2.2.10
broadcast 10.2.3.255 dev eth1  proto kernel  scope link  src 10.2.3.10
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
local 10.2.3.10 dev eth1  proto kernel  scope host  src 10.2.3.10
broadcast 10.2.4.255 dev eth2  proto kernel  scope link  src 10.2.4.10
broadcast 10.2.3.0 dev eth1  proto kernel  scope link  src 10.2.3.10
broadcast 10.2.2.255 dev eth0  proto kernel  scope link  src 10.2.2.10
local 10.2.4.10 dev eth2  proto kernel  scope host  src 10.2.4.10
local 10.2.2.10 dev eth0  proto kernel  scope host  src 10.2.2.10
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
[root@firewall2 root]# iptables-save
# Generated by iptables-save v1.2.6a on Mon Apr 14 13:36:50 2003
*mangle
:PREROUTING ACCEPT [1732:137673]
:INPUT ACCEPT [1640:123143]
:FORWARD ACCEPT [17:1078]
:OUTPUT ACCEPT [1460:128080]
:POSTROUTING ACCEPT [1483:130598]
COMMIT
# Completed on Mon Apr 14 13:36:50 2003
# Generated by iptables-save v1.2.6a on Mon Apr 14 13:36:50 2003
*nat
:PREROUTING ACCEPT [1845:216404]
:POSTROUTING ACCEPT [684:50816]
:OUTPUT ACCEPT [656:49208]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.2.4.12
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.2.4.12
COMMIT
# Completed on Mon Apr 14 13:36:50 2003
# Generated by iptables-save v1.2.6a on Mon Apr 14 13:36:50 2003
*filter
:INPUT ACCEPT [10859:901121]
:FORWARD ACCEPT [164:9569]
:OUTPUT ACCEPT [9873:931838]
COMMIT
# Completed on Mon Apr 14 13:36:50 2003
------------------------------------------------------------------------
Configuration of Router 1
[root@router1 root]# ip address show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:50:3a:4a brd ff:ff:ff:ff:ff:ff
    inet 10.2.3.11/24 brd 10.2.3.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:80:5f:19:fb:74 brd ff:ff:ff:ff:ff:ff
    inet 10.2.6.11/24 brd 10.2.6.255 scope global eth1
[root@router1 root]# iptables-save
# Generated by iptables-save v1.2.5 on Mon Apr 14 13:38:45 2003
*nat
:PREROUTING ACCEPT [25:2349]
:POSTROUTING ACCEPT [336:21034]
:OUTPUT ACCEPT [332:20794]
-A PREROUTING -i eth1 -j DNAT --to-destination 10.2.3.10
COMMIT
# Completed on Mon Apr 14 13:38:45 2003
# Generated by iptables-save v1.2.5 on Mon Apr 14 13:38:45 2003
*filter
:INPUT ACCEPT [6011:907410]
:FORWARD ACCEPT [16:960]
:OUTPUT ACCEPT [5592:438525]
COMMIT
# Completed on Mon Apr 14 13:38:45 2003
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
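An added example (not part of the original post) that replays Firewall 2's policy-routing lookup on the `ip rule list` / `ip route list` output quoted above, to show why the FTP server's reply leaves on eth0: the kernel picks the route while the reply's source is still 10.2.4.12, because the reverse of a PREROUTING DNAT is applied in nat POSTROUTING, after the routing decision, so the "from 10.2.3.10" rule never sees it. The client address 10.2.6.1 is assumed.

```python
import ipaddress

# Rules and tables copied from the post's `ip rule list` / `ip route list`
# output on Firewall 2; the local table (host/broadcast routes only) is left empty.
RULES = [(0, "all", "local"), (32764, "10.2.2.10", "T2"),
         (32765, "10.2.3.10", "T1"), (32766, "all", "main")]
TABLES = {
    "local": [],
    "T1": ["10.2.4.0/24 dev eth2", "10.2.3.0/24 dev eth1",
           "default via 10.2.3.11 dev eth1"],
    "T2": ["10.2.2.0/24 dev eth0", "default via 10.2.2.1 dev eth0"],
    "main": ["10.2.4.0/24 dev eth2", "10.2.2.0/24 dev eth0",
             "10.2.3.0/24 dev eth1", "127.0.0.0/8 dev lo",
             "default via 10.2.2.1 dev eth0"],
}

def parse_route(line):
    """Split one `ip route` line into (prefix, gateway or None, device)."""
    words = line.split()
    prefix = ipaddress.ip_network("0.0.0.0/0" if words[0] == "default" else words[0])
    gateway = words[words.index("via") + 1] if "via" in words else None
    return prefix, gateway, words[words.index("dev") + 1]

def lookup_table(table, dst):
    """Longest-prefix match in one table; None when the table has no route."""
    best = None
    for prefix, gateway, dev in map(parse_route, TABLES[table]):
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gateway, dev)
    return best

def route(src, dst):
    """Walk the rules in priority order like the kernel; return (table, gateway, dev)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES):
        if selector != "all" and ipaddress.ip_address(selector) != src:
            continue  # "from <addr>" selector does not match this source
        hit = lookup_table(table, dst)
        if hit:
            return table, hit[1], hit[2]
    return None  # not reached here: table main always has a default route

if __name__ == "__main__":
    # Reply from the FTP server to the client behind Router 1 (10.2.6.1 assumed).
    # The route is chosen while the source is still 10.2.4.12; reverse DNAT to
    # 10.2.3.10 only happens in nat POSTROUTING, so rule 32765 never matches.
    print(route("10.2.4.12", "10.2.6.1"))  # ('main', '10.2.2.1', 'eth0')
    # Only traffic that already carries source 10.2.3.10 reaches table T1.
    print(route("10.2.3.10", "10.2.6.1"))  # ('T1', '10.2.3.11', 'eth1')
```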
