Hi,

I use for a customer a Linux router/firewall with 1 internal interface connected to the LAN and 3 external interfaces connected to 3 different ISPs. I use a kernel 2.6.17 with a routes patch from Julian Anastasov.

I mark outgoing FTP traffic for the routing.

With the rules below I do not have a problem with the active/normal FTP to connect on FTP server.

But the passive FTP does not pass because I do not know how to mark the related packets whose ports are negotiated in FTP session.

I quote only the rules for the internal interface and one of the external interfaces. The rules are the same ones for the three external interfaces.

# global rule for all traffic
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# FTP rule
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE1 -p tcp -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp -s $EXTERNAL_IP1 --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT

# FTP mark
iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 21 -j MARK --set-mark 0x21

iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 20 -j MARK --set-mark 0x21

Do you know how I can mark the related packets to the passive FTP?

Regards.
--
=============================================
| FRÉDÉRIC MASSOT                           |
| http://www.juliana-multimedia.com         |
| mailto:frederic@juliana-multimedia.com    |
===========================Debian=GNU/Linux===
On Fri, 09 Mar 2007 16:21:02 +0100 Frédéric Massot <frederic@juliana-multimedia.com> wrote:

> Hi,
>
> I use for a customer a Linux router/firewall with 1 internal interface connected to the LAN and 3 external interfaces connected to 3 different ISPs. I use a kernel 2.6.17 with a routes patch from Julian Anastasov.
>
> I mark outgoing FTP traffic for the routing.
>
> With the rules below I do not have a problem with the active/normal FTP to connect on FTP server.
>
> But the passive FTP does not pass because I do not know how to mark the related packets whose ports are negotiated in FTP session.
>
> I quote only the rules for the internal interface and one of the external interfaces. The rules are the same ones for the three external interfaces.
>
> # global rule for all traffic
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # FTP rule
> iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE1 -p tcp -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT
>
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp -s $EXTERNAL_IP1 --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT
>
> # FTP mark
> iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
> iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 21 -j MARK --set-mark 0x21
> iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 21 -j MARK --set-mark 0x21
>
> iptables -t mangle -A FORWARD -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
> iptables -t mangle -A OUTPUT -o $EXTERNAL_INTERFACE1 -p tcp --dport 20 -j MARK --set-mark 0x21
> iptables -t mangle -A PREROUTING -i $INTERNAL_INTERFACE -p tcp --dport 20 -j MARK --set-mark 0x21
>
> Do you know how I can mark the related packets to the passive FTP?
>
> Regards.

Here's what I'm using to mark ftp traffic for routing purposes, then I use the prerouting chain:

# ftp
iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 20 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 20 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 21 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 21 -j MARK --set-mark 1000
iptables -t mangle -A PREROUTING -m helper --helper ftp -j MARK --set-mark 1000

With the use of the ftp_conntrack helper you can match all your ftp traffic, even passive ftp.

I hope this can help you.
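The rule set below is an added example, not code from either poster: it generates the mangle rules that mark the FTP control connection and, through the `-m helper --helper ftp` match the reply recommends, the data connections the ftp conntrack helper expects after parsing PORT or PASV (the passive case the question is about), plus the `ip rule`/`ip route` pair that sends marked packets out one ISP. The interface names `eth1`/`eth0`, the mark `0x21`, routing table `201` and gateway `203.0.113.1` are placeholders; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the rules that mark FTP traffic
# for policy routing and the routing rules that act on the mark. All interface
# names, the mark, the table number and the gateway are assumed placeholders.

# Print the rules that mark FTP traffic entering on one LAN-facing interface.
# The control connection is matched by destination port 21. The data
# connections, active or passive, are matched with "-m helper --helper ftp":
# that match only fires for connections the ftp conntrack helper expected
# after reading PORT/PASV on the control connection, so it catches the
# negotiated passive port without knowing it in advance.
# The raw-table CT rule hands the control connection to the helper explicitly;
# kernels since 4.7 no longer do that automatically (and 6.0+ cannot), while
# kernels before 2.6.34 lack the CT target and assign the helper themselves
# (ip_conntrack_ftp on 2.6.17), so drop that line there.
ftp_mark_rules() {
    iface="$1"   # LAN-facing interface, e.g. eth1
    mark="$2"    # fwmark to apply, e.g. 0x21
    cat <<EOF
iptables -t raw -A PREROUTING -i $iface -p tcp --dport 21 -j CT --helper ftp
iptables -t mangle -A PREROUTING -i $iface -p tcp --dport 21 -j MARK --set-mark $mark
iptables -t mangle -A PREROUTING -i $iface -m helper --helper ftp -j MARK --set-mark $mark
EOF
}

# Print the policy-routing rules for one mark: a dedicated table holding that
# ISP's default route, and an ip rule selecting the table for marked packets.
policy_route_rules() {
    mark="$1"; table="$2"; gw="$3"; dev="$4"
    cat <<EOF
ip route replace default via $gw dev $dev table $table
ip rule add fwmark $mark lookup $table
EOF
}

# Run (or, with DRY_RUN=1, only print) the full set for one ISP.
# usage: apply_rules <lan-iface> <mark> <table> <gateway> <wan-iface>
# The helper module must be loaded before the helper match can fire; on a
# 2.6.17 kernel the module is ip_conntrack_ftp instead of nf_conntrack_ftp.
apply_rules() {
    { echo "modprobe nf_conntrack_ftp"
      ftp_mark_rules "$1" "$2"
      policy_route_rules "$2" "$3" "$4" "$5"; } |
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf 'would run: %s\n' "$cmd"
        else
            # exit leaves the pipeline subshell, so apply_rules returns 1
            sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Demo with placeholder values; prints only, because DRY_RUN defaults to 1.
apply_rules eth1 0x21 201 203.0.113.1 eth0
```

Run it as root with `DRY_RUN=0` to apply, once per ISP with a different mark and table. Note that the helper match does not cover the control connection itself, which is why the port 21 rule stays. The quickest check is the packet counter on the helper rule in `iptables -t mangle -L PREROUTING -v -n`: if it stays at zero during a passive transfer, the helper is not attached to the control connection (module not loaded, or the CT rule missing on a kernel that needs it).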
Rodolfo Brasnarof wrote:
> [...]
> Here's what I'm using to mark ftp traffic for routing purposes, then I use the prerouting chain:
>
> # ftp
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 20 -j MARK --set-mark 1000
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 20 -j MARK --set-mark 1000
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --sport 21 -j MARK --set-mark 1000
> iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 21 -j MARK --set-mark 1000
> iptables -t mangle -A PREROUTING -m helper --helper ftp -j MARK --set-mark 1000
>
> With the use of the ftp_conntrack helper you can match all your ftp traffic, even passive ftp.
>
> I hope this can help you.

Hi,

Thank you, it is really what was necessary for me. :o)

Regards.
--
=============================================
| FRÉDÉRIC MASSOT                           |
| http://www.juliana-multimedia.com         |
| mailto:frederic@juliana-multimedia.com    |
===========================Debian=GNU/Linux===