Marcello Magnifico [fabbricadigitale] wrote:

> > it depends on what you mean. if you want to have three,
> > separate, distinct ftp servers that have nothing to do with
> > each other, you have to use different ports for each one and
> > port forward them separately. every client needs to know
> > which ports to connect to. and they'll get it wrong most of 
> > the time so it's not worth bothering with this scheme.
> 
> Hi,
>       doesn't IP aliasing fit for this purpose? I tried that, with
> the main address as eth0, the first alias on eth0:0 and the second alias
> on eth0:1. The idea was to masq three FTP servers behind the same machine,
> along with some other stuff that needed three IP addresses.

yes. different port numbers or different addresses. it's
just that different addresses makes it harder (see below)
but it is the best way to go (different port numbers would
suck).

> Unfortunately, the first alias (portfw 20+21) works well alongside
> the main address, while the second one doesn't. Any idea?

the reason is that even though incoming packets to any of
the 3 addresses will get port forwarded correctly, the
outgoing reply packets will all end up having the same
source address, that of eth0. needless to say, this will
confuse tcp/ip stacks who won't consider these reply
packets to have anything to do with any existing connection.

the solution is to use the iproute2 package to rewrite the
source address of the reply packets to that of the desired
"virtual" interface. you can do this by fwmarking the reply
packets with ipchains on their way in to the masquerading
host and then doing fwmark nat with the ip utility. read
the ip command reference that comes with the iproute2
package. pay particular attention to appendix C, page 50.

my firewall/nat script at fwup.org claims to support
this "alias port forwarding" fiddle but i'm not able to
test the final version of the code. i've had negative
reports about it but without sufficient information to tell
if it's my fault or theirs. it should work fine if the
ftp clients are using passive mode but i'm not sure about
active mode. if the command channel comes in on eth0:1
but the data channel goes out on eth0, the ftp client might
not accept it. if so, you'd have to add some extra ip
commands to rewrite the source address of the outgoing data
channel packets as well. fwup won't do that for you.

and i've no idea what impact the ip_masq_ftp module might
have on all of this.

raf
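The per-alias fiddle described above, written out as an added example (constructed for this thread, not taken from raf's post or from the fwup script): portfw both FTP ports to the internal server, fwmark the server's replies with ipchains as they enter the masq host, and rewrite their source address with an iproute2 `ip rule ... nat` entry, with the active-mode data channel (source port 20) marked as well. The addresses, mark values and the `RUN` dry-run variable are assumptions.

```shell
#!/bin/sh
# Constructed example for the ipchains/ipmasqadm/iproute2 (2.2-era) toolset.
# RUN defaults to "echo", so the script prints the commands it would apply;
# run it as root with RUN set to the empty string to apply them for real.
RUN=${RUN-echo}

# alias_ftp_rules PUBLIC_ALIAS INTERNAL_SERVER MARK
#   1. port forward the control (21) and active-mode data (20) ports in
#   2. fwmark the server's replies on their way into the masq host
#   3. rewrite the source address of marked packets to the alias
alias_ftp_rules() {
    alias_ip=$1; server_ip=$2; mark=$3
    for port in 21 20; do
        $RUN ipmasqadm portfw -a -P tcp -L "$alias_ip" "$port" -R "$server_ip" "$port"
    done
    # mark replies from the control channel (src port 21) and from the
    # active-mode data channel (src port 20) so both leave with the alias
    # address; a rule with -m and no -j only marks, it does not drop/accept
    $RUN ipchains -A input -p tcp -s "$server_ip" 21 -m "$mark"
    $RUN ipchains -A input -p tcp -s "$server_ip" 20 -m "$mark"
    # iproute2 stateless NAT: source address of fwmark'ed packets -> alias
    $RUN ip rule add fwmark "$mark" nat "$alias_ip"
}

# number of commands emitted for one alias (used as a sanity check)
rule_count() { alias_ftp_rules "$@" | wc -l | tr -d ' '; }

# Two aliases (constructed addresses), each with its own server and mark.
# The primary eth0 address needs no nat rule: replies already carry it.
alias_ftp_rules 203.0.113.11 192.168.1.11 1   # eth0:0
alias_ftp_rules 203.0.113.12 192.168.1.12 2   # eth0:1
```

Check the marks actually stick with `ipchains -L -v` and the nat rule with `ip rule list` before blaming the clients; the ip_masq_ftp module is a separate question the post leaves open.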

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]