Hi all,

This is my first post in this forum. I'm trying to configure iptables to do SNAT but I'm facing problems with the FTP protocol, and I don't know how to solve it...

I'm using CentOS 5 (with the original kernel; no update has been done) and my computer is directly connected to the internet. It has two output NICs with static addresses; let's say, for instance, that eth1 has IP1 and eth0 has IP2.

No internal NIC is present, so all the outgoing traffic is generated by the same computer, where iptables resides.

What I'm trying to do... I want to use IP2 as the source IP for all outgoing traffic concerning FTP and SMTP (both as a client), and IP1 for the rest of the traffic. If I can respect eth0:IP1 and eth1:IP2, even better, but it's not mandatory. The important point is the output IP.

Maybe it's nonsense to do that, but it's what I have to do.

I use the following script to try to achieve these requirements:

#!/bin/sh

IPTABLES="iptables"
IP1="aaa.bbb.ccc.dd1" # IP for all traffic but SMTP and FTP (no spaces around "=" in sh assignments)
IP2="aaa.bbb.ccc.dd2" # IP for just SMTP and FTP (placeholder; a different address from IP1)


$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


#
#
# Rule 0: source IP for output FTP and SMTP set to IP2
#
$IPTABLES -t nat -A POSTROUTING -p tcp -m tcp -m multiport --dports 21,25 -j SNAT --to-source $IP2
#
#
# Rule 1: source IP for all output traffic except FTP and SMTP set to IP1
#
$IPTABLES -t nat -N RTE_OTHER
$IPTABLES -t nat -A POSTROUTING -j RTE_OTHER
$IPTABLES -t nat -A RTE_OTHER -p tcp -m tcp -m multiport --dports 21,25 -j RETURN
$IPTABLES -t nat -A RTE_OTHER -j SNAT --to-source $IP1
#
#
# Rule 2: accept FTP data (active mode) for IP2
#
$IPTABLES -A FORWARD -i + -p tcp -m tcp -d $IP2 --dport 20 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i + -p tcp -m tcp -d $IP2 --dport 20 -m state --state NEW -j ACCEPT
#
#
# Rule 3: accept all outgoing traffic
#
$IPTABLES -A FORWARD -o + -s $IP2 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o + -s $IP1 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o + -m state --state NEW -j ACCEPT
#
#
# Rule 4: accept all traffic concerning loopback
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
#
# Rule 5: reject policy
#
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward

As you can see, I don't concentrate yet on the output NIC, just on the output source IP.

My problem is that it doesn't work (at least with FTP; I have not yet tried with SMTP). All FTP outgoing traffic has IP1 as source IP. However, if instead of using 21 and 25 I just use 22, it works fine.

Do you know where I made a mistake in my script?

The second question is whether there is a way to make it work also for FTP passive mode.

And finally, to fully understand Linux networking: if iptables is not running, which output NIC is chosen, the first one (eth0, in my case), or is it random?

Thanks in advance!

Javier
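The three questions in the post (SNAT by destination port, FTP active/passive data connections, and which NIC a locally generated packet leaves on) hinge on the same two mechanisms: the FTP connection-tracking and NAT helper modules, and the fact that routing for locally generated packets happens before the nat POSTROUTING chain. The script below is an added example written for this page; it is not the poster's script and not anything shipped with CentOS. The addresses, the gateway aaa.bbb.ccc.1, the eth0/eth1 mapping and the module names (ip_conntrack_ftp/ip_nat_ftp are the 2.6.18-era names; newer kernels use nf_conntrack_ftp/nf_nat_ftp) are all assumptions to edit; the run helper and DRY_RUN switch are my own device so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the original poster's script): choose both the source IP
# and the NIC for outgoing FTP/SMTP on a host with no internal network.
# Every value below is a placeholder/assumption; adjust to the real host.

IP1="aaa.bbb.ccc.dd1"   # default source address, lives on eth1 (assumed)
IP2="aaa.bbb.ccc.dd2"   # source address for FTP and SMTP, lives on eth0 (assumed)
IF1="eth1"
IF2="eth0"
GW="aaa.bbb.ccc.1"      # assumed upstream gateway reachable from both NICs
MARK=2                  # packet mark that selects routing table 2

# run: execute a command, or only print it when DRY_RUN=1. This lets the
# generated rule set be read, diffed or tested without touching a live firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

load_ftp_helpers() {
    # Without the conntrack helper, FTP data connections are never classified
    # RELATED (so they hit the DROP rules), and without the NAT helper the
    # address announced in the PORT command is not rewritten to the SNATed
    # source, so active mode breaks. Names are the CentOS 5 (2.6.18) ones.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
}

policy_routing() {
    # The routing decision for locally generated packets is taken before
    # POSTROUTING, so SNAT alone never changes the outgoing interface.
    # Marking FTP/SMTP in mangle OUTPUT forces a re-route into table 2, whose
    # default route leaves via eth0. The re-route keeps the already chosen
    # source address, which is why the SNAT below is still required.
    run iptables -t mangle -F OUTPUT
    run iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 21,25 \
        -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table 2
    run ip rule add from "$IP2" table 2    # sockets explicitly bound to IP2
    run ip route add default via "$GW" dev "$IF2" src "$IP2" table 2
    run ip route flush cache
}

nat_rules() {
    run iptables -t nat -F POSTROUTING
    # Only the first packet of a NEW connection consults the nat table; the
    # mapping is stored in conntrack and inherited by RELATED data connections
    # (active and passive alike) once the FTP helper is loaded.
    run iptables -t nat -A POSTROUTING -o "$IF2" -p tcp -m multiport --dports 21,25 \
        -j SNAT --to-source "$IP2"
    # Everything else keeps IP1. Matching on -o means a packet is never
    # rewritten to an address the exit interface does not own.
    run iptables -t nat -A POSTROUTING -o "$IF1" -j SNAT --to-source "$IP1"
}

filter_rules() {
    run iptables -F INPUT
    run iptables -F OUTPUT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Active-mode data arrives from the server's port 20 to an ephemeral port
    # here and is RELATED, so the rule above already accepts it; no NEW inbound
    # rule is needed (and a match on --dport 20 would not see that traffic).
    run iptables -A OUTPUT -m state --state NEW -j ACCEPT
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    # No FORWARD rules and no ip_forward: nothing is routed through this host.
}

apply_all() {
    load_ftp_helpers
    policy_routing
    nat_rules
    filter_rules
}

# Usage: DRY_RUN=1 sh snat-ftp.sh print   (review the rules)
#        sh snat-ftp.sh apply            (as root, on the firewall)
case "${1:-}" in
    apply|print) apply_all ;;
esac
```

After applying, `iptables -t nat -L POSTROUTING -v -n` shows per-rule packet counters, so a control connection that was not rewritten is visible as a counter that stays at zero, and `cat /proc/net/ip_conntrack` shows the stored mapping for port 21 and the RELATED data connections created by the helper. The `ip rule add` lines are not idempotent; delete them with `ip rule del` before re-running. For the third question: with no iptables involved, the NIC is neither "the first one" nor random; `ip route get <destination>` prints the route the kernel would use, and the device and preferred source address of the matching route (normally the single default route) are what the packet gets.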