Mailinglist Archive: proxy-suite (4 mails)

Re: [proxy-suite] Question about multiple ftp servers
  • From: Marius Tomaschewski <mt@xxxxxxx>
  • Date: Wed, 14 May 2003 16:59:59 +0000 (UTC)
  • Message-id: <20030514165715.GF1853@xxxxxxx>
On Wed, May 14, 2003 at 09:17:02AM -0400, Brian.Harrell@xxxxxxxxxxxxxxx wrote:
> I have a question or am looking for suggestions. For a while now we have had
> 1 ftp server and have been using proxy suite to proxy it. Very simple to set up. Now I
> am at a loss when trying to add a 2nd ftp server. Can I have multiple
> DestinationAddress? Any help will be very much appreciated.

No - the proxy has no direct support for multiple destinations
in inbound mode. But you can do it using transparent proxy:

AllowMagicUser no
AllowTransProxy yes
DestinationAddress default-ftp-server # optional

Of course, it's limited because you have to be able to set up the
rules. You have lost, if you have to handle clients from the internet
and you have only one official IP...

It's required to have the proxy on a gateway between the clients
and ftp-servers - for example:


        CLIENT NET / INTERNET
                  |
                proxy
                /   \
               /     \
           ftp1  ftp2  ftpN

Here is a sample chain (you don't really require an extra chain)
for iptables:

iptables -t nat -N ftp-pool
iptables -t nat -A ftp-pool -d ftp1-ip -j REDIRECT
iptables -t nat -A ftp-pool -d ftp2-ip -j REDIRECT
# [...]
iptables -t nat -A ftp-pool -j DROP

iptables -t nat -A PREROUTING -p tcp --dport 21 -j ftp-pool

The proxy reads the original destination the client wanted
from NAT tables (iptables, BSD nat and pf filter supported).

You can use DNS round-robin for ftp-server IPs if you want.

See also ftp-proxy/TransProxy-Mini-Howto.txt file.


> here is what my conf looks like
>
>
> [-Global-]
> ServerType standalone
> LogDestination /var/log/ftp-proxy.log
> Listen 127.0.0.1
> Listen xxx.xxx.xxx.xxx
> AllowTransProxy no
> AllowMagicUser yes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Huh? MagicUser in "inbound" mode? I hope you know what you are
doing and you have set up your ip filter, etc. correctly...
MagicUser allows the user to override the destination address
inside of the ftp USER command.

> UseMagicChar %
> PortResetsPasv yes
> DestinationTransferMode passive
> DestinationAddress xxx.xxx.xxx.xxx

Kind regards,
Marius Tomaschewski <mt@xxxxxxx>
--
SuSE Linux AG, Nürnberg -- Product Developement
PGP public key on: http://www.suse.de/~mt/mt.pgp
DF17 271A AD15 006A 5BB9 6C96 CA2F F3F7 373A 1CC0
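
Added example, not part of the mail above or of the proxy-suite code: a small Python lint for the situation the reply warns about, AllowMagicUser enabled on a proxy that listens on a non-loopback address and runs in inbound mode with a fixed DestinationAddress. The sample configurations are constructed from the directives quoted in the thread, the 192.0.2.x addresses are documentation placeholders, and treating an absent directive as "not enabled" is an assumption rather than proxy-suite's documented default.

```python
import ipaddress

# Constructed sample built from the directives quoted in the thread; 192.0.2.x
# are documentation addresses standing in for the masked xxx.xxx.xxx.xxx values.
SAMPLE_INBOUND = """\
[-Global-]
Listen 127.0.0.1
Listen 192.0.2.10
AllowTransProxy no
AllowMagicUser yes
DestinationAddress 192.0.2.20
"""
# Constructed sample of the transparent-proxy settings suggested in the reply.
SAMPLE_TRANSPARENT = """\
AllowMagicUser no
AllowTransProxy yes
DestinationAddress default-ftp-server # optional
"""

def parse_conf(text):
    """Map lower-cased directive -> list of values; skip comments and [sections]."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts or parts[0].startswith("["):
            continue
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def enabled(conf, key):
    # Assumption: a directive that is absent counts as "not enabled".
    return conf.get(key, ["no"])[-1].lower() == "yes"

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or unparsable value: treat as reachable

def audit(text):
    """Return finding codes for the MagicUser exposure discussed in the mail."""
    conf = parse_conf(text)
    findings = []
    if enabled(conf, "allowmagicuser"):
        if any(not is_loopback(a) for a in conf.get("listen", [])):
            findings.append("MAGIC_USER_ON_NON_LOOPBACK_LISTENER")
        if conf.get("destinationaddress") and not enabled(conf, "allowtransproxy"):
            findings.append("MAGIC_USER_OVERRIDES_FIXED_DESTINATION")
    return findings
```

Calling `audit()` on the text of a real ftp-proxy.conf returns the same finding codes; an empty list means neither condition was matched, not that the packet filter in front of the proxy is correct.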
