Hello proxy-suite list,

Some things I don't understand to configure a transparent proxy for ftp. The proxy has to redirect internal ftp requests to the external ftp server.

The machine is a SuSE 2.2.19 kernel with SuSE 7.0 environment and Marc's ipchains firewall 4.9.
At the moment I use squid for ftp and http requests at port 3128 and a ProFTPD server for the internal net on port 21 starting in inetd.

Now I set up /etc/proxy-suite/ftp-proxy.conf and /usr/local/etc/proxy-suite/ftp-proxy.conf.
Do I have to set up both files?

    AllowTransProxy         yes
    AllowMagicUser          yes
    UseMagicChar            %
    PortResetsPasv          yes
    DestinationTransferMode passive
    Listen                  172.16.2.5   # internal router IP
    LogDestination          deamon
    ServerType              Standalone

like the TransProxy-mini-Howto.

I renamed the start script ./ftp-proxy/rcscript to /sbin/rcftp-proxy and made it executable. The first time after starting, the error

    TECH-ERR can't detach daemon

comes up. After disabling proftpd in inetd it was possible to start the proxy with /sbin/rcftp-proxy start and log in locally.

How can I configure my proftpd to listen locally on port 21 and use the proxy for outgoing ftp demands?

Testing the proxy locally works well. If I test it from a client with the proxy setting disabled, the client connects directly to the foreign ftp server; there is no entry in /var/log/messages. Why doesn't the "transparent" work?

Masquerading is done by the firewall, do I have to disable ftp-forwarding in FW_MASQ_MODULES= ?

-- 
Best regards,
Dietmar
mailto:earthmate@gmx.net
On Thu, Mar 21, 2002 at 03:56:17PM +0100, Dietmar Strasdat wrote:
Hello proxy-suite list,
Hi!
Some things I don't understand to configure a transparent proxy for ftp. The proxy has to redirect internal ftp requests to the external ftp server.
All internal traffic to one external ftp-server?? You have to set up transparent redirections via ipchains/iptables and set the DestinationAddress to the external ftp-server. Do not use the TransProxy feature in the proxy config nor the magic user.
The machine is a SuSE 2.2.19 kernel with SuSE 7.0 environment and Marc's ipchains firewall 4.9.
At the moment I use squid for ftp and http requests at port 3128 and a ProFTPD server for the internal net on port 21 starting in inetd.
You have to use a different port for one of them.
Now I set up /etc/proxy-suite/ftp-proxy.conf and /usr/local/etc/proxy-suite/ftp-proxy.conf.
Do I have to set up both files?

    AllowTransProxy         yes
    AllowMagicUser          yes
    UseMagicChar            %
    PortResetsPasv          yes
    DestinationTransferMode passive
    Listen                  172.16.2.5   # internal router IP
    LogDestination          deamon
    ServerType              Standalone

like the TransProxy-mini-Howto
I renamed the start script ./ftp-proxy/rcscript to /sbin/rcftp-proxy and made it executable.
OK.
The first time after starting, the error
    TECH-ERR can't detach daemon
comes up. After disabling proftpd in inetd it was possible to start the proxy with /sbin/rcftp-proxy start and log in locally.
How can I configure my proftpd to listen locally on port 21 and use the proxy for outgoing ftp demands?
IMHO proftpd does not support this - it is a server, not a client and it does no client requests at all.
Testing the proxy locally works well.
If I test it from a client with the proxy setting disabled, the client connects directly to the foreign ftp server; there is no entry in /var/log/messages.
Why doesn't the "transparent" work?
Transparent proxying does not work for outgoing connections on the gateway but for incoming:

client --> gateway --> internet
              |  |
(redirection) |  |-> proxy -->

If the requests come to the gateway and are not directed to the gateway but to another host, the kernel should redirect them (according to your rules) to the proxy running on the gateway, and the proxy "reads" the destination the client wants to connect to and connects to this destination. You can't start a client on the gateway itself and use the proxy in transparent mode from there - it works only for clients "behind" the gateway.
Masquerading is done by the firewall, do I have to disable ftp-forwarding in FW_MASQ_MODULES= ?
Please draw an ascii picture of your network and how the request should work.
I do not really understand what you want to configure.
Gruesse,
Marius Tomaschewski
Hello Marius,
On Thursday, 21. March 2002 17:11, you wrote:
All internal traffic to one external ftp-server ??
All internal ftp traffic to --> internet over a "transparent" ftp proxy
How can I configure my proftpd to listen locally on port 21 and use the proxy for outgoing ftp demands?
IMHO proftpd does not support this - it is a server, not a client and it does no client requests at all.
Ok, I'll try to configure the proftpd on another port.
Why doesn't the "transparent" work?
Transparent proxying does not work for outgoing connections on the gateway but for incoming:
client --> gateway --> internet
              |  |
(redirection) |  |-> proxy -->

If the requests come to the gateway and are not directed to the gateway but to another host, the kernel should redirect them (according to your rules) to the proxy running on the gateway, and the proxy "reads" the destination the client wants to connect to and connects to this destination.
Ok, I have to disable the masq module ftp in the firewall?
You can't start a client on the gateway itself and use the proxy in transparent mode from there - it works only for clients "behind" the gateway.
Understood, but this won't work here.
Masquerading is done by the firewall, do I have to disable ftp-forwarding in FW_MASQ_MODULES= ?
Please draw an ascii picture of your network and how the request should work.
I do not really understand what you want to configure.
client  http proxy setting to --> gateway port 3128 --> internet
        ftp no proxy setting  --> gateway port 21|
                                          ^      |
                                          |      |
                                    Trans-Proxy --|
        other protocols       --> gateway masq --> internet

If there are proxies for the other protocols available, I'll try to configure it, step by step.

The problem is that outgoing ftp demands aren't going over the proxy, but directly over the gateway. I don't know how to redirect ftp demands without modifying the clients to use a proxy. In /var/log/messages there are entries about the local test:

Mar 22 09:11:30 mserver ftp-child[6431]: USER-INF 'PASS XXXX' from 172.16.2.5
Mar 22 09:11:31 mserver ftp-child[6431]: USER-INF 'PWD' from 172.16.2.5
Mar 22 09:11:31 mserver ftp-child[6431]: USER-INF 'SYST' from 172.16.2.5
Mar 22 09:11:45 mserver ftp-child[6431]: USER-INF 'QUIT' from 172.16.2.5

but no entries from a connect client --> outside ftp server like ftp.suse.com

-- 
Best regards,
Dietmar
mailto:earthmate@gmx.net
Dietmar Strasdat wrote:
Hello Marius,
On Thursday, 21. March 2002 17:11, you wrote:
All internal traffic to one external ftp-server ??
All internal ftp traffic to --> internet over a "transparent" ftp proxy
How can I configure my proftpd to listen locally on port 21 and use the proxy for outgoing ftp demands?
IMHO proftpd does not support this - it is a server, not a client and it does no client requests at all.
Ok, I'll try to configure the proftpd on another port.
Why doesn't the "transparent" work?
Transparent proxying does not work for outgoing connections on the gateway but for incoming:
client --> gateway --> internet
              |  |
(redirection) |  |-> proxy -->

If the requests come to the gateway and are not directed to the gateway but to another host, the kernel should redirect them (according to your rules) to the proxy running on the gateway, and the proxy "reads" the destination the client wants to connect to and connects to this destination.
Ok, I have to disable the masq module ftp in the firewall?
You can't start a client on the gateway itself and use the proxy in transparent mode from there - it works only for clients "behind" the gateway.
Understood, but this won't work here.
Masquerading is done by the firewall, do I have to disable ftp-forwarding in FW_MASQ_MODULES= ?
Please draw an ascii picture of your network and how the request should work.
I do not really understand what you want to configure.
client  http proxy setting to --> gateway port 3128 --> internet
        ftp no proxy setting  --> gateway port 21|
                                          ^      |
                                          |      |
                                    Trans-Proxy --|
        other protocols       --> gateway masq --> internet

If there are proxies for the other protocols available, I'll try to configure it, step by step.
The problem is that outgoing ftp demands aren't going over the proxy, but directly over the gateway. I don't know how to redirect ftp demands without modifying the clients to use a proxy. In /var/log/messages there are entries about the local test:

Mar 22 09:11:30 mserver ftp-child[6431]: USER-INF 'PASS XXXX' from 172.16.2.5
Mar 22 09:11:31 mserver ftp-child[6431]: USER-INF 'PWD' from 172.16.2.5
Mar 22 09:11:31 mserver ftp-child[6431]: USER-INF 'SYST' from 172.16.2.5
Mar 22 09:11:45 mserver ftp-child[6431]: USER-INF 'QUIT' from 172.16.2.5

but no entries from a connect client --> outside ftp server like ftp.suse.com
Hi,

you can redirect it by setting the following:

<--snap
iptables -t nat -A PREROUTING -s <Local-Net> -d ! <Gateway-ip> -i <Local-Dev> -p tcp --dport 21 -j REDIRECT --to-port <proxy-port>
snap-->

Ciao ;-)
Robert Rottscholl - DE
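Marius's explanation of how the gateway hands redirected connections to the proxy, and Robert's PREROUTING rule, as an added Python sketch that is not part of the thread or of ftp-proxy itself: should_redirect mirrors the rule's decision (LAN interface, LAN source, port 21, destination not the gateway) and original_destination shows how a transparent proxy recovers the destination the client actually asked for. The eth0 interface, the 172.16.0.0/16 LAN and the 198.51.100.7 server used in the comments and tests are assumed values, not from the thread.

```python
import ipaddress
import socket
import struct

# Value from <linux/netfilter_ipv4.h>; the socket module does not export it.
SO_ORIGINAL_DST = 80

def should_redirect(src_ip, dst_ip, dport, in_dev,
                    local_net, gateway_ip, local_dev, ftp_port=21):
    """Decision logic of the PREROUTING rule posted in the thread.

    Only FTP control connections that arrive on the LAN interface, come from
    the LAN and are NOT addressed to the gateway itself get redirected; the
    '-d ! <Gateway-ip>' part keeps traffic meant for the gateway (the local
    proftpd, the proxy's own listening port) out of the proxy.
    """
    from_lan = ipaddress.ip_address(src_ip) in ipaddress.ip_network(local_net)
    return (in_dev == local_dev and from_lan
            and dport == ftp_port and dst_ip != gateway_ip)

def pack_sockaddr_in(ip, port):
    """Build the 16-byte struct sockaddr_in the kernel returns; used here only
    to construct sample input (assumed addresses) without a redirected socket."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))

def parse_sockaddr_in(raw):
    """Decode sockaddr_in: family (host order), port (network order), IPv4."""
    if len(raw) < 8 or struct.unpack_from("=H", raw, 0)[0] != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr_in")
    port = struct.unpack_from("!H", raw, 2)[0]
    return socket.inet_ntoa(raw[4:8]), port

def original_destination(conn):
    """Where the client really wanted to go before the kernel redirected it.

    A 2.4 netfilter kernel keeps it in SO_ORIGINAL_DST.  A 2.2 kernel with
    ipchains transparent proxying has no such option, but getsockname() on
    the accepted socket already reports the pre-redirect destination, so that
    is the fallback.  The proxy then opens its own connection to that address.
    """
    try:
        raw = conn.getsockopt(getattr(socket, "SOL_IP", 0), SO_ORIGINAL_DST, 16)
        return parse_sockaddr_in(raw)
    except OSError:
        host, port = conn.getsockname()[:2]
        return host, port
```

Robert's rule is iptables syntax for a 2.4 netfilter kernel; on the 2.2.19/ipchains box described in the thread the equivalent is an `ipchains -A input ... -p tcp --dport 21 -j REDIRECT <proxy-port>` rule, which needs a kernel built with CONFIG_IP_TRANSPARENT_PROXY.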