SLUG Mailing List Archives
[SLUG] transparent ftp-proxying
- To: "Slug@Slug. Org. Au" <slug@xxxxxxxxxxx>
- Subject: [SLUG] transparent ftp-proxying
- From: "Dave Kempe" <david@xxxxxxxxxxxxxxxxxx>
- Date: Tue Oct 24 07:45:21 2000
Apologies for the cross post from another list, but thought some sluggers
might be interested in this.
Thanks to this guy and the guys at Suse we can do transparent proxying of
ftp traffic. Even block allowed ftp connections. I have tried this software
and it works quite well. I haven't tried the transparent proxy bit.
From: mt@xxxxxxx [mailto:mt@xxxxxxx]
Sent: Tuesday, 24 October 2000 1:49 AM
Cc: Volker Wiegand; proxy-suite@xxxxxxxx
Subject: [proxy-suite] Re: ftp-proxy
On Sun, Oct 22, 2000 at 07:04:51PM -0700, Volker Wiegand wrote:
> I am currently a little bit overloaded, but I believe Marius can
> help you find the answer. Marius, would you be so kind as to
> answer Simon?
> Kind regards
> On Fri, 13 Oct 2000 STCassling@xxxxxxxxxxxxxxx wrote:
> > Hello Volker,
> > I realise you probably get many e-mail's but if you get them
> > time to reply I would greatly appreciate it. The requirement we have
> > is to proxy internal FTP clients to the Internet (where we can
> > therefore control what sites they can FTP to).
I plan to implement a direct support of destination control,
but at the moment it is not supported by the proxy itself.
> > I have tried to
> > configure the ftp-proxy software but am currently getting the
> > following error "TECH-ERR can't get peername for socket 0" - I have
I need more info to say anything about, i.e. the config file,
log / debug output.
> > looked through the proxy-suite archive lists and although the question
> > has been raised before there appears to be no answer, I have also
> > noticed in the lists reference to a file "TRANSPARENT_PROXY.txt" but
The transparent proxy version is not "official" at the moment.
You can get it from:
With this "transparent-version" you cann control the destinations
with ipchains. You simply redirect allowed destinations to the
proxy and deny all other...
For example, if your local network is 192.168.1.0/24 and the proxy
(= gateway) with the ftp-proxy is 192.168.1.254 you can do something
like that (a shell script):
ipchains -A input -s $LOCALNET -d $LOCAL_IP 21 -j REJECT $LOG
ipchains -A input -s ! $LOCALNET -d $LOCAL_IP 21 -j DENY $LOG
if test -f "$allow_dest" ; then
while read xdest xport ; do
test -z "$dest" && continue
test -z "$port" && port=21
ipchains -A input -s $LOCALNET -d $dest $port -j REDIRECT 21 $LOG
done < "$allow_dest"
echo "can not read file $allow_dest" 1>&2
ipchains -A input -s $LOCALNET -d 0/0 21 -j REJECT $LOG
ipchains -A input -s ! $LOCALNET -d 0/0 21 -j DENY $LOG
In /etc/proxy-suite/allowed-destinations you enter all ip's
(and optional also the port) your users can connect to via
# <ip-number/hostname> [port]
you may also set "AllowMagicUser no" in the proxy configuration
so the user can't override the destination...
> > there is no copy of that on my installation (version 7 with the latest
> > rpm update for ftp-proxy) - although I have found a version in German
> > on the web, which leads me on to my second question - am I using the
> > right tool for what I am trying to achieve or should I be using some
> > sort of ipchains/masquerading set-up etc. Please be aware I am not a
> > Unix/Linux expert but am a keen amateur trying to push Linux where
> > possible/safe into our work environment to gain greater acceptance of
> > the platform.
> > Many thanks for you time - again, any help or pointers would be
> > greatly appreciated.
> > Regards,
> > Simon Cassling
> Freundschaftlich / With kind regards
> Volker Wiegand Voice: +1-510-628-3380 ext 5029
> SuSE Inc. Fax: +1-510-628-3381
> 580 Second Street, Suite 210 Mobile: +1-510-333-9248
> Oakland, CA 94607 USA E-Mail: wiegand@xxxxxxxx
Marius Tomaschewski <mt@xxxxxxx>
SuSE GmbH, Hamburg --- SuSE Labs, Product Developement
PGP public key available: http://www.suse.de/~mt/mt.pgp
Fprint: EA 1F 92 75 1A F9 82 07 A1 28 DE 7A 32 E8 97 18