Tugger the SLUGger! SLUG Mailing List Archives

[SLUG] transparent ftp-proxying


Apologies for the cross-post from another list, but I thought some sluggers
might be interested in this.
Thanks to this guy and the guys at SuSE we can do transparent proxying of
ftp traffic, and even block allowed ftp connections. I have tried this software
and it works quite well. I haven't tried the transparent proxy bit.


dave

-----Original Message-----
From: mt@xxxxxxx [mailto:mt@xxxxxxx]
Sent: Tuesday, 24 October 2000 1:49 AM
To: STCassling@xxxxxxxxxxxxxxx
Cc: Volker Wiegand; proxy-suite@xxxxxxxx
Subject: [proxy-suite] Re: ftp-proxy


On Sun, Oct 22, 2000 at 07:04:51PM -0700, Volker Wiegand wrote:
> Hi,

Hi!

> I am currently a little bit overloaded, but I believe Marius can
> help you find the answer. Marius, would you be so kind as to
> answer Simon?
>
> Kind regards
> Volker
>
>
>
> On Fri, 13 Oct 2000 STCassling@xxxxxxxxxxxxxxx wrote:
>
> > Hello Volker,
>
> > 	I realise you probably get many e-mails, but if you get the
> > time to reply I would greatly appreciate it. The requirement we have
> > is to proxy internal FTP clients to the Internet (where we can
> > therefore control what sites they can FTP to).

I plan to implement direct support for destination control,
but at the moment it is not supported by the proxy itself.

> > I have tried to
> > configure the ftp-proxy software but am currently getting the
> > following error "TECH-ERR can't get peername for socket 0" - I have

I need more info to say anything about that, i.e. the config file
and the log / debug output.

> > looked through the proxy-suite archive lists and although the question
> > has been raised before there appears to be no answer, I have also
> > noticed in the lists reference to a file "TRANSPARENT_PROXY.txt" but

The transparent proxy version is not "official" at the moment.
You can get it from:

http://www.suse.de/~mt/proxy-suite/

5894d4c80888bcfa4cb2e345676dc69e  fwproxy-1.7tp3-0.i386.rpm
3522e255e0d8bf5f106def52246d0c49  fwproxy-1.7tp3-0.src.rpm


With this "transparent version" you can control the destinations
with ipchains. You simply redirect allowed destinations to the
proxy and deny all others...
For example, if your local network is 192.168.1.0/24 and the proxy
(= gateway) with the ftp-proxy is 192.168.1.254 you can do something
like this (a shell script):

#!/bin/sh
# Redirect FTP control connections (port 21) from the local network to the
# ftp-proxy for the destinations listed in $allow_dest; refuse all others.
# Rules are appended to the gateway's "input" chain in this order, so the
# REDIRECT rules for allowed destinations are matched before the catch-alls.
allow_dest="/etc/proxy-suite/allowed-destinations"
LOCALNET="192.168.1.0/24"
LOCAL_IP="192.168.1.254"
LOG="-l"
# No direct connections to the proxy port, from inside or outside.
# (-p tcp is needed: ipchains only accepts a port together with a protocol.)
ipchains -A input -p tcp -s   $LOCALNET -d $LOCAL_IP 21 -j REJECT $LOG
ipchains -A input -p tcp -s ! $LOCALNET -d $LOCAL_IP 21 -j DENY   $LOG
if test -f "$allow_dest" ; then
  # One "<ip-number/hostname> [port]" per line; '#' starts a comment.
  while read -r xdest xport ; do
    dest=${xdest%%\#*}
    port=${xport%%\#*}
    test -z "$dest" && continue
    test -z "$port" && port=21
    ipchains -A input -p tcp -s $LOCALNET -d $dest $port -j REDIRECT 21 $LOG
  done < "$allow_dest"
else
  echo "can not read file $allow_dest" 1>&2
fi
# Everything else on port 21 is refused.
ipchains -A input -p tcp -s   $LOCALNET -d 0/0 21 -j REJECT $LOG
ipchains -A input -p tcp -s ! $LOCALNET -d 0/0 21 -j DENY   $LOG

In /etc/proxy-suite/allowed-destinations you enter all IPs
(and optionally also the port) your users can connect to via
the proxy:

#
# <ip-number/hostname> [port]
#
ftp.suse.com
ftp.suse.de 21

You may also set "AllowMagicUser no" in the proxy configuration
so the user can't override the destination...

> > there is no copy of that on my installation (version 7 with the latest
> > rpm update for ftp-proxy) - although I have found a version in German
> > on the web, which leads me on to my second question - am I using the
> > right tool for what I am trying to achieve or should I be using some
> > sort of ipchains/masquerading set-up etc. Please be aware I am not a
> > Unix/Linux expert but am a keen amateur trying to push Linux where
> > possible/safe into our work environment to gain greater acceptance of
> > the platform.
> >
> > Many thanks for your time - again, any help or pointers would be
> > greatly appreciated.
> >
> > Regards,
> > Simon Cassling
> >
> >
>
> --
>  Freundschaftlich / With kind regards
>  Volker
>
> --
>  Volker Wiegand              Voice: +1-510-628-3380 ext 5029
>  SuSE Inc.                             Fax:  +1-510-628-3381
>  580 Second Street, Suite 210       Mobile:  +1-510-333-9248
>  Oakland, CA 94607 USA              E-Mail: wiegand@xxxxxxxx
>
>

--
Gruesse,
 Marius Tomaschewski <mt@xxxxxxx>
--
 SuSE GmbH, Hamburg  ---  SuSE Labs, Product Development
 PGP public key available:  http://www.suse.de/~mt/mt.pgp
 Fprint: EA 1F 92 75 1A F9 82 07  A1 28 DE 7A 32 E8 97 18
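The following is an added example, not part of the original posts or of the proxy-suite package: a POSIX shell script that reads an allowed-destinations file in the "<ip-number/hostname> [port]" format described above and prints, rather than runs, the ipchains rules it would load. Generating the rule set first lets you review it on the gateway before it goes live, and lets the parser be checked against a constructed file. It adds `-p tcp` to every rule (ipchains only accepts a port together with a protocol) and skips entries whose port is not numeric instead of emitting a half-formed rule. The function names gen_redirect_rules and gen_ruleset, the address 192.0.2.10 and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post or proxy-suite): build the ipchains
# rules for the transparent ftp-proxy from an allowed-destinations file and
# print them, so the rule set can be reviewed before it is loaded.
#
# File format, as in the post: "<ip-number/hostname> [port]", '#' starts a
# comment (full-line or trailing), the port defaults to 21.

LOCALNET="192.168.1.0/24"   # internal clients
LOCAL_IP="192.168.1.254"    # gateway running ftp-proxy on port 21

# Print one REDIRECT rule per allowed destination. Malformed entries are
# reported on stderr and skipped; a missing file is an error (return 1).
gen_redirect_rules() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%\#*}            # drop comments, trailing ones included
        set -- $line                 # split into fields: dest [port]
        [ $# -eq 0 ] && continue     # blank or comment-only line
        dest="$1"; port="${2:-21}"
        case "$port" in
            ''|*[!0-9]*) echo "skipping '$dest': bad port '$port'" >&2; continue ;;
        esac
        if [ $# -gt 2 ]; then echo "skipping '$dest': too many fields" >&2; continue; fi
        echo "ipchains -A input -p tcp -s $LOCALNET -d $dest $port -j REDIRECT 21 -l"
    done < "$file"
    return 0
}

# Complete rule set in the order the post uses: no direct use of the proxy
# port, REDIRECT for allowed destinations, then refuse all other port-21 traffic.
gen_ruleset() {
    echo "ipchains -A input -p tcp -s   $LOCALNET -d $LOCAL_IP 21 -j REJECT -l"
    echo "ipchains -A input -p tcp -s ! $LOCALNET -d $LOCAL_IP 21 -j DENY   -l"
    gen_redirect_rules "$1" || return 1
    echo "ipchains -A input -p tcp -s   $LOCALNET -d 0/0 21 -j REJECT -l"
    echo "ipchains -A input -p tcp -s ! $LOCALNET -d 0/0 21 -j DENY   -l"
}

# Constructed sample in the /etc/proxy-suite/allowed-destinations syntax,
# including a trailing comment, a blank line, a non-default port and a bad entry.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
#
# <ip-number/hostname> [port]
#
ftp.suse.com
ftp.suse.de 21   # explicit port, trailing comment

192.0.2.10 2121
bad.example.org 21a
EOF

gen_ruleset "$sample"
rm -f "$sample"
```

Run it as-is to see the rules for the sample file; on the gateway, pipe the output into `sh` only after reading it. Hostnames are resolved by ipchains when the rule is added, so a destination whose address changes later needs the rules regenerated.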