|
|
| What the heck is a transparent proxy? |
|
A transparent proxy is a proxy that is tansparent :-), i.e. one the
user does not notice. Thus the user does not have to configure his
programs, the programs do not have to support a proxy and so on... A
special service like http or in our example ftp is redirected to a
port a proxy listens on. Then this proxy program manages the
connection.
|
|
| What do I need to setup jftpgw as a a transparent proxy server |
- jftpgw v0.0.10 or higher on the proxy machine
- you must be root on the proxy machine
- the kernel must support packet redirecting without rewriting the
target address (CONFIG_IP_TRANSPARENT_PROXY=y for Linux 2.2, it is
in the netfilter code in 2.4)
- the client machine must route all IP traffic through the proxy
machine
- a regular FTP program to transfer the files
|
|
| How to setup jftpgw's transparent proxy support with Linux |
|
First, of course, compile jftpgw in the normal fashion. Make sure
that the bindport option is not on the standard port 21
but on some other. As of version 0.12.0 you have to explicitly set
the option transparent-proxy to on in the
configuration file.
If you're using netfilter (Kernel 2.4) see the section on netfilter support of jftpgw on this page
Now, for ipchains become root and (I assume you're you
run jftpgw on the port 2370) issue the following command:
ipchains -A input -d 0/0 ftp -p tcp -j REDIRECT 2370
That's it. Now the proxy machine intercepts the TCP packets that go
to any host on the FTP port and forwards them to the port 2370 on
the proxy machine. There, jftpgw looks at the real destination
address and connects to the ftp server there.
Please note: In order to prevent the proxy from looping,
limit the connections from your local proxy machine to a low number
in the configuration file (option limit) or don't even allow
the proxy machine to connect to itself by putting access deny
into the from tag that contains the name of the local
machine.
Looping may occur because with the transparent mode, the proxy looks
at incoming packets where they should go to and opens a connection
there. But what if you log in to the proxy itself? It opens a
connection to itself and to itself and to itself...
|
|
| netfilter support of jftpgw |
First, make sure jftpgw is compiled with support for netfilter. You
can do this by calling it with the -v parameter:
jftpgw v0.0.12pre - without sftp support - netfilter support enabled
If you see instead a line saying
jftpgw v0.0.12pre - without sftp support - without netfilter support
watch the configure script for the following line:
checking for linux/netfilter_ipv4.h... (cached) yes
If jftpgw cannot find this header, netfilter support cannot be
included.
The redirection rule for iptables is pretty much the same as
the one for ipchains. I assume that 192.168.0.0/16 is your private
network and jftpgw is listening on port 2370 on the interface
192.168.0.1 of the router)
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/16 --dport 21 -j DNAT \
--to 192.168.0.1:2370
(this is actually one line, it is indicated by the backslash at the
end of the first line)
|
|
| How to setup jftpgw's transparent proxy support with NetBSD |
|
This section is written by Ken'ichi Fukamachi (fukachan at fml.org) and
describes how to use transparent jftpgw by ip filter on NetBSD. Please note
that this only applies to jftpgw 0.13.x.
You need to configure NetBSD in the following way:
Suppose jftpgw waits for incoming ftp connection at 10021/tcp on
localhost. You need to change these variables in jftpgw.conf.
dropprivileges loggedin
transparent-proxy on
dataclientaddress $INTERNAL_INTERFACE_ADDRESS
listen 127.0.0.1:10021
where $INTERNAL_INTERFACE_ADDRESS is the ipv4 address for the internal
interface, for example, 192.168.1.1.
For the port redirection, please customize /etc/rc.conf and
/etc/ipnat.conf.
Firstly, edit /etc/rc.conf to enable ipfilter and ipnat.
ipfilter=YES
ipnat=YES
Secondly, add the rule for the ftp redirection into /etc/ipnat.conf.
rdr ep0 0.0.0.0/0 port 21 -> 127.0.0.1 port 10021 tcp
where "ep0" is the internal interface name.
Please see ipnat.conf(5) for more details of ipnat rules.
Lastly, run the following rc.d scripts to reset ipfilter and ipnat
functions.
# /etc/rc.d/ipfilter start
# /etc/rc.d/ipnat start
Congratulations. You can get transparent ftp proxy.
|
|
| How to setup jftpgw's transparent proxy support with FreeBSD |
|
Thanks for this section go to Simas Cepaitis (simas at 5ci dot lt) and
describes how to use transparent jftpgw by ipfw on FreeBSD. Please note
that this only applies to jftpgw 0.13.x.
For FreeBSD, if you use ipfw, you must have compiled in IPFIREWALL_FORWARD
option in the kernel.
options IPFIREWALL
options IPFIREWALL_FORWARD
Then add these two lines into your firewall config:
ipfw add allow tcp from me to any 21
me here is a keyword, which matches all server's outside interfaces.
Or if there is only one outside interface, it should look like
ipfw add allow tcp from $SERVER_IP to any 21
This rule is here to prevent infinite loops, which would
be created by the next rule, if first is not present:
ipfw add fwd 127.0.0.1,2370 tcp from any to any 21
Of course, it can be changed like (but I don't really use this, because I
have few class C networks and I don't want to fill up my ipfw configuration
with rules like this):
ipfw add fwd 127.0.0.1,2370 tcp from $CLIENTIP to any 21
By the way, these rules must be directly in this order for ipfw.
Furthermore you'll have to enable ipfw in rc.conf :-)
firewall_enable="YES"
firewall_script="/etc/rc.firewall.fwd"
Congratulations. You can get transparent ftp proxy.
|
|
| You need transparent proxy support but want to use another
FTP proxy? |
|
Since jftpgw 0.0.10 final there is a new option called
"transparent-forward".
With this option, jftpgw acts as a transparent proxy but does not
handle the connection alone. Instead, it gets the source, the
destination, the remote user and the remote password and then passes
them to another FTP proxy where it logs on with
remoteuser@remotesite.com and sends the read password as the
password for the remote site.
|
|
|
|