date: 2005-11-18 19:01:29+00:00

'HOWTO : Setting up a transparent FTP proxy using frox'

categories: - Howto - Linux - Proxy - Security

Running a transparent FTP proxy is an easy way to control the FTP connections made by people on your network (using ACLs). If you are already running Squid as a transparent (web) proxy, it cannot act as a transparent FTP proxy as well, so you need another tool for FTP proxying: frox will do the job.

Installation & compilation

Grab the latest version of Frox at . Compile the package the usual way.

The following files should be installed:

- /etc/frox.conf
- /usr/local/sbin/frox
- /var/log/frox/frox-log
- /var/run/

/etc/frox.conf:

```
Listen
Port 2121
# depends on your config, should be the LAN NIC
BindToDevice eth1
ResolvLoadHack
User nobody
Group nobody
WorkingDir /usr/local/bin
DontChroot Yes
LogLevel 20
LogFile /var/log/frox/frox-log
XferLogging yes
PidFile /var/run/
BounceDefend yes
PassivePorts 49152-65534
MaxForks 10
MaxForksPerHost 4

# Allow rules first, deny rules next
# this will allow access to ANY FTP server (internal AND external)
ACL Allow - * 21
# this will allow access to server
ACL Allow - 21
# this will allow access to the internal server
ACL Allow - 21
# this will block anything else from the subdomain
ACL Deny - * 21
```
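Because ACL order decides what gets through, it is worth checking a rule set before loading it into frox. The following is an added Python example (not part of the original post, and not frox's own code): it parses `ACL Allow|Deny <source> - <destination> <port>` lines in the format shown above and evaluates a client/server/port triple with first-match semantics. It uses constructed sample addresses, and it assumes that a connection matching no rule is denied; confirm that default against your frox version's documentation.

```python
import ipaddress

# Constructed sample ACL set in frox.conf style (not the values from the post):
# ACL Allow|Deny <source> - <destination> <port>; '*' matches anything.
SAMPLE_ACLS = """
# allow rules first, deny rules next
ACL Allow 192.168.1.0/24 - 192.168.1.10 21
ACL Allow 192.168.1.0/24 - 198.51.100.5 21
ACL Deny  192.168.1.0/24 - * 21
""".splitlines()

def _parse_net(token):
    """'*' matches any address; otherwise a single host or a CIDR network."""
    return None if token == "*" else ipaddress.ip_network(token, strict=False)

def parse_acls(lines):
    """Return [(action, src_net, dst_net, port)] in file order (order matters)."""
    rules = []
    for line in lines:
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0].upper() != "ACL":
            continue  # blank line, comment, or another directive
        if len(fields) != 6 or fields[3] != "-":
            raise ValueError("malformed ACL line: " + line)
        action, src, dst, port = fields[1].lower(), fields[2], fields[4], fields[5]
        if action not in ("allow", "deny"):
            raise ValueError("bad ACL action: " + line)
        rules.append((action, _parse_net(src), _parse_net(dst),
                      None if port == "*" else int(port)))
    return rules

def _matches(net, addr):
    return net is None or ipaddress.ip_address(addr) in net

def evaluate(rules, src, dst, port=21):
    """First matching rule wins. Assumption: a connection matching no rule is denied."""
    for action, src_net, dst_net, rule_port in rules:
        if _matches(src_net, src) and _matches(dst_net, dst) \
                and (rule_port is None or rule_port == port):
            return action
    return "deny"

if __name__ == "__main__":
    rules = parse_acls(SAMPLE_ACLS)
    print(evaluate(rules, "192.168.1.50", "192.168.1.10"))  # allow
    print(evaluate(rules, "192.168.1.50", "203.0.113.9"))   # deny
```

Swapping the Deny line above the Allow lines shows the same triple being denied, which is exactly the ordering mistake the post warns about.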

Redhat/Fedora/CentOS init script

I made a pretty short init script to start frox as a service on RedHat based machines

Save the following script under /etc/init.d/frox:

```sh
#!/bin/sh
### /etc/init.d/frox ###
#
# Init file for frox (transparent ftp proxy)
#
# chkconfig: 345 96 50
# description: frox

FROX_BIN=/usr/local/sbin/frox
FROX_CONF=/etc/frox.conf
FROX_LOG=/var/log/frox/frox-log
# pid file: must match the PidFile directive in frox.conf
FROX_PID=/var/run/

case "$1" in
  'start')
    echo "Starting Frox..."
    $FROX_BIN -f $FROX_CONF
    ;;
  'stop')
    echo "Stopping Frox..."
    if [ -f $FROX_PID ]; then
      kill `cat $FROX_PID`
      rm $FROX_PID
    else
      echo "Frox not running"
    fi
    ;;
  *)
    # 'help' or any other argument
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac
exit 0
### EOF ###
```

Type:

```
chkconfig --add frox
service frox start
```

Frox should start.

Iptables configuration

Add the following line to /etc/sysconfig/iptables under the NAT section. Anyone in the given subnet trying to access port 21 will be transparently redirected to frox, which will allow or deny the connection:

```
-A PREROUTING -s -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 2121
```

Type: `service iptables restart`

Test your configuration

Telnet into your frox server and check out the logs using: `tail -f /var/log/frox/frox-log`

If you want to lock down iptables, you'll run into problems: see