Are there working ftp proxy servers?

I want to place a proxy host between the ftp server and the client, so that the client does not know the real address of the ftp server.

The ftp protocol with its passive mode does not allow you to simply proxy traffic. You need some special ftp proxy server that will intercept the ftp server packets and replace the address and ports in them for a passive connection.

Is there such an ftp proxy server?

I have a Debian system. I tried installing and running ftp-proxy, but it doesn't work at all. It always writes:

Dec 22 04:32:42 host.local systemd[1]: Starting LSB: Launch ftp-proxy...
Dec 22 04:32:42 host.local ftp-proxy[6930]: Starting FTP-Proxy: ftp-proxydisabled. ... (warning).
Dec 22 04:32:42 host.local systemd[1]: Started LSB: Launch ftp-proxy.

2 answers

I solved the problem for myself like this: I proxied the traffic via NAT, and for passive connections to work normally I set the MasqueradeAddress parameter in the config of the proftpd ftp server.

Full instructions:

Connect to the host where the ftp server will be located and install the proftpd ftp server:

apt install -y proftpd

Create a config /etc/proftpd/conf.d/local.conf with the following content:

PassivePorts                  7010 7019
MasqueradeAddress             айпи_прокси_хоста

Where 7010 7019 is the port range for passive mode, and айпи_прокси_хоста must be replaced with the IP of the proxy host; a domain name can be used instead.

Restart the proftpd service:

service proftpd restart

Connect to the proxy host and create the rules for proxying:

iptables -t nat -A PREROUTING -p tcp --dport 2121 -j DNAT --to-destination айпи_ftp_сервера:21
iptables -t nat -A PREROUTING -p tcp --dport 7010:7019 -j DNAT --to-destination айпи_ftp_сервера:7010-7019
iptables -t nat -A POSTROUTING -p tcp --dport 7010:7019 -j SNAT --to-source айпи_прокси_хоста
iptables -t nat -A POSTROUTING -p tcp --dport 21 -j SNAT --to-source айпи_прокси_хоста

Where айпи_ftp_сервера must be replaced with the IP of the host running the ftp server, and айпи_прокси_хоста with the IP address of the proxy host.

Done; proxying will now work. You will be able to connect via the proxy host at айпи_прокси_хоста:2121 and the connection will be redirected to айпи_ftp_сервера:21. The passive mode ports will also be proxied correctly.

The proxy host address from the MasqueradeAddress parameter will be sent by the ftp server to establish passive mode connections, which will completely hide the real IP of the ftp server from the client.

But this method has 2 disadvantages:

  1. With this configuration, it will not be possible to connect to the ftp server directly. The connection will only be possible through the proxy host.
  2. If you want to use one proxy host for proxying multiple ftp servers, you will have to create a unique passive mode port range for each ftp server, so that they do not overlap in the iptables nat rules.

The same can be done with the vsftpd ftp server: it has a setting pasv_address, which is the equivalent of MasqueradeAddress in proftpd.

 1
Author: Алексей Ковальчук, 2020-12-23 02:06:42
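An added check for the setup above (example code, not from the original answer): it parses the 227 PASV reply the ftp server sends through the proxy and confirms that it advertises the masquerade address and a port inside the DNAT'ed range, so the real server IP is not leaking to the client; it also tests whether two servers' passive ranges collide (disadvantage 2). The address 203.0.113.10 and the PASV replies are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original answer: verify what an ftp server
# behind the NAT proxy advertises in its PASV (227) reply. With a correct
# MasqueradeAddress the client must only ever see the proxy IP and a port
# from the DNAT'ed passive range. All replies and IPs below are constructed.

# pasv_decode REPLY -> prints "ip port" from a "227 ... (h1,h2,h3,h4,p1,p2)" line
pasv_decode() {
    body=${1#*\(}                                  # keep text after "("
    body=${body%%\)*}                              # keep text before ")"
    set -- $(printf '%s' "$body" | tr ',' ' ')     # split the six fields
    [ $# -eq 6 ] || return 1                       # malformed reply
    echo "$1.$2.$3.$4 $(($5 * 256 + $6))"          # port = p1*256 + p2
}

# pasv_check REPLY PROXY_IP LO HI -> 0 if the reply advertises PROXY_IP and a
# port inside the proxied passive range LO..HI, 1 on a leak or range error
pasv_check() {
    decoded=$(pasv_decode "$1") || { echo "unparseable PASV reply: $1"; return 1; }
    ip=${decoded% *}; port=${decoded#* }
    if [ "$ip" != "$2" ]; then
        echo "LEAK: server advertised $ip, expected masquerade address $2"; return 1
    fi
    if [ "$port" -lt "$3" ] || [ "$port" -gt "$4" ]; then
        echo "port $port is outside the proxied range $3-$4"; return 1
    fi
    echo "ok: client is told $ip:$port"
}

# ranges_overlap LO1 HI1 LO2 HI2 -> 0 if two servers' passive ranges collide
# (disadvantage 2: every server behind one proxy needs a disjoint range)
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

main() {
    # constructed replies: a correctly masqueraded server, then a leaking one
    for reply in "227 Entering Passive Mode (203,0,113,10,27,98)." \
                 "227 Entering Passive Mode (10,0,0,5,27,98)."; do
        pasv_check "$reply" 203.0.113.10 7010 7019 || :   # report, keep going
    done
    if ranges_overlap 7010 7019 7015 7024; then echo "ranges 7010-7019 and 7015-7024 overlap"; fi
}
main
```

In live use, feed the 227 line captured from a client's verbose session (for example with an ftp client's debug output) to pasv_check together with the MasqueradeAddress value and the PassivePorts range.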

Would you like to try Squid? I quote from the Wiki: a software package implementing a caching proxy server for the HTTP, FTP, Gopher and (with the appropriate settings) HTTPS protocols. In the settings you write something like:

acl Safe_ports port 21 # ftp
acl CONNECT method CONNECT
http_access deny !Safe_ports
acl ftp proto FTP
http_access allow ftp

I want to place a proxy host between the ftp server and the client, so that the client does not know the real address of the ftp server.

See the Squid configuration help.

 1
Author: Slavick Werewolf, 2020-12-23 17:23:42