I just set up a transparent ftp proxy using frox 0.7.6. Works pretty well, only state matching (iptables 1.2.5-58) for the connections between the client and frox doesn't work as I would have expected. Here are the rules that are necessary:
----------------------------------------------------------------------------
# Redirection to frox port
$PROG -t nat -A PREROUTING -p tcp -i br0 -s $INTRANET --sport 1024: \
    -d ! $INTRANET --dport 21 -j REDIRECT --to-ports 2121
# ftp request client to frox
$PROG -A INPUT -p tcp -i br0 -s $INTRANET --sport 1024: -d $INT \
    --dport 2121 -m state --state NEW,ESTABLISHED -j ACCEPT
$PROG -A OUTPUT -p tcp -s $INT --sport 2121 -o br0 -d $INTRANET \
    --dport 1024: ! --syn -m state --state ESTABLISHED -j ACCEPT
# as expected
# data channel frox to client, passive ftp
$PROG -A INPUT -p tcp -i br0 -s $INTRANET --sport 1024: -d $INT \
    --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$PROG -A OUTPUT -p tcp -s $INT --sport 1024: -o br0 -d $INTRANET \
    --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# would expect to need only ESTABLISHED,RELATED in the first line
# would expect to need only ESTABLISHED in the second line
# (didn't try NEW,ESTABLISHED without RELATED yet)
# data channel frox to client, active ftp
$PROG -A OUTPUT -p tcp -s $INT --sport 20 -o br0 -d $INTRANET \
    --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$PROG -A INPUT -p tcp -i br0 -s $INTRANET --sport 1024: -d $INT \
    --dport 20 ! --syn -m state --state ESTABLISHED -j ACCEPT
# would expect to need only ESTABLISHED,RELATED in the first line
# ftp request frox to internet
$PROG -A OUTPUT -p tcp -s $EXT --sport 1024: -o eth2 -d 0/0 \
    --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$PROG -A INPUT -p tcp -i eth2 -s 0/0 --sport 21 -d $EXT \
    --dport 1024: ! --syn -m state --state ESTABLISHED -j ACCEPT
# data channel internet to frox, passive ftp
$PROG -A OUTPUT -p tcp -s $EXT --sport 1024: -o eth2 -d 0/0 \
    --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$PROG -A INPUT -p tcp -i eth2 -s 0/0 --sport 1024: -d $EXT \
    --dport 1024: ! --syn -m state --state ESTABLISHED -j ACCEPT
## data channel internet to frox, active ftp
#$PROG -A INPUT -p tcp -i eth2 -s 0/0 --sport 20 -d $EXT \
#    --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
#$PROG -A OUTPUT -p tcp -s $EXT --sport 1024: -o eth2 -d 0/0 \
#    --dport 20 ! --syn -m state --state ESTABLISHED -j ACCEPT
----------------------------------------------------------------------------
(You might wonder about the device br0: frox works with bridging! .-)))
The state matching rules for the "external" connections to the internet work as expected. But for the "internal" data connections between frox and the clients, frox always needs to build a NEW data connection instead of a RELATED one. Since this is only for the internal connections, not for the external ones, I have the feeling that this might be due to frox. (Didn't find any frox mailing list; does anybody know one?) Or is there any problem with ip_conntrack_ftp for an ftp server? Perhaps somebody has a better clue.
Greetings,
Dieter
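The same rule set written so the data-channel rules between frox and the clients rely on RELATED alone, as an added example that is not part of Dieter's post or of frox itself. It assumes the one prerequisite that makes RELATED possible on the internal side: ip_conntrack_ftp loaded with the proxy port included (modprobe ip_conntrack_ftp ports=21,2121). By default the helper only inspects control connections whose server port is 21; a connection REDIRECTed to 2121 is therefore not parsed, no expectation is registered for the PASV/PORT data connection, and its first packet shows up as NEW rather than RELATED, which is exactly the difference between the external rules (port 21 untouched) and the internal ones. The addresses and the sample modprobe option line below are constructed values; the iptables command is passed in as a parameter so the rules can be printed with echo before being loaded.

```shell
#!/bin/sh
# Added example, not from the original post: frox rule set with RELATED-only
# data channels, plus a check of the ip_conntrack_ftp prerequisite.
#
# Assumption: the ftp conntrack helper was loaded with the proxy port, e.g.
#   modprobe ip_conntrack_ftp ports=21,2121
# Without that, the helper never sees the redirected control channel on 2121
# and the data connections it negotiates can only match NEW.
# Addresses below are constructed sample values, not from the post.

PROXY_PORT=2121
INTRANET=${INTRANET:-192.168.1.0/24}   # constructed: client network on br0
INT=${INT:-192.168.1.1}                # constructed: firewall address on br0
EXT=${EXT:-203.0.113.5}                # constructed: firewall address on eth2

# Return 0 when an "options ip_conntrack_ftp ports=..." line (passed as $1)
# lists PROXY_PORT, i.e. the helper will inspect the redirected control channel.
helper_watches_proxy_port() {
    ports=$(printf '%s\n' "$1" | sed -n 's/.*ports=\([0-9,]*\).*/\1/p')
    [ -n "$ports" ] || return 1
    printf '%s\n' "$ports" | tr ',' '\n' | grep -qx "$PROXY_PORT"
}

# Emit the rule set through "$1" (iptables for real, echo for a dry run).
# High-port data rules carry no NEW: the first data packet must be RELATED,
# so the proxy host no longer accepts arbitrary high-port connections.
frox_rules() {
    PROG=$1
    # control channel client -> frox, transparently redirected to PROXY_PORT
    $PROG -t nat -A PREROUTING -p tcp -i br0 -s "$INTRANET" --sport 1024: \
        -d ! "$INTRANET" --dport 21 -j REDIRECT --to-ports "$PROXY_PORT"
    $PROG -A INPUT -p tcp -i br0 -s "$INTRANET" --sport 1024: -d "$INT" \
        --dport "$PROXY_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
    $PROG -A OUTPUT -p tcp -s "$INT" --sport "$PROXY_PORT" -o br0 -d "$INTRANET" \
        --dport 1024: ! --syn -m state --state ESTABLISHED -j ACCEPT
    # data channel frox <-> client, passive ftp: the client opens, so the
    # inbound SYN must be RELATED (expectation from the parsed 227 reply)
    $PROG -A INPUT -p tcp -i br0 -s "$INTRANET" --sport 1024: -d "$INT" \
        --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
    $PROG -A OUTPUT -p tcp -s "$INT" --sport 1024: -o br0 -d "$INTRANET" \
        --dport 1024: ! --syn -m state --state ESTABLISHED -j ACCEPT
    # data channel frox -> client, active ftp: frox opens from port 20
    $PROG -A OUTPUT -p tcp -s "$INT" --sport 20 -o br0 -d "$INTRANET" \
        --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
    $PROG -A INPUT -p tcp -i br0 -s "$INTRANET" --sport 1024: -d "$INT" \
        --dport 20 ! --syn -m state --state ESTABLISHED -j ACCEPT
    # control channel frox -> internet
    $PROG -A OUTPUT -p tcp -s "$EXT" --sport 1024: -o eth2 -d 0/0 \
        --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    $PROG -A INPUT -p tcp -i eth2 -s 0/0 --sport 21 -d "$EXT" \
        --dport 1024: ! --syn -m state --state ESTABLISHED -j ACCEPT
    # data channel frox -> internet, passive ftp
    $PROG -A OUTPUT -p tcp -s "$EXT" --sport 1024: -o eth2 -d 0/0 \
        --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
    $PROG -A INPUT -p tcp -i eth2 -s 0/0 --sport 1024: -d "$EXT" \
        --dport 1024: ! --syn -m state --state ESTABLISHED -j ACCEPT
}

# Number of rules the set installs (dry-run sanity check).
rule_count() {
    frox_rules echo | wc -l | tr -d ' '
}

# Number of rules that accept NEW on a high-port destination range: must be 0.
new_on_high_ports() {
    frox_rules echo | grep -- '--dport 1024:' | grep -c NEW || true
}

# Usage (dry run):  frox_rules echo
# Usage (live):     frox_rules iptables
```

Run `frox_rules echo` first and check that `new_on_high_ports` reports 0; if RELATED still does not match on the internal side after the helper has been loaded with the proxy port, the conntrack table (/proc/net/ip_conntrack) shows whether the 2121 control connection carries the ftp helper at all, which is the thing to verify before touching the rules again.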