On 02/08/2017 06:10 AM, Alex wrote:

> I've specified
> 'ftp_port 2121 intercept' and made squid intercept outgoing FTP
> traffic according to the following rules:
> iptables -t nat -A OUTPUT -p tcp -m owner --gid-owner squid -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 21 -j REDIRECT --to-port 2121

> 07.02.2017, 16:23, "Alex" <gozzy@xxxxxxxxx>:
>> I thought that active mode will cause less problems, but it seems
>> that what squid tries to do is illegal. As far as I understand, in
>> active mode squid tries to connect to a client and spoofs source IP
>> address.

Since spoofing client IP addresses is common for many working Squid
interception setups doing HTTP, it has to be technically possible (i.e.,
"legal" in your terminology). Unfortunately, I do not know enough
low-level details to guide you further. Most likely, the FTP-specific
Squid code facilitating IP spoofing is buggy or you are doing something
wrong (or both).

FWIW, IIRC, FTP interception code has worked for many folks. Let's hope
that somebody with a working FTP interception setup speaks up.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users