[gentoo-user] Frox iptables ftp proxy
From: D.H. @ 2009-04-19 18:02 UTC
To: gentoo-user
I'd like to set up an ftp proxy on my home firewall so I can scan for
viruses using clamd. I found frox, which looks like it will do what I
want. I've pretty much used the default install, which makes frox listen
on 127.0.0.1:2121. But I'm not sure the firewall rules are working
right.
eth1 is the internal interface
iptables -A FORWARD -p tcp -i eth1 --destination-port 2121 \
--destination 127.0.0.1 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth1 --destination-port 21 \
-j DNAT --to-destination 127.0.0.1:2121
Either that, or frox itself is having issues. Any ideas? While I'm at it,
is there an alternative to frox?
Re: [gentoo-user] Frox iptables ftp proxy
From: Daniel Iliev @ 2009-05-03 14:26 UTC
To: gentoo-user
On Sun, 19 Apr 2009 14:02:38 -0400
"D.H." <derrickdb1@comcast.net> wrote:
> I'd like to set up an ftp proxy on my home firewall so I can scan for
> viruses using clamd. I found frox, which looks like it will do what
> I want. I've pretty much used the default install, which makes frox
> listen on 127.0.0.1:2121. But I'm not sure the firewall rules are
> working right.
>
> eth1 is the internal interface
>
> iptables -A FORWARD -p tcp -i eth1 --destination-port 2121 \
> --destination 127.0.0.1 -j ACCEPT
>
> iptables -t nat -A PREROUTING -p tcp -i eth1 --destination-port 21 \
> -j DNAT --to-destination 127.0.0.1:2121
>
> Either that, or frox itself is having issues. Any ideas? While I'm
> at it, is there an alternative to frox?
Hi,
I believe this scheme won't work because the "DNAT" target rewrites the
destination address in the IP packet headers. Therefore what frox
receives is a sequence of packets with destination set to its own
address. Try using the "REDIRECT" target, which is supposed to rewrite
the port fields only.
--
Best regards,
Daniel
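The rule set the reply is pointing at, as an added example that is not code from the thread or from the frox project. It takes the poster's values (internal interface eth1, frox on port 2121) and assumes a hypothetical external interface eth0; all three can be overridden in the environment. Two details explain why the original rules could not work: a packet whose destination has been rewritten to this host is delivered locally and so traverses filter/INPUT, never FORWARD, so the posted FORWARD rule never matches; and the kernel treats a DNAT to 127.0.0.1 arriving on a non-loopback interface as a martian and drops it (a route_localnet sysctl to allow that only appeared in Linux 3.6, years after this thread). REDIRECT sidesteps both by rewriting the destination to the primary address of the interface the packet arrived on, which means frox has to listen on that address (or on 0.0.0.0) rather than on the 127.0.0.1 of the default install. The `-i eth1` match matters for the same reason it did in the original: without it, FTP connections arriving on the WAN side would be redirected into the proxy as well.

```shell
#!/bin/sh
# Added example, not code from the thread or from frox: transparent FTP
# interception for frox using REDIRECT instead of DNAT to 127.0.0.1.
#
# Assumed (hypothetical) values: LAN side eth1, WAN side eth0, frox on 2121.
# Override them in the environment, e.g.  LAN_IF=br0 ./frox-rules.sh print
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
FROX_PORT="${FROX_PORT:-2121}"

# Emit the rule set, one iptables command per line, without applying it.
frox_rules() {
    # nat/PREROUTING: swap only the port and keep the client's intended
    # server address, which a transparent proxy recovers later with
    # getsockopt(SO_ORIGINAL_DST). REDIRECT sets the destination IP to the
    # primary address of the incoming interface, so frox must listen on
    # that address (or 0.0.0.0), not on 127.0.0.1 as in the default install.
    printf '%s\n' "$IPT -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 21 -j REDIRECT --to-ports $FROX_PORT"
    # The redirected packet is now addressed to this host, so it traverses
    # filter/INPUT, never FORWARD. Accept it only from the LAN interface.
    printf '%s\n' "$IPT -A INPUT -i $LAN_IF -p tcp --dport $FROX_PORT -j ACCEPT"
    # Keep the proxy port closed on the WAN side even if INPUT's policy is ACCEPT.
    printf '%s\n' "$IPT -A INPUT -i $WAN_IF -p tcp --dport $FROX_PORT -j DROP"
}

# The same rules with -A replaced by -C (iptables >= 1.4.11): each command
# exits 0 only if that exact rule is already present.
frox_check_cmds() {
    frox_rules | sed 's/ -A / -C /'
}

apply_frox_rules() { frox_rules | sh -e; }
check_frox_rules() { frox_check_cmds | sh -e 2>/dev/null; }

case "${1:-print}" in
    print) frox_rules ;;
    apply) apply_frox_rules ;;
    check) check_frox_rules && echo "frox rules present" ;;
    *) echo "usage: $0 {print|apply|check}" >&2; exit 2 ;;
esac
```

Run it with `print` to review the commands, `apply` as root to load them, and `check` afterwards to confirm all three rules are in place. To confirm traffic is actually being intercepted, watch the packet counters of the PREROUTING rule with `iptables -t nat -L PREROUTING -n -v` while a LAN client opens an FTP connection; if the counter stays at zero, the client is not on `$LAN_IF` or is not using port 21, and if it climbs but the connection hangs, frox is most likely still bound to 127.0.0.1.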