Welcome to the transparent proxy configuration of
jftpgw FTP proxy 0.13.5
Last update: Sat Jun 5 21:55:29 CEST 2004
Joachim Wieland
What the heck is a transparent proxy?
A transparent proxy is a proxy that is tansparent :-), i.e. one the user does not notice. Thus the user does not have to configure his programs, the programs do not have to support a proxy and so on... A special service like http or in our example ftp is redirected to a port a proxy listens on. Then this proxy program manages the connection.
What do I need to setup jftpgw as a a transparent proxy server
  • jftpgw v0.0.10 or higher on the proxy machine
  • you must be root on the proxy machine
  • the kernel must support packet redirecting without rewriting the target address (CONFIG_IP_TRANSPARENT_PROXY=y for Linux 2.2, it is in the netfilter code in 2.4)
  • the client machine must route all IP traffic through the proxy machine
  • a regular FTP program to transfer the files

How to setup jftpgw's transparent proxy support with Linux
First, of course, compile jftpgw in the normal fashion. Make sure that the bindport option is not on the standard port 21 but on some other. As of version 0.12.0 you have to explicitly set the option transparent-proxy to on in the configuration file.

If you're using netfilter (Kernel 2.4) see the section on netfilter support of jftpgw on this page

Now, for ipchains become root and (I assume you're you run jftpgw on the port 2370) issue the following command:

ipchains -A input -d 0/0 ftp -p tcp -j REDIRECT 2370
That's it. Now the proxy machine intercepts the TCP packets that go to any host on the FTP port and forwards them to the port 2370 on the proxy machine. There, jftpgw looks at the real destination address and connects to the ftp server there. Please note: In order to prevent the proxy from looping, limit the connections from your local proxy machine to a low number in the configuration file (option limit) or don't even allow the proxy machine to connect to itself by putting access deny into the from tag that contains the name of the local machine.
Looping may occur because with the transparent mode, the proxy looks at incoming packets where they should go to and opens a connection there. But what if you log in to the proxy itself? It opens a connection to itself and to itself and to itself...
netfilter support of jftpgw
First, make sure jftpgw is compiled with support for netfilter. You can do this by calling it with the -v parameter:
	jftpgw v0.0.12pre  -  without sftp support  -  netfilter support enabled
If you see instead a line saying
	jftpgw v0.0.12pre  -  without sftp support  -  without netfilter support
watch the configure script for the following line:
	checking for linux/netfilter_ipv4.h... (cached) yes
If jftpgw cannot find this header, netfilter support cannot be included.

The redirection rule for iptables is pretty much the same as the one for ipchains. I assume that is your private network and jftpgw is listening on port 2370 on the interface of the router)

iptables -t nat -A PREROUTING -p tcp -s --dport 21 -j DNAT \
(this is actually one line, it is indicated by the backslash at the end of the first line)
How to setup jftpgw's transparent proxy support with NetBSD
This section is written by Ken'ichi Fukamachi (fukachan at fml.org) and describes how to use transparent jftpgw by ip filter on NetBSD. Please note that this only applies to jftpgw 0.13.x.

You need to configure NetBSD in the following way:

Suppose jftpgw waits for incoming ftp connection at 10021/tcp on localhost. You need to change these variables in jftpgw.conf.

	dropprivileges		loggedin
	transparent-proxy	on
where $INTERNAL_INTERFACE_ADDRESS is the ipv4 address for the internal interface, for example,

For the port redirection, please customize /etc/rc.conf and /etc/ipnat.conf.

Firstly, edit /etc/rc.conf to enable ipfilter and ipnat.

Secondly, add the rule for the ftp redirection into /etc/ipnat.conf.
rdr ep0 port 21 -> port 10021 tcp
where "ep0" is the internal interface name. Please see ipnat.conf(5) for more details of ipnat rules.

Lastly, run the following rc.d scripts to reset ipfilter and ipnat functions.

 # /etc/rc.d/ipfilter start
 # /etc/rc.d/ipnat start

Congratulations. You can get transparent ftp proxy.

How to setup jftpgw's transparent proxy support with FreeBSD
Thanks for this section go to Simas Cepaitis (simas at 5ci dot lt) and describes how to use transparent jftpgw by ipfw on FreeBSD. Please note that this only applies to jftpgw 0.13.x.

For FreeBSD, if you use ipfw, you must have compiled in IPFIREWALL_FORWARD option in the kernel.

options         IPFIREWALL
options         IPFIREWALL_FORWARD

Then add these two lines into your firewall config:

ipfw add allow tcp from me to any 21
me here is a keyword, which matches all server's outside interfaces. Or if there is only one outside interface, it should look like
ipfw add allow tcp from $SERVER_IP to any 21
This rule is here to prevent infinite loops, which would be created by the next rule, if first is not present:
ipfw add fwd,2370 tcp from any to any 21
Of course, it can be changed like (but I don't really use this, because I have few class C networks and I don't want to fill up my ipfw configuration with rules like this):
ipfw add fwd,2370 tcp from $CLIENTIP to any 21
By the way, these rules must be directly in this order for ipfw.

Furthermore you'll have to enable ipfw in rc.conf :-)


Congratulations. You can get transparent ftp proxy.

You need transparent proxy support but want to use another FTP proxy?
Since jftpgw 0.0.10 final there is a new option called "transparent-forward". With this option, jftpgw acts as a transparent proxy but does not handle the connection alone. Instead, it gets the source, the destination, the remote user and the remote password and then passes them to another FTP proxy where it logs on with remoteuser@remotesite.com and sends the read password as the password for the remote site.
<< Previous: How To Use Next: The configuration >>

Webpages created by Joachim Wieland © 2000-2004
Layout by Thomas Schultz © 2000