
HOWTO : Setting up a transparent FTP proxy using frox

November 18, 2005 - 16 comments

Running a transparent FTP proxy is an easy way to control the FTP connections made by people on your network (using ACLs).
If you are already running Squid as a transparent (web) proxy, it cannot act as a transparent FTP proxy as well, so you have to use another tool for FTP proxying: frox will do the job.

Installation & compilation

Grab the latest version of frox at http://frox.sourceforge.net/
Compile the package the usual way.

The following files should be installed :

/etc/frox.conf
/usr/local/sbin/frox
/var/log/frox/frox-log
/var/run/frox.pid

/etc/frox.conf :
Listen 192.168.0.1
Port 2121
# BindToDevice depends on your config, it should be the LAN NIC
BindToDevice eth1
ResolvLoadHack wontresolve.doesntexist.abc
User nobody
Group nobody
WorkingDir /usr/local/bin
DontChroot Yes
LogLevel 20
LogFile /var/log/frox/frox-log
XferLogging yes
PidFile /var/run/frox.pid
BounceDefend yes
PassivePorts 49152-65534
MaxForks 10
MaxForksPerHost 4
### Allow rules first, deny rules next
# this will allow 192.168.0.2 to access ANY FTP server (internal AND external)
ACL Allow 192.168.0.2/255.255.255.255 - * 21
# this will allow 192.168.0.3 to access the ftp.belnet.be server
ACL Allow 192.168.0.3/255.255.255.255 - 193.190.198.20 21
# this will allow 192.168.0.4 to access the internal server
ACL Allow 192.168.0.4/255.255.255.255 - 192.168.0.1 21
# this will block anything else from the subnet
ACL Deny 192.168.254.0/255.255.255.0 - * 21
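To see what the ACL block above actually lets through, here is a small evaluator for frox-style ACL lines. This is an added example and not code from the howto or from frox itself; it assumes frox's rules are evaluated top to bottom with the first match deciding and an implicit deny when nothing matches, and it ignores the "-" field that the page carries in each rule.

```python
import ipaddress

# Constructed copy of the ACL lines from the howto's /etc/frox.conf.
ACL_CONF = """
### Allow rules first, deny rules next
ACL Allow 192.168.0.2/255.255.255.255 - * 21
ACL Allow 192.168.0.3/255.255.255.255 - 193.190.198.20 21
ACL Allow 192.168.0.4/255.255.255.255 - 192.168.0.1 21
ACL Deny 192.168.254.0/255.255.255.0 - * 21
"""


def _net(field):
    """'*' matches any address; otherwise a host, CIDR or dotted-netmask network."""
    return None if field == "*" else ipaddress.ip_network(field, strict=False)


def _ports(field):
    """'*' matches any port; otherwise a single port or a 'low-high' range."""
    if field == "*":
        return None
    lo, _, hi = field.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def parse_acls(text):
    """Return [(allow, src_net, dst_net, ports)] in file order; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 6 or fields[0].upper() != "ACL":
            continue
        _, action, src, _dash, dst, ports = fields  # the '-' field is ignored (assumption)
        rules.append((action.lower() == "allow", _net(src), _net(dst), _ports(ports)))
    return rules


def check(rules, client_ip, server_ip, port=21):
    """First matching rule decides (assumed frox behaviour); no match means deny."""
    client, server = ipaddress.ip_address(client_ip), ipaddress.ip_address(server_ip)
    for allow, src, dst, ports in rules:
        if ((src is None or client in src) and (dst is None or server in dst)
                and (ports is None or port in ports)):
            return allow
    return False


if __name__ == "__main__":
    rules = parse_acls(ACL_CONF)
    for c, s in [("192.168.0.2", "193.190.198.20"), ("192.168.0.3", "192.168.0.1"),
                 ("192.168.254.9", "193.190.198.20")]:
        print(c, "->", s, "allowed" if check(rules, c, s) else "denied")
```

Note that 192.168.0.3 reaching any server other than 193.190.198.20 matches no rule at all, so it is denied by the fall-through rather than by the explicit Deny line.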

Redhat/Fedora/CentOS init script

I made a pretty short init script to start frox as a service on Red Hat based machines.

Save the following script as /etc/init.d/frox (the shebang must be the very first line) :
#!/bin/bash
#
# Init file for frox (transparent ftp proxy)
#
# chkconfig: 345 96 50
# description: frox
FROX_BIN=/usr/local/sbin/frox
FROX_CONF=/etc/frox.conf
FROX_LOG=/var/log/frox/frox-log
FROX_PID=/var/run/frox.pid
case "$1" in
start)
    echo "Starting Frox..."
    # -f tells frox which config file to read
    "$FROX_BIN" -f "$FROX_CONF"
    ;;
stop)
    echo "Stopping Frox..."
    # the pid file is written by frox (PidFile in frox.conf)
    if [ -f "$FROX_PID" ]; then
        kill "$(cat "$FROX_PID")"
        rm -f "$FROX_PID"
    else
        echo "Frox not running"
    fi
    ;;
restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;
*)
    echo "Usage: $0 { start | stop | restart }"
    exit 1
    ;;
esac
exit 0

Type :
chmod +x /etc/init.d/frox
chkconfig --add frox
service frox start

Frox should start.

Iptables configuration

Add the following line to /etc/sysconfig/iptables in the nat table section.
Anyone on 192.168.0.0/24 connecting to TCP port 21 will be transparently redirected to frox on port 2121, which will then allow or deny the connection according to the ACLs :
-A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 2121

Type : service iptables restart

Test your configuration

Telnet into your frox server and check the logs using :
tail -f /var/log/frox/frox-log

If you want to lock down iptables, you'll run into problems : see http://www.wains.be/?p=81

Comments

prabir chakraborty

February 8, 2006 - 16:16

I am using Fedora Core 1.
frox compiled, but I have not found frox.conf anywhere on the machine.

wains.be - Sébastien Wains homepage » Issues with Iptables and frox (ftp transparent proxy)

May 3, 2006 - 14:30

[...] If you set up a transparent ftp proxy using frox (as described here : http://www.wains.be/?p=46) along with iptables on your Linux gateway, you’ll probably stumble upon some issues… [...]

ilayaraja

April 22, 2008 - 14:41

Hi, I have configured frox on my CentOS 5 box. I am using FileZilla and CuteFTP as FTP clients. Can you please tell me the proxy settings for those client programs?

Sébastien Wains

April 22, 2008 - 20:24

The proxy is transparent, so you don’t need to set up anything particular in the client.

If you have trouble connecting to an FTP server, you may need to enable an FTP connection tracker for the port used by frox (see http://www.wains.be/index.php/2006/05/03/issues-with-iptables-and-frox-ftp-transparent-proxy/)

John Shaw-Miller

May 8, 2008 - 14:52

Hi Sebastian,

I have followed all the directions for frox, but I STILL cannot get it to work transparently. Non-transparent connections work. I have followed both this article and the iptables hack, still nothing. Any additional pointers?

Sébastien Wains

May 8, 2008 - 19:46

Someone reported to me 2 days ago that the howto was working except when connections are made by a web browser. Apparently there’s something wrong in your config?

John Shaw-Miller

May 8, 2008 - 21:51

Ah … I didn't see the web browser bit, that's part of the solution I need. I may have to look for other ways, or leave the solution with non-transparent (which is working perfectly – thanks).

ilham

June 18, 2008 - 8:59

I have installed frox on Red Hat Enterprise 3, but when I start it the frox.log is :
ERROR: “bind: Cannot assign requested address” at line 56 of misc.c
Wed Jun 18 12:58:07 2008 frox[20536] Chrooted to /var/lib/frox
What does this mean, and how can I resolve the problem?

Thanks

Sébastien Wains

June 18, 2008 - 20:42

You should check the network configuration and frox config. I’m sure it is trying to bind to a non-existent interface, or the IP address or port is already in use.

.:thavinci:.

November 19, 2008 - 14:44

Frox doesn't work anymore…

A few years ago I noticed the issues: frox was configured correctly, however it broke FTP comms for many clients.

Eventually it wasn't supported by IE or Firefox, only wget still worked.

Looking for a replacement…

.:thavinci:.

November 19, 2008 - 14:47

Sébastien Wains: had a suggestion that I haven't tried….

However I'm not using Linux… Using FreeBSD

Kris

March 28, 2009 - 10:47

Hi,

Thanks for this howto!

But I’m having the same problem as some others. Via a terminal I can connect and get a listing on an FTP server. When I try it via a browser or FileZilla, the connection gets established, but the listing fails.

Any idea what is going wrong? I have installed this on a Ubuntu 8.04 server edition.

Thanks!
Kris

Sebastien Wains

March 28, 2009 - 18:14

This post is a bit outdated.. I’ll test again on my test server and will let you know..

Kris

March 29, 2009 - 21:17

Hi,

That would be great!
Thanks!

Kris

mredloft

September 4, 2009 - 8:08

I tried frox on 3 different servers, each running RHEL. I succeeded only on one server with kernel 2.6.x; the other two have kernel 2.4.x and 2.6.x. From the frox log file, the error messages are :
[from 2.4.x] : Local caching not compiled in
closing session

[from 2.6.x] : unable to inint local cache
closing session

Failed to chroot
unable to make cache dir /var/cache/frox/frox.pid/cache
closing session

Here is how I did it :
I.
root# ./configure --enable-http-cache --enable-local-cache --enable-configfile=/etc/frox.conf
root# make
root# make install

II. I didn't find frox.conf anywhere other than the initial directory where I extracted frox,
so I copied it from that dir (/root/Desktop/frox-0.7.18/src/frox.conf) to /etc/

III. Here is how I created the frox user and cache

root# mkdir -p /var/cache/frox
root# groupadd frox
root# useradd -g frox -d /var/cache/frox -s /bin/false frox
root# chown frox:frox /var/cache/frox
root# chmod 700 /var/cache/frox

config file
Port 2121
ResolvLoadHack wontresolve.doesntexist.abc
User frox
Group frox
WorkingDir /var/cache/frox
DontChroot Yes
LogLevel 20
LogFile /var/log/frox.log
PidFile /var/cache/frox/frox.pid
BounceDefend yes
CacheModule local
CacheSize 400
CacheAll no
DoNTP yes
MaxForks 60
MaxForksPerHost 4
ACL Allow * - *

Then I run /usr/local/sbin/frox, but I am unable to connect from the client, and I get the messages above. The same procedure was done on the first machine, where it was working.
What might be the problem please…

Denis

June 3, 2010 - 14:52

If you use frox transparently with FileZilla, you will likely get errors because frox rewrites PASV/PORT. It will refuse a passive response for an address on the same LAN. I’m getting this message: “Server sent passive reply with unroutable address. Using server address instead.” I’d be glad if someone has a solution for this.
I suppose the best way is to force the client to use an active connection and rewrite that to PASV on the frox side.
