We run a virtualization server on a server in a datacenter (for example Proxmox VE), we only have 1 public IP available.
We run web servers on 2 different virtual machines inside that VM host. We want both web servers to be accessible through the public IP on port 80.

We will use the Squid Proxy to act as a “reverse proxy” (http://en.wikipedia.org/wiki/Reverse_proxy).
Squid will relay the requests to the destination depending on the hostname requested.

The machines :

Virtualization server (VM host)/Squid server : Public IP 10.20.30.40 – bridged LAN IP 172.16.5.97/255.255.0.0
VM1 : bridged LAN IP 172.16.100.25/255.255.0.0 – Hostname example.org
VM2 : bridged LAN IP 172.16.100.122/255.255.0.0 – Hostname example.net

On your client computer (optional if you already have domains) :

Edit /etc/hosts and add :

10.20.30.40 example.org
10.20.30.40 example.net

On VM1 and VM2 :

apt-get install lighttpd (or whatever web server you like)

Edit /var/www/index.ligtthpd.html and replace the content of the file by “VM1″ on VM1 and “VM2″ on VM2.

On the VM host :

If Apache listens on port tcp/80, disable it by editing /etc/apache2/ports.conf and removing or commenting “Listen 80″.

Install Squid :

apt-get install squid

Edit /etc/squid/squid.conf and find the http_port section, and add “http_port 80 vhost vport” :

http_port 3128
http_port 80 vhost vport

Then add the following section :

cache_peer 172.16.100.25 parent 80 0 no-query originserver name=server1
cache_peer_domain server1 example.org
cache_peer 172.16.100.122 parent 80 0 no-query originserver name=server2
cache_peer_domain server2 example.net

And then add the following ACL for our domains :

acl valid_domains dstdomain .example.org
acl valid_domains dstdomain .example.net

Allow requests to our domains by adding “http_access allow valid_domains” just before the “deny all” rule (at the end of ACL’s) :

http_access allow valid_domains
http_access deny all

Restart Squid :

/etc/init.d/squid restart

Back on your computer :

Make a request on example.net or .org, you should either see VM1 or VM2 displayed in your browser depending on the hostname requested.

The following options required for transparent proxy are no longer available under Squid 2.6 :

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

The new option under Squid 2.6 is the much simpler :

http_port 8080 transparent

You just need to append “transparent” to the http_port option line.

If you upgrade to Squid 2.6 and don’t update your config file you should get the following in the logs :

messages:Oct 27 13:02:08 x squid: parseConfigFile: line 51 unrecognized: 'httpd_accel_host virtual'
messages:Oct 27 13:02:08 x squid: parseConfigFile: line 52 unrecognized: 'httpd_accel_port 80'
messages:Oct 27 13:02:08 x squid: parseConfigFile: line 53 unrecognized: 'httpd_accel_with_proxy on'
messages:Oct 27 13:02:08 x squid: parseConfigFile: line 54 unrecognized: 'httpd_accel_uses_host_header on'

socket: (13) Permission denied

while trying to connect to the cache manager of Squid using cachemgr.cgi, it probably means SElinux is enabled and is preventing cgi files from making TCP connections.

Quick and dirty fix : disabling SElinux

Edit /etc/sysconfig/selinux

Change the value SELINUX to “disabled”

Clean fix : make a rule in SElinux to allow the connection

I don’t know much about SElinux yet, so if someone feels like pointing me to the right direction or submitting something, it is welcomed

/etc/squid/squid.conf :

### We want to block IE, but some sites (grr) are only working under IE
### so we put up a list of safe URL for Internet Explorer in the following file
acl safe_url_for_IE            url_regex -i            "/etc/squid/ACL/safe_url"

### The ACL for the IE user-agent
acl internet_explorer browser MSIE

### The world
acl all         src 0.0.0.0/0.0.0.0

### Our network
acl intranet        src 192.168.1.0/24

### Let's say we still want a machine in the network to use IE
### (like a guest users not having an alternative web browser installed)
### I'm personally allowing IE for the dynamic DHCP clients at work
acl ie_allowed       src 192.168.1.100/32

### First, we are allowing the IE-machine here
http_access allow ie_allowed internet_explorer

### Secondly, we are denying Internet Explorer,
### except for the "safe URL" list that is still allowed.
http_access deny internet_explorer !safe_url_for_IE

### Now, after the restrictions, we are allowing our network.
http_access allow intranet

### And finally blocking the rest of the world.
http_access deny all

The safe URL ACL file (/etc/squid/ACL/safe_url) looks like this :

http://.*\.site1.be/.*

http://.*\.site3.be/.*

If you have any useful tips or rules, please share !

We will use these tools : Squid + ClamAV + a patched version of DansGuardian

The clamav packages provided are now outdated, I’m going to build an updated version as soon as I can

Squid : www.squid-cache.org
ClamAV : www.clamav.net
DansGuardian : dansguardian.org
DansGuardian Antivirus plugin : http://www.harvest.com.br/asp/afn/dg.nsf

You can download squid from the default CentOS repository.
I’ll consider you already have a functional squid server.

The requirements for squid are :
- it should listen on port 3128
- it should only allow requests from localhost

/etc/squid/squid.conf :
http_port 3128
acl localhost src 127.0.0.0/255.0.0.0
http_access allow localhost
http_access deny all

Install DansGuardian with the antivirus plugin from SecurityTeam.us repo :

Install the SecurityTeamUS repo :
rpm -ihv http://repo.securityteam.us/repository/redhat/securityteamus-repo-latest.rpm

Install DansGuardian-av and its dependencies (included on SecurityTeamUS) :

yum install dansguardian-av

Output :
Setting up Install Process
Setting up repositories
SecurityTeamUS 100% |=========================| 951 B 00:00
Reading repository metadata in from local files
primary.xml.gz 100% |=========================| 30 kB 00:00
SecurityTe: ################################################## 68/68
Added 68 new packages, deleted 0 old in 0.88 seconds
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for dansguardian-av to pack into transaction set.
dansguardian-av-2.8.0.6-1 100% |=========================| 24 kB 00:00
---> Package dansguardian-av.i386 0:2.8.0.6-1 set to be updated
--> Running transaction check
--> Processing Dependency: libclamav.so.1 for package: dansguardian-av
--> Processing Dependency: clamd for package: dansguardian-av
--> Processing Dependency: libesmtp.so.5 for package: dansguardian-av
--> Processing Dependency: libesmtp for package: dansguardian-av
--> Processing Dependency: clamav for package: dansguardian-av
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for libesmtp to pack into transaction set.
libesmtp-0.8.12-1.i386.rp 100% |=========================| 4.9 kB 00:00
---> Package libesmtp.i386 0:0.8.12-1 set to be updated
---> Downloading header for clamd to pack into transaction set.
clamd-0.88.7-1.i386.rpm 100% |=========================| 4.7 kB 00:00
---> Package clamd.i386 0:0.88.7-1 set to be updated
---> Downloading header for clamav to pack into transaction set.
clamav-0.88.7-1.i386.rpm 100% |=========================| 7.4 kB 00:00
---> Package clamav.i386 0:0.88.7-1 set to be updated
--> Running transaction check
--> Processing Dependency: clamav-db = 0.88.7-1 for package: clamav
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for clamav-db to pack into transaction set.
clamav-db-0.88.7-1.i386.r 100% |=========================| 2.6 kB 00:00
---> Package clamav-db.i386 0:0.88.7-1 set to be updated
--> Running transaction check
.
Dependencies Resolved
.
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
dansguardian-av i386 2.8.0.6-1 SecurityTeamUS 309 k
Installing for dependencies:
clamav i386 0.88.7-1 SecurityTeamUS 944 k
clamav-db i386 0.88.7-1 SecurityTeamUS 7.3 M
clamd i386 0.88.7-1 SecurityTeamUS 64 k
libesmtp i386 0.8.12-1 SecurityTeamUS 176 k
.
Transaction Summary
=============================================================================
Install 5 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 8.8 M
Is this ok [y/N]: y
.
Start ClamAV daemon :
service clamd start

By default, clamd should listen on 127.0.0.1:3310

Set up DansGuardian-av this way :
reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
language = 'ukenglish'
loglevel = 3
logexceptionhits = on
logfileformat = 1
loglocation = '/var/log/dansguardian/access.log'
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
nonstandarddelimiter = on
usecustombannedimage = 1
custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
showweightedfound = on
weightedphrasemode = 0
urlcachenumber = 3000
urlcacheage = 900
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = 0
forcequicksearch = 0
reverseaddresslookups = off
reverseclientiplookups = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
usernameidmethodproxyauth = on
usernameidmethodident = off
preemptivebanning = on
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
pidfilename = '/var/run/dansguardian.pid'
nodaemon = off
nologger = off
daemonuser = 'nobody'
daemongroup = 'nobody'
softrestart = off
virusscan = on
virusengine = 'clamav'
tricklelength = 32768
forkscanlength = 32768
firsttrickledelay = 10
followingtrickledelay = 10
maxcontentscansize = 41904304
virusscanexceptions = on
urlcachecleanonly = on
virusscannertimeout = 60
notify = 2 # will notify the admin only
emaildomain = 'domain.be'
postmaster = 'admin@domain.be'
emailserver = '127.0.0.1:25'
downloaddir = '/tmp/dgvirus'
clmaxfiles = 1500
clmaxreclevel = 3
clmaxfilesize = 10485760
clblockencryptedarchives = off
cldetectbroken = off
clamdsocket = '127.0.0.1:3310'

This is my configuration, please review it to match your needs

Make sure dansguardian will start at boot :
chkconfig dansguardian on

Start DansGuardian :
service dansguardian start

Now, you can set up your browser preference to use the antivirus web proxy (IP:8080)

If you want to set dansguardian as a transparent proxy :
1. Edit /etc/squid/squid.conf and add :
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

2. Type this at the command prompt (where your local subnet is 10.0.0.0/24 and your LAN interface is eth0) :
iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080

3. Save your iptables configuration, type :
iptables-save > /etc/sysconfig/iptables

Squid logs can be tailed here :
tail -f /var/log/squid/access.log

DansGuardian logs can be tailed here :
tail -f /var/log/dansguardian/access.log

Squid 2.5 and earlier :

Edit /etc/squid/squid.conf and add this :

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

To enable the transparent proxying, type this :

iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

“-s 192.168.1.0/24″ is optional but needed if you run a webserver on the squid machine. The web visitor request would be piped in squid without it.

Squid 2.6 and later :

http://www.wains.be/index.php/2007/10/27/squid-26-transparent-proxy/

See below how to enable queries logging..

Add this to /etc/squid/squid.conf

strip_query_terms off

As a result, you’d get this in the logs :
1166463218.353 1285 192.168.1.10 TCP_MISS/200 6429 GET http://www.google.com/search?hl=en&q=s%C3%A9bastien+wains&btnG=Google+Search - DIRECT/64.233.161.104 text/html

Instead of this :

1166463218.353 1285 192.168.1.10 TCP_MISS/200 6429 GET http://www.google.com - DIRECT/64.233.161.104 text/html

This is my iptables config stored under /etc/sysconfig/iptables :
(eth0 = WAN interface, eth1 = LAN interface)

You’ll notice 192.168.1.16 is allowed to connect to any services

You’ll also notice that the default stance for output traffic is ACCEPT.
You can of course set it to DROP and only accept what you specifically define.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Basic protections against syn floods and other stuff
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Block MSN
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j DROP
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 1863 -j LOG --log-prefix "MESSENGER MSN > "
-I FORWARD -s 192.168.1.16 -p tcp -m tcp --dport 1863 -j ACCEPT

# Block AIM/ICQ
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j LOG --log-prefix "MESSENGER ICQ/AIM > "
-I FORWARD -s 192.168.1.16 -d 64.12.25.0/22 -j ACCEPT

# Block Yahoo IM
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j LOG --log-prefix "MESSENGER YIM > "
-I FORWARD -s 192.168.1.16 -d 216.155.193.0/22 -j ACCEPT

# Allowing anything else
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

As soon as the MSN client is not able to connect to the server on port tcp 1863, it’ll try to connect using port tcp 80, which is probably allowed :

Web activity upon connection :
1.10 gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com
1.10 207.46.25.15/gateway/gateway.dll?SessionID=1047611159.2422
1.10 207.46.25.15/gateway/gateway.dll?SessionID=1047611159.1885
1.10 207.46.25.15/gateway/gateway.dll?Action=poll&SessionID=1047611159.24447
1.10 207.46.25.15/gateway/gateway.dll?SessionID=1047611159.7573

2. More firewall rules or Squid web proxy

Now you have two choices :

- making an ACL blocking the microsoft IP ranges… if new ranges are made available, MSN clients would be able to connect again.. this is not an ideal stance, unless you enjoy tracking the IP of MSN servers.

- blocking Internet Explorer (and MSN which uses the Internet Explorer engine) in your web proxy : you’ll need to run a transparent web proxy (Squid does the job pretty well) to block Internet Explorer, so MSN won’t be able to connect to port 80… See here for a short howto

Of course, you’d need something like Firefox installed on your client PC’s if you decide to block IE… you can always make an ACL in Squid allowing safe websites under Internet Explorer… This is not a bad stance as IE is known to have many unfixed security flaws.

Edit june 2007 : I'm blocking the Internet Explorer User Agent which apparently blocks the MSN client as well, but I noticed this page mentions the user agent for MSN is "MSMSGS". Please let me know if the described solution does not work for you.

I’ve not put much efforts into blocking AIM/ICQ/YIM since 99 % of people use MSN in Belgium
The MSN blocking is working well for me, I’m not sure about the other IM’s (the IP ranges can change from times to times)

3. Additional notes

It is reported at many places that the following squid rules are working.. I have tried them and they do NOT work for me.. If they do for you, let me know
acl mi_intranet src 192.168.1.0/255.255.255.0
acl msn req_mime_type -i ^application/x-msn-messenger
http_access deny mi_intranet msn
http_access allow mi_intranet

This is a working Squid ACL blocking a bunch of web messenger :
http://.*e-messenger.net/.*

http://chatenabled.mail.google.com/.*

OK, let’s calm down, this needs a bit of explanation before proceeding.

ISP’s usually block port 25 :
Unlike many ISP’s, mine doesn’t ! They still allow customers to send emails directly through and to any SMTP servers (tcp/25).

The goal in blocking port 25 is to block viruses from spreading around by sending emails using their own SMTP daemon.
At work, by just reading our email server logs, I know which ISP’s aren’t blocking port TCP/25 (damn Wanadoo and Road Runner).

If your ISP blocks port TCP/25, you need to send emails through their own (usually overwhelmed) SMTP server.

Worst case scenario :
Let’s say someone breaks into my wireless network with a linux laptop (pretty unlikely with WPA2 security but who knows ), the attacker would be able to send as much spam as one would like using a local sendmail or postfix server.

To fill that breach, we need to block port tcp/25 for wireless clients.

The iptables answer :

Basically my linux gateway does this :

eth0 --- WAN
eth1 --- LAN (192.168.1.0/24)
eth2 --- WLAN (192.168.2.0/24)

Iptables default filter stance :
INPUT DROP
FORWARD DROP
OUTPUT ACCEPT

The rules to add to the gateway (must come first before any other FORWARD rule) :
iptables -A FORWARD -i eth2 -o eth0 -p tcp -m tcp --destination-port 25 -j DROP
iptables -A FORWARD -i eth0 -o eth2 -p tcp -m tcp --source-port 25 -j DROP

If you want to still allow access to a specific server (your ISP ?), you’d just need to do this :
iptables -A FORWARD -i eth2 -o eth0 -p tcp -m tcp -d ! ALLOWED_IP --destination-port 25 -j DROP
iptables -A FORWARD -i eth0 -o eth2 -p tcp -m tcp -s ! ALLOWED_IP --source-port 25 -j DROP

Personally, I filter MAC addresses and only allow one IP for wifi under iptables :
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --destination-port 25 -j DROP
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --source-port 25 -j DROP
-A FORWARD -i eth2 -o eth0 -s 192.168.2.xx -m mac --mac-source 00:02:2D:xx:xx:xx -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -s 192.168.2.xx -m mac --mac-source 00:06:25:xx:xx:xx -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -d 192.168.2.xx -m state --state ESTABLISHED,RELATED -j ACCEPT

For MAC filtering to be really useful, you should run arpwatch along which would send you an alert if the system finds out weird activity going on with MAC addresses : http://ee.lbl.gov/

As a security measure, you would also prohibit access to the linux gateway SMTP server (and trying to set it up properly as well) :
iptables -A INPUT -i eth2 -p tcp -m tcp --dport 25 -j DROP

Blocking port 25 data forward under a wired business network could be useful, it could block potential viruses on client machines (who said PC’s running Windows ?) from sending emails out, you can even log the illegal activity on port 25 so you can detect any virus presence on the network.

To enable activity logging, use this ruleset :
-A FORWARD -i eth2 -o eth0 -p tcp -m tcp --destination-port 25 -j DROP
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --source-port 25 -j LOG --log-prefix "Illegal port 25 > "
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --source-port 25 -j DROP

Log output :
May 11 11:29:51 localhost kernel: Illegal port 25 > IN=eth2 OUT=eth0 SRC=192.168.2.xx DST=195.238.5.128 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29159 DF PROTO=TCP SPT=53827 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May 11 11:30:10 localhost kernel: Illegal port 25 > IN=eth2 OUT=eth0 SRC=192.168.2.xx DST=195.238.5.128 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41524 DF PROTO=TCP SPT=53829 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May 11 11:30:13 localhost kernel: Illegal port 25 > IN=eth2 OUT=eth0 SRC=192.168.2.xx DST=195.238.5.128 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41526 DF PROTO=TCP SPT=53829 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

If you want to generate a daily report of port 25 (ab)use, this is a quick bash script :

#!/bin/sh
DATE="$(date --date "1 day ago" +"%b %e")"
echo "Illegal traffic accross the network"
echo "Date : $DATE"
echo "==========================================="
echo " "
echo "Port 25 (virus, local smtp server,...)"
/bin/cat /var/log/messages | grep "Illegal port 25" | grep "${DATE}" | \
awk '{print $1" "$2" "$3" > "$12" - "$13}'
echo " "

The report looks like this :

Illegal traffic accross the network
Date : May 11
===========================================

Port 25 (virus, local smtp server,...)
May 11 11:29:51 > SRC=192.168.254.xx - DST=195.238.5.128
May 11 11:30:10 > SRC=192.168.254.xx - DST=195.238.5.128
May 11 11:30:13 > SRC=192.168.254.xx - DST=195.238.5.128

As a security measure, please consider switching your wireless network to WPA or WPA2.
Indeed, it is so easy to crack a WEP network and circumvent MAC filters and absence of a DHCP server.

Setting up a transparent web proxy can also help finding out weird activity coming from computers on the network. Some viruses attempt to download stuff from the web at specific time of the day. That’s how I noticed one computer on a network was always trying to access some weird site, every night at 3am.

For that matter, I recommend using Squid + DansGuardian + ClamAV :
http://www.wains.be/index.php/2006/12/18/transparent-squid/
http://www.wains.be/index.php/2006/12/19/centosrhelfedora-web-proxy-antivirus-clamav/

I hope you’ll find this guide useful.

Installation & compilation

Grab the latest version of Frox at http://frox.sourceforge.net/
Compile the package the usual way..

The following files should be installed :

/etc/frox.conf
/usr/local/sbin/frox
/var/log/frox/frox-log
/var/run/frox.pid

/etc/frox.conf :
Listen 192.168.0.1
Port 2121
BindToDevice eth1 < -- depends on your config, should be the LAN NIC
ResolvLoadHack wontresolve.doesntexist.abc
User nobody
Group nobody
WorkingDir /usr/local/bin
DontChroot Yes
LogLevel 20
LogFile /var/log/frox/frox-log
XferLogging yes
PidFile /var/run/frox.pid
BounceDefend yes
PassivePorts 49152-65534
MaxForks 10
MaxForksPerHost 4
### Allow rules first, deny rules next
ACL Allow 192.168.0.2/255.255.255.255 - * 21 <-- this will allow 192.168.0.2 to access ANY FTP server (internal AND external)
ACL Allow 192.168.0.3/255.255.255.255 - 193.190.198.20 21 <-- this will allow 192.168.0.3 to access ftp.belnet.be server
ACL Allow 192.168.0.4/255.255.255.255 - 192.168.0.1 21 <-- this will allow 192.168.0.4 to access the internal server
ACL Deny 192.168.254.0/255.255.255.0 - * 21 <-- this will block anything else from the subdomain

Redhat/Fedora/CentOS init script

I made a pretty short init script to start frox as a service on RedHat based machines

Save the following script under /etc/init.d/frox :
### /etc/init.d/frox ###
#!/bin/bash
#
# Init file for frox (transparent ftp proxy)
#
# chkconfig: 345 96 50
# description: frox
FROX_BIN=/usr/local/sbin/frox
FROX_CONF=/etc/frox.conf
FROX_LOG=/var/log/frox/frox-log
FROX_PID=/var/run/frox.pid
case "$1" in
'start')
echo "Starting Frox...";
$FROX_BIN -f $FROX_CONF
;;
'stop')
echo "Stopping Frox...";
if [ -f $FROX_PID ]; then
kill `cat $FROX_PID`
rm $FROX_PID
else
echo "Frox not running";
fi
;;
'help')
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
exit 0
### EOF ###

Type :
chkconfig --add /etc/init.d/frox
service frox start

Frox should start

Iptables configuration

Add the following line to /etc/sysconfig/iptables under NAT section
Anyone under 192.168.0.0/24 trying to access port 21 will be transparently redirected to frox, which will allow or deny the connection
-A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 2121

Type : service iptables restart

Test your configuration

Telnet into your frox server and check out the logs using :
tail -f /var/log/frox/frox-log

If you want to lock down iptables, you'll run into problems : see http://www.wains.be/?p=81