[squid-users] FTP : Squid sending private IP in PASV response

Gael Ancelin gaela at ace-service.fr
Fri Oct 21 08:27:21 UTC 2016


Hello,

Thanks for your interest. 


As requested, here is my FTP-related configuration:

acl FTP proto FTP
http_access allow FTP
always_direct allow FTP
ftp_port 21 accel defaultsite=<real_server_ftp> protocol=FTP


------- On Squid itself ------
ftp> open 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 Service ready
Name (127.0.0.1:<local_user>): <ftp_user>
---> USER <ftp_user>
331 Please specify the password.
Password:
---> PASS XXXX
230 Login successful.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
---> PWD
257 "/"
ftp> ls
---> PASV
227 Entering Passive Mode (127,0,0,1,158,0).
---> LIST
150 Here comes the directory listing.
[...]
226 Transfer complete


------- From anywhere (including Squid itself) ------
ftp> open <dns name of the squid machine>
Connected to <dns name of the squid machine> (54.xx.xx.xx).
220 Service ready
Name (<dns name of the squid machine>:<local_user>): <ftp_user>
---> USER <ftp_user>
331 Please specify the password.
Password:
---> PASS XXXX
230 Login successful.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
---> PWD
257 "/"
ftp> cd scripts
---> CWD scripts
250 Directory successfully changed.
ftp> ls
---> PASV
227 Entering Passive Mode (172,31,xx,xx,213,249).



WAN_IP---[FW]-------localIP1-[SQUID]-localIP2------------localIP3-[FTP_Server]

I was expecting something like "227 Entering Passive Mode (54,xx,xx,xx,213,249)." 
with public ip.
What I want is a response like (WAN_IP,port), but what I obtain is 
(localIP1,port) instead.

Squid does not respond with the FTP server address, so I presume that Squid
understands enough of the FTP protocol to modify the response and put its own IP address
instead of the real FTP server's.
So I'm wondering if there is a way to force Squid to respond with a fixed IP
address instead of its own local address.




-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Garri Djavadyan
Sent: Friday 21 October 2016 07:15
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] FTP : Squid sending private IP in PASV response

On Thu, 2016-10-20 at 14:07 +0000, Gael Ancelin wrote:
> Hello,
>  
> I have searched in maillist archives but have not seen so far someone 
> with the same problem.
>  
> My Squid's objective is to forward FTP & HTTP requests to a distant 
> server.
>  
> Squid is running on CentOS 7.2.
> uname -r : 3.10.0-327.28.3.el7.x86_64
> squid -v : Version 3.5.20
>  
>  
> I don't have the choice to use anything but Squid, and I can't use 
> firewalling rules for forwarding directly ports.
>  
>  
> WAN_1stPublic_IP ----------------------------[FIREWALL_1] --- 
> --[FTP_SERVER]
>  
> WAN_2ndPublic_IP ---[FIREWALL_2]--[SQUID]-----[VPN]-----[FTP_SERVER]
>  
>  
> Here's my problem :
> When I'm connecting in FTP on the 2nd Public IP, everything is ok, but 
> when I want to switch to passive mode, Squid is sending its own 
> private IP instead of the 2nd public IP. So the connection timed out.
>  
>  
> ftp> open <WAN 2ndPublic IP>
> Connected to <WAN 2ndPublic IP> (<WAN 2ndPublic IP>).
> 220 Service ready
> Name (<WAN 2ndPublic IP>:<user>): <login>
> ---> USER <login>
> 331 Please specify the password.
> Password:
> ---> PASS XXXX
> 230 Login successful.
> ---> SYST
> 215 UNIX Type: L8
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> pwd
> ---> PWD
> 257 "/"
> ftp> ls
> ---> PASV
> 227 Entering Passive Mode (<SQUID Private IP>,<port>).
> ftp: connect: Connexion terminée par expiration du délai d'attente
>  
>  
> Is there a way to "force" Squid to resend his public IP ?
> I'm thinking of something like "pasv_address" option in vsftpd, but 
> for squid.
>  
> Gaël Ancelin

Hi,

Can you provide the configuration options related to FTP?
I can't reproduce the problem using the following method:

# diff etc/squid.conf.default etc/squid.conf
73a74,75
> 
> ftp_port 21

---

$ ftp 127.0.0.1
Connected to 127.0.0.1.
220 Service ready
Name (127.0.0.1:user): anonymous at mirror.yandex.ru
530 Must login first
530 Must login first
SSL not available
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (127,0,0,1,229,181).
150 Here comes the directory listing.
drwxr-xr-x   19 ftp      ftp          4096 Oct 21 05:00 altlinux ...
drwxr-xr-x   11 ftp      ftp          4096 Oct 21 03:16 ubuntu-releases
226 Transfer complete

---

The example showed that Squid returned the IP address of the interface facing the client, not the IP address of my interface facing the origin.

Garri
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
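The two sessions in this thread show the same symptom: the `227 Entering Passive Mode` reply advertises the address of the interface Squid uses to talk to the client, which is fine when the client is on the box itself (127.0.0.1) but leaks an RFC 1918 address (172.31.x.x) to a client that connected to the public 54.x.x.x address, so the data connection never opens. The following script is an added example, not code from the thread or from the Squid project: it parses a 227 reply (RFC 959, `h1,h2,h3,h4,p1,p2`, port = p1*256+p2) and flags the two things a defender checks when debugging this, whether the advertised address is private/loopback while the client came in over a public address, and whether it differs from the address the control connection was made to. The sample lines are constructed from the thread, with the `xx` placeholder octets replaced by made-up values (`54.0.0.1`, `172.31.0.2`).

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line):
    """Return (ip, port) advertised by a 227 reply, or None if the line is not a valid one."""
    m = PASV_RE.search(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    # Every field is one octet; anything above 255 is a malformed reply.
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_pasv(line, control_peer):
    """Compare the address advertised in a 227 reply with the address the client
    actually connected to (control_peer) and list the reasons the data
    connection is likely to fail. Returns None for non-227 lines."""
    parsed = parse_pasv(line)
    if parsed is None:
        return None
    ip, port = parsed
    advertised = ipaddress.ip_address(ip)
    peer = ipaddress.ip_address(control_peer)
    problems = []
    # Private or loopback address handed to a client that came in over a public
    # address: this is the thread's symptom, the client times out on the data port.
    if (advertised.is_private or advertised.is_loopback) and peer.is_global:
        problems.append("private/loopback address advertised to a remote client")
    # Even a public address that is not the one the client used can be unreachable
    # through NAT or firewall rules; vsftpd's pasv_address exists for this case.
    if advertised != peer:
        problems.append("advertised address differs from control-connection address")
    return {"ip": ip, "port": port, "problems": problems}


# Constructed from the two sessions in the thread; xx octets are invented values.
SAMPLE_SESSIONS = [
    ("127.0.0.1", "227 Entering Passive Mode (127,0,0,1,158,0)."),
    ("54.0.0.1", "227 Entering Passive Mode (172,31,0,2,213,249)."),
    ("54.0.0.1", "150 Here comes the directory listing."),
]


def audit(sessions):
    """Run check_pasv over (control_peer, reply_line) pairs, skipping non-227 lines."""
    findings = []
    for peer, line in sessions:
        result = check_pasv(line, peer)
        if result is not None:
            findings.append((peer, result))
    return findings


if __name__ == "__main__":
    for peer, result in audit(SAMPLE_SESSIONS):
        status = "OK" if not result["problems"] else "; ".join(result["problems"])
        print(f"client->{peer}  PASV {result['ip']}:{result['port']}  {status}")
```

Feeding the script the real control-connection address and the 227 line from a client-side `ftp -v` session tells you immediately whether you are looking at the address-selection problem described here or at something else (a firewall dropping the data port, for instance); an advertised address that equals the peer address but still times out points away from Squid and toward filtering between the client and that port.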