[squid-users] FTP : Squid sending private IP in PASV response

Amos Jeffries squid3 at treenet.co.nz
Sun Oct 23 12:32:26 UTC 2016


On 21/10/2016 10:02 p.m., Garri Djavadyan wrote:
> On Fri, 2016-10-21 at 08:27 +0000, Gael Ancelin wrote:
>> WAN_IP---[FW]-------localIP1-[SQUID]-localIP2------------localIP3-
>> [FTP_Server]
>>
>> I was expecting something like "227 Entering Passive Mode
>> (54,xx,xx,xx,213,249)." 
>> with public ip.
>> What I want is a response like (WAN_IP,port), but what I obtain is 
>> (localIP1,port) instead.
>>
>> Squid does not respond with the FTP server address, so I presume that
>> Squid understands enough of the FTP protocol to modify the response and
>> put its own IP address instead of the real FTP server's.
> 
> According to your scheme, FW is a DNAT device and it forwards packets
> destined to the FTP control channel port (21) on the public IP of FW to the
> private localIP1 of SQUID. In that scenario Squid doesn't even know that the
> client used WAN_IP to access the FTP service and therefore it can't use the
> public IP even if it wished to.
> 
> 
>> So I'm wondering if there is a way to force squid to respond with a
>> fixed IP address instead of its own local address.
> 
> Here http://www.squid-cache.org/Doc/config/ you can find all available
> options.

'accel' mode is a thing very specific to HTTP port 80 and 443.

The closest thing Squid has for FTP is 'intercept'. I am assuming that
mode works.

That brings us to the often repeated advice about NAT intercepted traffic:

 Destination NAT *MUST NOT* be performed on traffic from the client
before it reaches the Squid machine.

When you correct the DNAT to be happening on the Squid machine instead
of the FW, use the 'intercept' option on the ftp_port instead of 'accel'.
(I have not tried it myself, but AFAIK that should work for this scenario)

Amos
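A check for the symptom in the subject line, added here as an example and not code from the thread or from Squid: it parses a 227 reply the way a client outside the firewall sees it and flags a reply that advertises an RFC 1918 address (localIP1) instead of the expected WAN_IP. The sample replies and addresses (203.0.113.5 as a stand-in WAN_IP, 192.168.10.2 as localIP1) are constructed.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Checked explicitly rather than via IPv4Address.is_private, which also
# flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply: str):
    """Return (dotted address, port) advertised by a 227 reply, or None."""
    m = PASV_RE.search(reply.strip())
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # octet or port byte out of range: not a valid reply
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, expected_public: str) -> str:
    """Classify the address the client is told to use for the data channel.

    'private-leak': an RFC 1918 address (e.g. the proxy's localIP1) reached the client
    'unexpected':   a public address other than the WAN_IP the client used
    'ok':           the advertised address matches expected_public
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "unparsable"
    addr = ipaddress.ip_address(parsed[0])
    if any(addr in net for net in RFC1918):
        return "private-leak"
    if addr != ipaddress.ip_address(expected_public):
        return "unexpected"
    return "ok"


if __name__ == "__main__":
    WAN_IP = "203.0.113.5"  # constructed stand-in for the firewall's public address
    samples = [
        "227 Entering Passive Mode (192,168,10,2,213,249).",  # constructed: localIP1 leaked
        "227 Entering Passive Mode (203,0,113,5,213,249).",   # constructed: what the client should see
    ]
    for line in samples:
        print(check_pasv(line, WAN_IP), parse_pasv(line), line)
```

Run it against the 227 lines captured from a client outside the firewall; a 'private-leak' result confirms the DNAT is still happening in front of the Squid machine rather than on it.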
