[squid-users] Native FTP relay - connection closes when FTP data connection is used (?)

Alexander goal81 at gmail.com
Wed Jan 18 19:07:13 UTC 2017


Hello, I have a question regarding a native FTP relay.

I have tried to test this feature like this:

[Filezilla Client, 1.1.1.2] <-----> [ Router: iptables + squid ] <-----> [vsftpd server, 5.5.5.10]

Firewall settings on the router are:

ip route flush table 100
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 21 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 2121
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128

No other rules are defined; the default policies in the chains are ACCEPT.

Squid's configuration file is attached.

With HTTP traffic everything works fine; however, FTP causes a problem.
A client successfully connects and authenticates, but when it tries to
execute LIST or RETR (when the data connection should be established),
Filezilla says "Connection closed by server". In squid's log I have
noticed some errors when establishing the data connection (?), like
"failed to connect FTP server data channel". The log is also attached.

What can be wrong with this setup?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cache2.log
Type: application/octet-stream
Size: 43809 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170118/cb529175/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: squid.conf
Type: application/octet-stream
Size: 1485 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170118/cb529175/attachment-0003.obj>