[squid-users] FTP : Squid sending private IP in PASV response

Garri Djavadyan garryd at comnet.uz
Fri Oct 21 05:15:28 UTC 2016


On Thu, 2016-10-20 at 14:07 +0000, Gael Ancelin wrote:
> Hello,
>  
> I have searched the mailing list archives but have not seen anyone with the same problem so far.
>  
> My Squid's objective is to forward FTP & HTTP requests to a distant server.
>  
> Squid is running on CentOS 7.2.
> uname -r : 3.10.0-327.28.3.el7.x86_64
> squid -v : Version 3.5.20
>  
>  
> I don't have the choice to use anything but Squid, and I can't use firewalling rules for forwarding ports directly.
>  
>  
> WAN_1stPublic_IP ----------------------------[FIREWALL_1]-----[FTP_SERVER]
>  
> WAN_2ndPublic_IP ---[FIREWALL_2]--[SQUID]-----[VPN]-----[FTP_SERVER]
>  
>  
> Here's my problem :
> When I'm connecting via FTP to the 2nd public IP, everything is OK, but when I want to switch to passive mode, Squid is sending its own private IP instead of the 2nd public IP. So the connection times out.
>  
>  
> ftp> open <WAN 2ndPublic IP>
> Connected to <WAN 2ndPublic IP> (<WAN 2ndPublic IP>).
> 220 Service ready
> Name (<WAN 2ndPublic IP>:<user>): <login>
> ---> USER <login>
> 331 Please specify the password.
> Password:
> ---> PASS XXXX
> 230 Login successful.
> ---> SYST
> 215 UNIX Type: L8
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> pwd
> ---> PWD
> 257 "/"
> ftp> ls
> ---> PASV
> 227 Entering Passive Mode (<SQUID Private IP>,<port>).
> ftp: connect: Connexion terminée par expiration du délai d'attente
>  
>  
> Is there a way to "force" Squid to resend its public IP?
> I'm thinking of something like the "pasv_address" option in vsftpd, but for Squid.
>  
> Gaël Ancelin

Hi,

Can you provide the configuration options related to FTP?
I can't reproduce the problem using the following method:

# diff etc/squid.conf.default etc/squid.conf
73a74,75
> 
> ftp_port 21

---

$ ftp 127.0.0.1
Connected to 127.0.0.1.
220 Service ready
Name (127.0.0.1:user): anonymous@mirror.yandex.ru
530 Must login first
530 Must login first
SSL not available
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (127,0,0,1,229,181).
150 Here comes the directory listing.
drwxr-xr-x   19 ftp      ftp          4096 Oct 21 05:00 altlinux
...
drwxr-xr-x   11 ftp      ftp          4096 Oct 21 03:16 ubuntu-releases
226 Transfer complete

---

The example showed that Squid returned the IP address of the interface
facing the client, not the IP address of my interface facing the
origin.

Garri
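Both transcripts above hinge on what address the FTP relay puts into its `227 Entering Passive Mode` reply. The following is an added example, not code from either poster or from Squid: a small checker that parses the 227 reply as defined in RFC 959 (six decimal fields `h1,h2,h3,h4,p1,p2`, port = `p1*256 + p2`) and compares the advertised address with the address the client's control connection is actually talking to. A relay that advertises a private (RFC 1918 / non-global) address to a client that connected to a public one is exactly the failure mode Gaël describes. The sample replies below are constructed; the first one is Garri's reply line from the thread.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Parentheses are optional in practice, so only the 227 code and the six
# comma-separated decimal fields are required.
PASV_RE = re.compile(
    r"^227\D*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it does not parse."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    # Each field is one octet; reject anything out of range.
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def check_pasv(reply, control_peer):
    """Classify a PASV reply against the address the client's control
    connection is talking to (control_peer, a dotted-quad string).

    Verdicts:
      "ok"                        advertised address equals the control peer
      "private-address-mismatch"  advertised address differs and is not
                                  globally routable (the symptom in the thread)
      "address-mismatch"          advertised address differs but is global
      "unparseable"               not a well-formed 227 reply
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "unparseable"
    ip, _port = parsed
    addr = ipaddress.ip_address(ip)
    peer = ipaddress.ip_address(control_peer)
    if addr == peer:
        return "ok"
    if not addr.is_global:
        return "private-address-mismatch"
    return "address-mismatch"


if __name__ == "__main__":
    # Garri's local test: client on 127.0.0.1, relay answers with 127.0.0.1.
    print(check_pasv("227 Entering Passive Mode (127,0,0,1,229,181).", "127.0.0.1"))
    # Constructed reproduction of Gaël's symptom: client connected to a public
    # address (TEST-NET, placeholder), relay advertises an RFC 1918 address.
    print(check_pasv("227 Entering Passive Mode (10,0,0,5,195,80).", "198.51.100.7"))
```

Running the check against a capture of the control channel (or against Squid's own FTP reply lines) tells you immediately whether the relay is rewriting the PASV tuple to the client-facing interface, as in Garri's test, or leaking an internal address, as in the original report.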
