Anyone? Is it a bug, or should something be tuned? I've specified 'ftp_port 2121 
intercept' and made squid intercept outgoing FTP traffic according to the 
following rules:

iptables -t nat -A OUTPUT -p tcp -m owner --gid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 21 -j REDIRECT --to-port 2121


07.02.2017, 16:23, "Alex" <go...@yandex.ru>:
>   Hello.
>
>   Recently I gave FTP relay a try and it seems that it doesn't work out of 
> the box :(
>   I've seen a topic regarding passive mode (when squid puts real server's IP 
> into 'Entering passive mode' message), however, I've solved this by writing a 
> kernel module with custom netfilter hooks (the module intercepts squid's 
> reply, gets IP and port and marks corresponding incoming connection, so it's 
> possible to write a REDIRECT rule).
>   I thought that active mode would cause fewer problems, but it seems that what 
> squid tries to do is illegal. As far as I understand, in active mode squid 
> tries to connect to a client and spoofs the source IP address. But it simply does 
> not work: even if bind() succeeds after setting the 'ip_nonlocal_bind' sysctl to 
> 1, the connect() call fails with EINVAL. According to 
> https://lkml.org/lkml/2001/6/7/17, such kernel behaviour is legit and squid 
> tries to do something nasty.
>
>   Here's the excerpt from squid's log (3.5.24 on CentOS 6.5 with 4.x kernel):
>
> 2017/02/07 15:24:12.262| 5,3| ConnOpener.cc(289) createFd: local=172.17.10.30 
> remote=172.17.11.31:56676 flags=9 will timeout in 60
> 2017/02/07 15:24:12.262| 5,9| comm.cc(602) comm_connect_addr: connecting 
> socket FD 16 to 172.17.11.31:56676 (want family: 2)
> 2017/02/07 15:24:12.262| 5,5| comm.cc(644) comm_connect_addr: sock=16, 
> addrinfo( flags=4, family=2, socktype=1, protocol=6, &addr=0x1bffc00, 
> addrlen=16 )
> 2017/02/07 15:24:12.262| 5,9| comm.cc(645) comm_connect_addr: connect FD 16: 
> (-1) (22) Invalid argument
> 2017/02/07 15:24:12.262| 14,9| comm.cc(646) comm_connect_addr: connecting to: 
> 172.17.11.31:56676
> 2017/02/07 15:24:12.262| 5,7| ConnOpener.cc(357) doConnect: 
> local=172.17.10.30 remote=172.17.11.31:56676 flags=9: failure #1 <= 0: (22) 
> Invalid argument
> 2017/02/07 15:24:12.262| 5,5| ConnOpener.cc(365) doConnect: 
> local=172.17.10.30 remote=172.17.11.31:56676 flags=9: * - ERR tried too many 
> times already.
> 2017/02/07 15:24:12.262| 17,3| AsyncCall.cc(93) ScheduleCall: 
> ConnOpener.cc(137) will call Ftp::Server::connectedForData(local=172.17.10.30 
> remote=172.17.11.31:56676 flags=9, errno=22, flag=-8, data=0x17d6188) [call95]
>
>   Any thoughts?
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users