TCPPROXY

Section: User Commands (1)
Updated: 20 March 2000

NAME

tcpproxy - generic TCP proxy server  

SYNOPSIS

tcpproxy [options] [server]  

DESCRIPTION

tcpproxy is a generic TCP proxy server. It connects a client and a server and forwards any data from the client to the server and vice versa. tcpproxy doesn't care about the data being transported.

If server begins with a `/' or `.' it is taken as the pathname of a program that acts as a request handler for incoming connections. Otherwise server is interpreted as host[:port] and the client request is forwarded to the given host and port. If port is omitted in this case, tcpproxy uses its own server port as the destination port on host.

If tcpproxy has to start a local program it sets the environment variables PROXY_PORT, PROXY_INTERFACE, PROXY_CLIENT and PROXY_CLIENTNAME with the data of the current connection. The `PROXY_' prefix can be changed with the command line option -v or the setenv configuration directive.

tcpproxy can either be started from inetd(1) or act as a standalone server listening on several ports. If the server argument is missing tcpproxy reads its configuration file /etc/tcpproxy.conf and either forwards the current connection or binds to the specified ports waiting for client requests.  

CONFIGURATION FILE

The following directives define the global configuration.
standalone [yes|no]
if set to `yes' the server binds to the defined ports waiting for requests. This is the default if a configuration file is used.

The uid and gid settings are only used if the user starting tcpproxy is root; otherwise they are ignored. If the calling user is root and no settings are found, tcpproxy uses its internal defaults of -1 and -2 for the user and group id. tcpproxy won't run as root.

The following directives control the available services and how they are served.

port port-number
defines a new port where tcpproxy should accept client requests.
interface ip-number
defines an interface on which connections on the service port from the last port directive are handled.
server server[:port]
defines the server and port to which tcpproxy forwards an incoming connection. If port is omitted the listening tcpproxy port is used.
uid numeric-uid
defines the numeric user id to which tcpproxy changes after accepting a request.
gid numeric-gid
same as uid but for the group id.
exec command
defines a local command which is executed to handle a request.
acp program
sets the access control program that is used to grant or deny incoming connections.
logname name
sets a different syslog name.
setenv varprefix
defines the variable prefix.
timeout timeout
defines a different timeout in seconds than the default of 60.
writefile filename
defines the basename for files where the server/client communication is written.

For a service configuration either server or exec must be specified. The timeout value is only used with a server configuration, and varprefix only if requests are handled by a local program. timeout, setenv and acp define configuration defaults if they appear before the first port directive.  

USER IDS

In version 1.1.5 the handling of user and group ids changed. From version 1.1.5 on, these ids are changed after accepting a request, not after binding to all ports and before accepting anything. This is only done if tcpproxy's user id is 0; otherwise tcpproxy keeps its current ids. The ids used for a service request are written to syslog. The default values for uid/gid are 65535/65534, which equals -1/-2 as 16-bit ids.  

ACCESS CONTROL

If an access control program is set for a port configuration, it is executed before the request is forwarded. The acp then decides whether to grant (exit status 0) or deny (exit status not 0) access. The acp can additionally print a diagnostic message to the requesting client through its standard output and to tcpproxy through its standard error.

The PROXY_ variables are set for the current connection when the acp is called.  
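The following POSIX shell script is an added example of such an access control program; it is not part of tcpproxy or of this manual. It reads the PROXY_PORT, PROXY_INTERFACE, PROXY_CLIENT and PROXY_CLIENTNAME variables described in DESCRIPTION (assuming the default `PROXY_' prefix), checks the client address against an allow-list embedded in the script, writes a protocol-appropriate refusal to stdout (which tcpproxy relays to the client) and a log line to stderr (which goes to tcpproxy), and exits 0 to grant or 1 to deny. The script name acp-allowlist, the allow-list format and its contents are assumptions constructed for the example.

```shell
#!/bin/sh
# acp-allowlist: hypothetical access control program for tcpproxy.
# Added example, not part of tcpproxy. It assumes the default PROXY_ variable
# prefix (see the -v option / setenv directive). tcpproxy runs it before
# forwarding a connection: exit 0 grants, any other status denies. Whatever is
# written to stdout is sent to the client; stderr is passed to tcpproxy.

# Constructed allow-list: "<listening-port> <client-ip or dotted-prefix>" per
# line. A prefix ending in '.' matches the whole subnet; anything else must
# match the client address exactly, so 192.168.1.10 does not match 192.168.1.100.
# A deployed script would read this from a root-owned file instead.
ACL='
25   192.168.1.
110  192.44.100.
79   192.168.1.10
'

# is_allowed PORT CLIENT: succeed if some ACL line matches; first match wins.
is_allowed() {
    ap_port=$1 ap_client=$2
    # The loop runs in a subshell, so exit codes inside it become the result.
    printf '%s\n' "$ACL" | {
        while read -r acl_port acl_who; do
            case "$acl_port" in ''|\#*) continue ;; esac
            [ "$acl_port" = "$ap_port" ] || continue
            [ -n "$acl_who" ] || continue
            case "$acl_who" in
                *.) case "$ap_client" in "$acl_who"*) exit 0 ;; esac ;;
                *)  if [ "$ap_client" = "$acl_who" ]; then exit 0; fi ;;
            esac
        done
        exit 1
    }
}

# deny_message PORT: a refusal the client's protocol can parse. tcpproxy relays
# stdout to the client, so keep it terse: it should not leak policy details.
deny_message() {
    case "$1" in
        25)  printf '%s\r\n' '554 Access denied' ;;
        110) printf '%s\r\n' '-ERR access denied' ;;
        *)   printf '%s\r\n' 'Access denied.' ;;
    esac
}

# acp_decide: judge the connection described by the PROXY_* variables.
acp_decide() {
    client=${PROXY_CLIENT:?PROXY_CLIENT not set}
    port=${PROXY_PORT:?PROXY_PORT not set}
    iface=${PROXY_INTERFACE:-?}
    name=${PROXY_CLIENTNAME:-unresolved}
    if is_allowed "$port" "$client"; then
        printf 'acp: grant %s (%s) -> %s:%s\n' "$client" "$name" "$iface" "$port" >&2
        return 0
    fi
    deny_message "$port"
    printf 'acp: deny %s (%s) -> %s:%s\n' "$client" "$name" "$iface" "$port" >&2
    return 1
}

# Act as an acp only when tcpproxy has supplied the connection variables;
# otherwise just define the functions (so the script can be sourced or tested).
if [ -n "${PROXY_CLIENT:-}" ]; then
    acp_decide
    exit $?
fi
```

To use it for every service, put `acp /usr/local/sbin/acp-allowlist' before the first port directive of /etc/tcpproxy.conf (or pass -a on the command line); placed after a port directive it applies to that service only. The dotted-prefix rule is deliberate: a plain string-prefix match would let 192.168.1.100 pass a rule written for 192.168.1.10. Remember that the acp only gates the connection; once granted, tcpproxy forwards bytes unchanged, so it does not protect the destination server from attacks inside the protocol (see NOTES).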

OPTIONS

The following options are available:
-a program
sets program as access control program.
-b [interface:]port
tells tcpproxy that it should bind to port on the given interface. If interface is omitted tcpproxy will bind to all available interfaces. -b implies -s.
-f config
sets a different configuration file than /etc/tcpproxy.conf.
-l logname
sets the name under which tcpproxy writes to syslog.
-p
creates the pidfile /var/run/tcpproxy.pid. This default name can be changed by giving the -p option twice followed by the name of the pidfile.
-s
sets standalone (bind to ports and listen) mode.
-t timeout
defines a different timeout in seconds than the default of 60 seconds for each connection.
-v varprefix
specifies a different variable prefix than `PROXY_' for the request handler variables.
-w writefile
specifies that the client/server communication is written to the file writefile.pid.log.
-y
clears the whole environment before starting the request handler.
-z
lists the configured server ports and exits. This is useful if you want to shutdown the tcpproxy services with either fuser(1) or netuser(1). Giving -z twice lists the basic configuration data.

If the -b option is given on the command line, the server argument is required.  

EXAMPLES

The following examples assume that tcpproxy is installed on a machine with two network interface cards. One is the external interface with the IP number 192.44.100.7 and the other is the internal one with IP numbers 192.168.1.1 and 192.168.1.2 (virtual interfaces).


 #
 # /etc/tcpproxy.conf - sample configuration
 #

 #
 # Define SMTP proxies ...
 #
 port 25

   # ... for outgoing ...
   #
   interface 192.168.1.1
     server mailrelay.provider.com

   # ... and incoming email.
   #
   interface 192.44.100.7
     server mail.domain.com

 #
 # There are also NNTP servers on the outside
 #
 port 119

   interface 192.168.1.1
     server nntp.provider.com

   interface 192.168.1.2
     server nntp.other-provider.com

 #
 # Users from the outside can access our internal
 # POP3 server ...
 #
 port 110

   interface 192.44.100.7

   # ... but only through a real application gateway.
   #
   exec /usr/local/sbin/pop3.proxy mail.domain.com

With this configuration file tcpproxy might be started with

tcpproxy -s

to make tcpproxy bind itself to all the listed interfaces. Another way of serving requests is to configure the ports in /etc/inetd.conf and start tcpproxy without the -s option from there. The proxy then inspects its configuration file to see how the connection handed over by inetd should be handled.
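As an added illustration (not from the manual), the /etc/inetd.conf entry for the POP3 service of the sample configuration could look as follows; the path /usr/local/sbin/tcpproxy is an assumption. inetd accepts the connection on port 110 and starts tcpproxy on it without -s; tcpproxy then looks up port 110 in /etc/tcpproxy.conf and runs the configured exec handler. The entry starts tcpproxy as root so that the uid/gid directives (see USER IDS) take effect; tcpproxy changes to the configured or default unprivileged ids before it serves the request and never keeps running as root.

```text
# /etc/inetd.conf (added example; the path to the tcpproxy binary is assumed)
# service  socket  proto  wait    user  program                   arguments
pop3       stream  tcp    nowait  root  /usr/local/sbin/tcpproxy  tcpproxy
```

Because inetd, not tcpproxy, owns the listening socket in this mode, the interface directive cannot restrict which network card the service is reachable on; use packet filters for that.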

tcpproxy -b 192.44.100.7:79 /bin/date opens a date server on the external interface. This service is not available on the interfaces numbered 192.168.1.1 and .2, but it is still accessible from the internal network:


 user@192.168.1.10/~ > telnet 192.44.100.7 79
 <current date goes here>

If, in inetd mode, you want to provide a service on only one network card, you have to implement further access control with packet filters.  

NOTES

tcpproxy doesn't forward the FTP protocol; use ftp.proxy for this. Nor does it work with UDP protocols: TCP is connection-oriented and UDP is not, which is an important difference. Furthermore, tcpproxy doesn't protect you against network attacks such as buffer overflows against the addressed server; you need application-level gateway proxies for that.  

SEE ALSO

inetd(1).

This document was created by man2html, using the manual pages.
Time: 01:51:11 GMT, July 11, 2022