NAME
       tcpproxy - generic TCP proxy server

SYNOPSIS
       tcpproxy [options] [server]

DESCRIPTION
       tcpproxy is a generic TCP proxy server.  It connects a client and a
       server and forwards any data from the client to the server and vice
       versa.  tcpproxy doesn't care about the data being transported.

       If server begins with a `/' or `.' it is taken as a pathname to a
       program that acts as a request handler for incoming connections.
       Otherwise server is interpreted as host[:port] and the client
       request is forwarded to the given host and port.  If in this case
       port is omitted, tcpproxy uses its own server port as the
       destination port on host.

       If tcpproxy has to start a local program it sets the environment
       variables PROXY_PORT, PROXY_INTERFACE, PROXY_CLIENT and
       PROXY_CLIENTNAME with the data of the current connection.  The
       `PROXY_' prefix may be changed with the command line option -v or
       the setenv configuration directive.

       tcpproxy can either be started from inetd or act as a standalone
       server listening on several ports.  If the server argument is
       missing, tcpproxy reads its configuration file /etc/tcpproxy.conf
       and either forwards the current connection or binds to the
       specified ports waiting for client requests.

CONFIGURATION
       The following directive defines the global configuration.

       standalone [yes|no]
              If set to `yes' the server binds to the defined ports
              waiting for requests.  This is the default if a
              configuration file is used.

       The uid and gid settings are only used if the user starting
       tcpproxy is root; otherwise they are ignored.  If, however, the
       calling user is root and no settings are found, tcpproxy uses its
       internal defaults of -1 and -2 for the user and group id.  tcpproxy
       won't run as root.

       The following directives control the available services and how
       they are served.

       port port-number
              Defines a new port on which tcpproxy should accept client
              requests.

       interface ip-number
              Defines an interface on which connections to the service
              port from the last port directive are handled.

       server server[:port]
              Defines the server and port to which tcpproxy forwards an
              incoming connection.  If port is omitted, the listening
              tcpproxy port is used.

       uid numeric-uid
              Defines the numeric user id to which tcpproxy changes after
              accepting a request.

       gid numeric-gid
              Same as uid, but for the group id.

       exec command
              Defines a local command which is executed to handle a
              request.

       acp program
              Sets the access control program that is used to grant or
              deny incoming connections.

       logname name
              Sets a different syslog name.

       setenv varprefix
              Defines the variable prefix.

       timeout timeout
              Defines a different timeout in seconds than the default of
              60.

       writefile filename
              Defines the basename for the files to which the
              server/client communication is written.

       For a service configuration either server or exec must be
       specified.  The timeout value is only used in conjunction with a
       server configuration, and varprefix only if requests are handled by
       a local program.  timeout, setenv and acp define configuration
       defaults if they appear before the first port directive.

       In version 1.1.5 the way user and group ids are handled changed.
       From version 1.1.5 on, these ids are changed after accepting a
       request and not after binding to all ports before accepting
       anything.  This is only done if tcpproxy's user id is 0; otherwise
       tcpproxy keeps its current ids.  The ids used for a service request
       are written to syslog.  The default values for uid/gid are
       65535/65534, which is equal to -1/-2.

ACCESS CONTROL
       If an access control program is set for a port configuration, this
       program is executed before the request is forwarded.  The acp can
       then decide whether it grants (exit status 0) or denies (exit
       status not 0) the access.  The acp can additionally print a
       diagnostic message to the requesting client through its standard
       output and to tcpproxy through its standard error.  The PROXY_
       variables are set for the current connection when the acp is
       called.

OPTIONS
       The following options are available:

       -a program
              Sets program as access control program.

       -b [interface:]port
              Tells tcpproxy that it should bind to port on the given
              interface.  If interface is omitted, tcpproxy binds to all
              available interfaces.  -b implies -s.

       -f config
              Sets a different configuration file than
              /etc/tcpproxy.conf.

       -l logname
              Sets the name under which tcpproxy writes to syslog.

       -p     Creates the pidfile /var/run/tcpproxy.pid.  This default
              name can be changed by giving the -p option twice, followed
              by the name of the pidfile.

       -s     Sets standalone (bind to ports and listen) mode.

       -t timeout
              Defines a different timeout in seconds than the default of
              60 seconds for each connection.

       -v varprefix
              Specifies a different variable prefix than `PROXY_' for the
              request handler variables.

       -w writefile
              Specifies that the client/server communication is written
              to the file writefile.pid.log.

       -y     Clears the whole environment before starting the request
              handler.

       -z     Lists the configured server ports and exits.  This is useful
              if you want to shut down the tcpproxy services with either
              fuser(1) or netuser(1).  Giving -z twice lists the basic
              configuration data.

       If the -b option is given on the command line, the server argument
       is required.

EXAMPLES
       The following examples assume that tcpproxy is installed on a
       machine with two network interface cards.  One is the external
       interface with the IP number 192.44.100.7 and the other is the
       internal one with IP numbers 192.168.1.1 and 192.168.1.2 (virtual
       interfaces).

              #
              # /etc/tcpproxy.conf - sample configuration
              #

              #
              # Define SMTP proxies ...
              #
              port 25

              # ... for outgoing ...
              #
              interface 192.168.1.1
              server mailrelay.provider.com

              # ... and incoming email.
              #
              interface 192.44.100.7
              server mail.domain.com

              #
              # There are also NNTP-Servers on the outside
              #
              port 119

              interface 192.168.1.1
              server nntp.provider.com

              interface 192.168.2.1
              server nntp.other-provider.com

              #
              # Users from the outside can access our internal
              # POP3 server ...
              #
              port 110

              interface 192.44.100.7

              # ... but only through a real application gateway.
              #
              exec /usr/local/sbin/pop3.proxy mail.domain.com

       With this configuration file tcpproxy might be started with

              tcpproxy -s

       to make tcpproxy bind itself to all the listed interfaces.  Another
       way of serving requests is to configure the ports in
       /etc/inetd.conf and start tcpproxy without the -s option from
       there.  The proxy will then inspect its configuration file to see
       how the connection made by inetd should be handled.

       The command

              tcpproxy -b 192.44.100.7:79 /bin/date

       opens a date server on the external interface.  This service won't
       be available on the interfaces numbered 192.168.1.1 and .2, but
       the service is still accessible from the internal network:

              user@192.168.1.10/~ > telnet 192.44.100.7 79
              <current date goes here>

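       The following is an added example of an access control program of
       the kind described under ACCESS CONTROL; it is not part of the
       tcpproxy distribution.  It assumes only what the manual states:
       PROXY_CLIENT holds the client's address and PROXY_PORT the
       listening port, exit status 0 grants, standard output is read by
       the client and standard error by tcpproxy.  The path
       /usr/local/sbin/tcpproxy-acp and the policy table (which networks
       may use which port) are constructed for the sample configuration
       above.  The decision is made on PROXY_CLIENT rather than
       PROXY_CLIENTNAME, since a reverse DNS name is chosen by whoever
       controls the client's address space.

```python
"""Access control program (acp) for tcpproxy.

Added example, not part of the tcpproxy distribution.  tcpproxy runs the
acp before forwarding a request with PROXY_PORT, PROXY_INTERFACE,
PROXY_CLIENT and PROXY_CLIENTNAME in the environment; exit status 0 grants,
anything else denies; standard output reaches the client and standard error
reaches tcpproxy.  Installed for a port with  acp /usr/local/sbin/tcpproxy-acp
(hypothetical path); the policy table is constructed for the sample
configuration in EXAMPLES."""
import ipaddress
import os
import sys

INSIDE = (ipaddress.ip_network("192.168.1.0/24"),
          ipaddress.ip_network("192.168.2.0/24"))
ANYWHERE = (ipaddress.ip_network("0.0.0.0/0"),)

# Constructed policy: listening port -> networks allowed to use it.  A port
# that is not listed is denied to everybody, so a new service stays closed
# until someone adds it here.
POLICY = {
    25:  ANYWHERE,   # incoming mail has to be accepted from any host
    110: INSIDE,     # POP3 only for the internal networks
    119: INSIDE,     # NNTP likewise
}


def decide(client, port):
    """Return (granted, reason) for the strings tcpproxy puts in PROXY_CLIENT
    and PROXY_PORT.  Malformed input is a denial, never an exception."""
    try:
        addr = ipaddress.ip_address(client)
        portno = int(port)
    except ValueError:
        return False, "malformed PROXY_CLIENT or PROXY_PORT"
    networks = POLICY.get(portno)
    if networks is None:
        return False, "no policy for port %d" % portno
    if any(addr in net for net in networks):
        return True, "%s allowed on port %d" % (addr, portno)
    return False, "%s not allowed on port %d" % (addr, portno)


def main():
    # Decide on the address, not on PROXY_CLIENTNAME: the reverse DNS name
    # is chosen by whoever controls the client's address space.
    client = os.environ.get("PROXY_CLIENT", "")
    port = os.environ.get("PROXY_PORT", "")
    granted, reason = decide(client, port)
    # Details go to stderr (tcpproxy's log).  Stdout is read by the client,
    # so it gets nothing more than a terse refusal.
    sys.stderr.write("acp: %s %s port %s: %s\n"
                     % ("grant" if granted else "deny", client, port, reason))
    if not granted:
        sys.stdout.write("Access denied.\r\n")
        sys.stdout.flush()
    return 0 if granted else 1


if __name__ == "__main__":
    sys.exit(main())
```

       Because tcpproxy only looks at the exit status, the program must
       never die with an exception on odd input: a traceback would exit
       non-zero and deny, which is the safe direction, but the reason would
       be lost from the log.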
RESTRICTIONS
       If in inetd mode you want to provide a service only on one network
       card, you'll have to implement further access control with packet
       filters.

       tcpproxy doesn't forward the FTP protocol; use ftp.proxy for this.
       It doesn't work with UDP protocols either: TCP is connection
       oriented and UDP is not, which is an important difference.
       Furthermore, tcpproxy doesn't protect you against network attacks
       like buffer overflows against the addressed server.  You'll have
       to use application-gateway-level proxies for that.
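
       The following added example shows what such an application-level
       gateway does that tcpproxy itself cannot: a filtering POP3 request
       handler of the kind the exec directive in the sample configuration
       points at.  It is neither the pop3.proxy program named above nor
       part of tcpproxy.  It assumes that tcpproxy hands the handler the
       client connection on standard input and output (the /bin/date
       example shows that standard output reaches the client) and sets
       PROXY_CLIENT; the real server is passed on the command line, and
       the program name pop3-filter is hypothetical.  Instead of copying
       bytes blindly it reads the client side line by line, relays only
       well-formed commands from a fixed list with bounded arguments, and
       answers everything else itself, so an overlong or binary command
       aimed at the real server never reaches it.

```python
"""Filtering POP3 request handler for tcpproxy's exec directive.
Added example, not the pop3.proxy program named in this manual and not part
of tcpproxy.  Assumed interface: the client connection is on stdin/stdout
and PROXY_CLIENT is set by tcpproxy; the real server comes from the command
line, e.g.  exec /usr/local/sbin/pop3-filter mail.domain.com:110
(pop3-filter is a hypothetical name)."""
import io
import os
import socket
import sys

MAX_LINE = 512                      # POP3 commands are short; longer input is hostile
ALLOWED = {                         # command -> maximum number of arguments (RFC 1939)
    b"USER": 1, b"PASS": 1, b"STAT": 0, b"LIST": 1, b"RETR": 1, b"DELE": 1,
    b"NOOP": 0, b"RSET": 0, b"TOP": 2, b"UIDL": 1, b"QUIT": 0,
}
MULTI_ALWAYS = {b"RETR", b"TOP"}    # reply is multi-line, terminated by "."
MULTI_NOARG = {b"LIST", b"UIDL"}    # multi-line only when given no argument


def check_command(line):
    """Vet one client line (bytes, CRLF included).  Returns (name, number of
    arguments, normalized line to relay) or None when the line is refused:
    bad terminator, control/non-ASCII bytes, unknown command, wrong
    argument count, empty or overlong argument."""
    if len(line) > MAX_LINE or not line.endswith(b"\r\n"):
        return None
    body = line[:-2]
    if not body or any(c < 0x20 or c > 0x7e for c in body):
        return None
    name, _, rest = body.partition(b" ")
    name = name.upper()
    if name not in ALLOWED:
        return None
    if not rest:
        args = []
    elif name == b"PASS":               # the one argument may contain spaces
        args = [rest]
    else:
        args = rest.split(b" ")
    if len(args) > ALLOWED[name] or any(a == b"" or len(a) > 40 for a in args):
        return None
    return name, len(args), b" ".join([name] + args) + b"\r\n"


def relay_session(client_in, client_out, server_in, server_out):
    """Drive one session over binary file objects.  Only vetted commands reach
    the server; everything else is answered with -ERR by the gateway itself
    and logged on stderr, which tcpproxy passes on to syslog."""
    peer = os.environ.get("PROXY_CLIENT", "-")
    client_out.write(server_in.readline())          # pass the server banner on
    client_out.flush()
    while True:
        line = client_in.readline(MAX_LINE + 1)     # bounded read, no unbounded buffering
        if not line:
            return                                  # client closed the connection
        checked = check_command(line)
        if checked is None:
            sys.stderr.write("pop3-filter: refused from %s: %r\n" % (peer, line[:64]))
            client_out.write(b"-ERR command refused by gateway\r\n")
            client_out.flush()
            if not line.endswith(b"\r\n"):          # overlong or bare-LF line:
                return                              # drop the whole session
            continue
        name, nargs, relay = checked
        server_out.write(relay)
        server_out.flush()
        reply = server_in.readline()
        client_out.write(reply)
        if reply.startswith(b"+OK") and (name in MULTI_ALWAYS or
                                         (name in MULTI_NOARG and nargs == 0)):
            while True:                             # copy the multi-line reply up to "."
                chunk = server_in.readline()
                client_out.write(chunk)
                if not chunk or chunk == b".\r\n":
                    break
        client_out.flush()
        if name == b"QUIT" or not reply:
            return


def run_session(client_bytes, server_bytes):
    """Run relay_session over in-memory streams (constructed traffic, for
    testing); returns (bytes relayed to the server, bytes sent to the client)."""
    server_out, client_out = io.BytesIO(), io.BytesIO()
    relay_session(io.BytesIO(client_bytes), client_out, io.BytesIO(server_bytes), server_out)
    return server_out.getvalue(), client_out.getvalue()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: pop3-filter server[:port]")
    host, _, port = sys.argv[1].partition(":")
    srv = socket.create_connection((host, int(port or 110)), timeout=60)
    with srv, srv.makefile("rb") as srv_in, srv.makefile("wb") as srv_out:
        relay_session(sys.stdin.buffer, sys.stdout.buffer, srv_in, srv_out)
```

       Note the difference from tcpproxy's own forwarding: the 60 second
       timeout on the server socket plays the same role as the timeout
       directive, but a command line longer than MAX_LINE or one without
       the CRLF terminator ends the session instead of being passed to the
       server, and the server only ever sees commands rebuilt from the
       vetted parts.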