TCPPROXY(1) TCPPROXY(1)
NAME
tcpproxy - generic TCP proxy server
SYNOPSIS
tcpproxy [options] [server]
DESCRIPTION
tcpproxy is a generic TCP proxy server. It connects a
client and a server and forwards any data from the client
to the server and vice versa. tcpproxy doesn't care about
the data being transported.
If server begins with a `/' or `.' it is taken as the pathname
of a program that acts as a request handler for incoming
connections. Otherwise server is interpreted as host[:port]
and the client request is forwarded to the given host and
port. If in this case port is omitted, tcpproxy uses its own
server port as destination port on host.
If tcpproxy has to start a local program it sets the
environment variables PROXY_PORT, PROXY_INTERFACE,
PROXY_CLIENT and PROXY_CLIENTNAME with the data of the
current connection. The `PROXY_' prefix can be changed
with the command line option -v or the setenv configuration
directive.
tcpproxy can be either started from inetd(1) or act as a
standalone server listening on several ports. If the
server argument is missing tcpproxy reads its configuration
file /etc/tcpproxy.conf and either forwards the current
connection or binds to the specified ports waiting for
client requests.
CONFIGURATION FILE
The following directives define the global configuration.
standalone [yes|no]
if set to `yes' the server binds to the defined
ports waiting for requests. This is the default if
a configuration file is used.
The uid and gid settings are only used if the user starting
tcpproxy is root, otherwise they are ignored. If however
the calling user is root and no settings are found,
tcpproxy uses its internal default of -1 and -2 for the
user and group id. tcpproxy will not run as root.
The following directives control the available services
and how they are served.
port port-number
defines a new port where tcpproxy should accept
client requests.
interface ip-number
defines an interface on which connections on the
service port from the last port directive are han-
dled.
rotate ip-start ip-end
defines a range of IP numbers that is used for the
connection to the server.
server server[:port]
defines the server and port where tcpproxy will
forward an incoming connection to. If port is
omitted the listening tcpproxy port is used.
uid numeric-uid
defines the numeric user id to which tcpproxy
changes after accepting a request.
gid numeric-gid
same as uid but for the group id.
user username
instead of giving numeric ids for user and group
for a particular user, its name can be set
directly.
exec command
defines a local command which is executed to handle
a request.
acp program
sets the access control program that is used to
grant or deny incoming connections.
logname name
sets a different syslog name.
setenv varprefix
defines the variable prefix.
timeout timeout
defines a different timeout in seconds than the
default of 60.
writefile filename
defines the basename for files where the
server/client communication is written. debug is a
synonym for writefile but also turns on tcpproxy's
debug option `-dfR'.
For a service configuration either server or exec must be
specified. The timeout value is only used in conjunction
with a server configuration and varprefix only if requests
are handled by a local program. timeout, setenv and acp
define configuration defaults if they appear before the
first port directive.
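The directive rules above (global defaults before the first port, interfaces grouped under a port, server-or-exec per service, omitted server port meaning the listening port) worked through as a small parser. This is an added example, not part of tcpproxy; the grouping model (each interface under a port becomes one service that starts from the global defaults) and the sample file with its acp path are assumptions constructed for the demonstration.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample in the shape of /etc/tcpproxy.conf; the acp path is hypothetical.
SAMPLE_CONF = """\
timeout 30                        # global default: appears before the first port
acp /usr/local/sbin/check-client  # hypothetical access control program
port 25
interface 192.168.1.1
server mailrelay.provider.com
interface 192.44.100.7
server mail.domain.com:2525
port 110
interface 192.44.100.7
exec /usr/local/sbin/pop3.proxy mail.domain.com
"""
@dataclass
class Service:
    port: int
    interface: str = None                      # None: all interfaces
    settings: dict = field(default_factory=dict)

def parse_conf(text):
    """Return (globals, services). Assumed model: `port` opens a listening port and
    each `interface` under it a service; both start from the global defaults."""
    globals_, services, current = {}, [], None
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words: continue                  # blank or comment-only line
        key, value = words[0].lower(), " ".join(words[1:])
        if key == "port":
            current = Service(int(value), settings=dict(globals_))
            services.append(current)
        elif key == "interface":
            if current.interface is None and not ("server" in current.settings or "exec" in current.settings):
                services.pop()                  # bare port entry carried no service: replace it
            current = Service(current.port, value, dict(globals_))
            services.append(current)
        elif current is None:                   # timeout, setenv and acp before the first port
            globals_[key] = value
        else:
            current.settings[key] = value
    return globals_, services
def validate(services):
    # Man page rule: each service must specify server or exec (exactly one of them).
    return [f"port {s.port} on {s.interface or '*'}: need server or exec"
            for s in services if ("server" in s.settings) == ("exec" in s.settings)]
def target(service):
    # Host and port a connection is forwarded to; an omitted port means the listening port.
    host, _, port = service.settings["server"].partition(":")
    return host, int(port) if port else service.port
```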
USER IDS
In version 1.1.5 the way user and group ids are handled
changed. From version 1.1.5 these ids are changed after
accepting a request and not after binding to all ports
before accepting anything. This is however only done if
tcpproxy's user id is 0, otherwise tcpproxy keeps its
current ids. The ids which are used for a service request
are written to syslog. The default values for uid/gid are
65535/65534 which is equal to -1/-2.
ACCESS CONTROL
If for a port configuration an access control program is
set, this program is executed before forwarding the
request. The acp can then decide if it grants (exit status
0) or denies (exit status not 0) the access. The acp
can additionally print a diagnostic message to the
requesting client through its standard output and to
tcpproxy through its standard error.
The PROXY_ variables are set for the current connection
when the acp is called.
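An access control program following the contract above (PROXY_ variables in the environment, diagnostic to the client on standard output and to tcpproxy on standard error, exit status 0 to grant). This is an added example, not an acp shipped with tcpproxy; the allowed network is a constructed policy, and the `prefix` parameter assumes the prefix was left at its default or changed consistently with -v / setenv.

```python
import os
import sys
from ipaddress import ip_address, ip_network

# Constructed policy: only clients from the internal network may use this service.
ALLOWED_NETS = [ip_network("192.168.1.0/24")]

def decide(env, prefix="PROXY_"):
    """Return (granted, message_for_client, message_for_log) for one connection.
    `env` carries the variables tcpproxy sets; `prefix` follows -v / setenv."""
    client = env.get(prefix + "CLIENT", "")
    where = f"port {env.get(prefix + 'PORT', '?')} on {env.get(prefix + 'INTERFACE', '?')}"
    try:
        addr = ip_address(client)
    except ValueError:               # never assume the variable is well-formed
        return False, "access denied\r\n", f"acp: unparsable client address {client!r}, {where}"
    if any(addr in net for net in ALLOWED_NETS):
        return True, "", f"acp: granted {client}, {where}"
    return False, "access denied\r\n", f"acp: denied {client}, {where}"

def main():
    granted, to_client, to_log = decide(os.environ)
    sys.stdout.write(to_client)      # standard output reaches the requesting client
    sys.stdout.flush()
    print(to_log, file=sys.stderr)   # standard error reaches tcpproxy
    sys.exit(0 if granted else 1)    # exit status 0 grants, anything else denies

if __name__ == "__main__":
    main()
```

Install it as `acp /path/to/script` in /etc/tcpproxy.conf (or with -a) and watch the syslog lines tcpproxy writes for the granted/denied decisions.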
OPTIONS
The following options are available:
-a program
sets program as access control program.
-b [interface:]port
tells tcpproxy that it should bind to port on the
given interface. If interface is omitted tcpproxy
will bind to all available interfaces. -b implies
-s.
-f config
sets a different configuration file than /etc/tcp-
proxy.conf.
-l logname
sets the name under which tcpproxy writes to sys-
log.
-p creates the pidfile /var/run/tcpproxy.pid. This
default name can be changed by giving the -p option
twice followed by the name of the pidfile.
-s sets standalone (bind to ports and listen) mode.
-t timeout
defines a different timeout in seconds than the
default of 60 seconds for each connection.
-v varprefix
specifies a different variable prefix than `PROXY_'
for the request handler variables.
-w writefile
specifies that the client/server communication is
written to the file writefile.pid.log.
-y clears the whole environment before starting the
request handler.
-z lists the configured server ports and exits. This
is useful if you want to shut down the tcpproxy
services with either fuser(1) or netuser(1). Giving
-z twice lists the basic configuration data.
If the -b option is given on the command line, the server
argument is required.
EXAMPLES
The following examples assume that tcpproxy is installed
on a machine with two network interface cards. One is the
external interface with the IP number 192.44.100.7 and the
other is the internal one with IP numbers 192.168.1.1 and
192.168.1.2 (virtual interfaces).
#
# /etc/tcpproxy.conf - sample configuration
#
#
# Define SMTP proxies ...
#
port 25
# ... for outgoing ...
#
interface 192.168.1.1
server mailrelay.provider.com
# ... and incoming email.
#
interface 192.44.100.7
server mail.domain.com
#
# There are also NNTP-Servers on the outside
#
port 119
interface 192.168.1.1
server nntp.provider.com
interface 192.168.2.1
server nntp.other-provider.com
#
# Users from the outside can access our internal
# POP3 server ...
#
port 110
interface 192.44.100.7
# ... but only through a real application gateway.
#
exec /usr/local/sbin/pop3.proxy mail.domain.com
With this configuration file tcpproxy might be started
with
tcpproxy -s
to make tcpproxy bind itself to all the listed interfaces.
Another way of serving requests is to configure the ports
in /etc/inetd.conf and start tcpproxy without the -s
option from there. The proxy will then inspect its
configuration file to see how the connection made by inetd
should be handled.
tcpproxy -b 192.44.100.7:79 /bin/date opens a date server
on the external interface. This service won't be available
on the interfaces numbered 192.168.1.1 and .2 but the
service is still accessible from the internal network:
user@192.168.1.10/~ > telnet 192.44.100.7 79
<current date goes here>
If in inetd mode you want to provide a service only on one
network card you'll have to implement further access con-
trol with packet filters.
NOTES
tcpproxy doesn't forward the FTP protocol; use ftp.proxy
for this. It doesn't work with UDP protocols either: TCP
is connection-oriented and UDP is not, which is an important
difference. And furthermore tcpproxy doesn't protect you
against network attacks like buffer overflows against the
addressed server. You'll have to use application gateway
level proxies for that.
SEE ALSO
inetd(1).
20 March 2000 TCPPROXY(1)