FTP connection through Squid
Hi All
I am facing a problem establishing an FTP connection through my Squid proxy. My OS is CentOS 5.2 and I have 2 LAN cards: eth0 holds local and eth1 holds public. I have enabled IP forwarding in sysctl.conf. I have entered only a masquerading rule for testing. The problem is that I can upload to my remote FTP sites from this proxy machine, but not from my local machines. I am using FileZilla and WS_FTP as FTP client tools. I have properly given the proxy IP and port in Proxy Settings. When I checked my Squid access.log, the messages are:
1245872884.770 25 91.0.0.77 TCP_DENIED/403 1414 CONNECT 69.16.113.125:21 - NONE/- text/html
And FileZilla shows this error:
Status: Connection with proxy established, performing handshake...
Response: Proxy reply: HTTP/1.0 403 Forbidden
My squid.conf is posted here:
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl ftp proto FTP
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
acl exam src 91.0.0.0/24
http_access allow exam
http_access allow ftp
always_direct allow ftp
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
These are the modules loaded via modprobe:
[root@proxy ~]# lsmod | grep ftp
ip_nat_ftp 7361 0
ip_conntrack_ftp 11697 1 ip_nat_ftp
ip_nat 20973 3 ip_nat_ftp,ipt_MASQUERADE,iptable_nat
ip_conntrack 53025 6 ip_nat_ftp,ip_conntrack_ftp,ip_conntrack_netbios_ns,ipt_MASQUERADE,iptable_nat,ip_nat
# /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp ip_nat_ftp"
iptables rule:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
Other things are working fine, i.e. HTTP, HTTPS, etc. How can I solve this problem?
Any help will be appreciated.
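A triage helper for the log line in the post above, as an added example that is not part of the original post: it parses Squid's native access.log format and reports how a request's client address and CONNECT destination port relate to the `exam`, `SSL_ports` and `Safe_ports` ACLs exactly as posted. It reports ACL membership only and does not evaluate `http_access` rule order; the function and field names are assumptions made for this example.

```python
import ipaddress
from typing import NamedTuple, Optional
# ACL values copied from the squid.conf in the post.
SSL_PORTS = {443}
SAFE_PORTS = [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
              (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]
EXAM_NET = ipaddress.ip_network("91.0.0.0/24")
# The access.log line quoted in the post.
POSTED = "1245872884.770 25 91.0.0.77 TCP_DENIED/403 1414 CONNECT 69.16.113.125:21 - NONE/- text/html"

class Entry(NamedTuple):
    client: str
    result: str      # Squid result code, e.g. TCP_DENIED
    status: int      # HTTP status returned to the client
    method: str
    url: str         # host:port for CONNECT requests

def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format access.log line; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, sep, status = f[3].partition("/")
    if not sep or not status.isdigit():
        return None
    return Entry(f[2], result, int(status), f[5], f[6])

def connect_port(e: Entry) -> Optional[int]:
    """Destination port of a CONNECT request, else None."""
    _, sep, port = e.url.rpartition(":")
    if e.method != "CONNECT" or not sep or not port.isdigit():
        return None
    return int(port)

def describe(e: Entry) -> dict:
    """ACL membership for one entry, using the ACLs as posted."""
    port = connect_port(e)
    try:
        in_exam = ipaddress.ip_address(e.client) in EXAM_NET
    except ValueError:          # client logged as a hostname
        in_exam = None
    return {
        "denied": e.result == "TCP_DENIED",
        "client_in_exam": in_exam,
        "connect_port": port,
        "in_SSL_ports": None if port is None else port in SSL_PORTS,
        "in_Safe_ports": None if port is None else any(lo <= port <= hi for lo, hi in SAFE_PORTS),
    }

if __name__ == "__main__":
    print(describe(parse_line(POSTED)))
```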