
tcp proxy

廖令
2023-12-01
http://www.quietsche-entchen.de/cgi-bin/wiki.cgi/manpages/tcpproxy.1
+subject: tcpproxy - generic TCP proxy server

TCPPROXY(1)                                           TCPPROXY(1)



NAME
       tcpproxy - generic TCP proxy server

SYNOPSIS
       tcpproxy [options] [server]

DESCRIPTION
       tcpproxy  is  a  generic  TCP proxy server.  It connects a
       client and a server and forwards any data from the  client
       to the server and vice versa.  tcpproxy doesn't care about
       the data being transported.

       If server begins with a `/' or `.' it is taken as a path-
       name of a program that acts as a request handler for
       incoming connections.  Otherwise server is interpreted as
       host[:port] and the client request is forwarded to the
       given host and port.  If in this case port is omitted,
       tcpproxy uses its own server port as the destination port
       on host.

       If tcpproxy has to start a local program it sets the
       environment variables PROXY_PORT, PROXY_INTERFACE,
       PROXY_CLIENT and PROXY_CLIENTNAME with the data of the
       current connection.  The `PROXY_' prefix can be changed
       with the command line option -v or the setenv
       configuration directive.

       tcpproxy can either be started from inetd(1) or act as a
       standalone server listening on several ports.  If the
       server argument is missing tcpproxy reads its configuration
       file /etc/tcpproxy.conf and either forwards the current
       connection or binds to the specified ports waiting for
       client requests.

CONFIGURATION FILE
       The following directives define the global  configuration.

       standalone [yes|no]
              if  set  to  `yes'  the server binds to the defined
              ports waiting for requests.  This is the default if
              a configuration file is used.

       The uid and gid settings are only used if the user
       starting tcpproxy is root, otherwise they are ignored.  If
       however the calling user is root and no settings are found
       tcpproxy uses its internal default of -1 and -2 for the
       user and group id.  tcpproxy will not run as root.

       The  following  directives  control the available services
       and how they are served.

       port port-number
              defines a new port  where  tcpproxy  should  accept
              client requests.

       interface ip-number
              defines  an  interface  on which connections on the
              service port from the last port directive are  han-
              dled.

       rotate ip-start ip-end
              defines  a range of IP numbers that is used for the
              connection to the server.

       server server[:port]
              defines the server and port where tcpproxy will
              forward an incoming connection to.  If port is
              omitted the listening tcpproxy port is used.

       uid numeric-uid
              defines the numeric user id to which tcpproxy
              changes after accepting a request.

       gid numeric-gid
              same as uid but for the group id.

       user username
              instead of giving numeric ids for user and group,
              the name of a particular user can be set directly.

       exec command
              defines a local command which is executed to handle
              a request.

       acp program
              sets the access control program  that  is  used  to
              grant or deny incoming connections.

       logname name
              sets a different syslog name.

       setenv varprefix
              defines the variable prefix.

       timeout timeout
              defines  a  different  timeout  in seconds than the
              default of 60.

       writefile filename
              defines  the   basename   for   files   where   the
              server/client communication is written.  debug is a
              synonym for writefile  but  turns  also  tcpproxy's
              debug option `-dfR' on.

       For a service configuration either server or exec must be
       specified.  The timeout value is only used in conjunction
       with a server configuration and varprefix only if requests
       are handled by a local program.  timeout, setenv and acp
       define configuration defaults if they appear before the
       first port directive.
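       The following configuration is an added illustration, not
       part of the tcpproxy distribution or of the original man
       page, of the directive placement rules above: timeout,
       setenv and acp appear before the first port directive and
       therefore act as defaults, and a later per-service timeout
       overrides the default.  The hostnames, addresses and paths
       in it are made up, and placing user inside the service
       block (rather than globally) follows the directive list
       above; that placement is an assumption.

```conf
#
# /etc/tcpproxy.conf - added example, not from the tcpproxy
# distribution; hostnames, addresses and paths are invented.
#

# Global defaults: timeout, setenv and acp only act as defaults
# when they appear before the first port directive.
timeout 120
setenv PROXY_
acp /usr/local/sbin/tcpproxy-acp

#
# POP3 from the outside: screened by the acp above, then handed
# to a protocol-aware gateway rather than forwarded blindly.
#
port 110
  interface 192.44.100.7
    # drop privileges to this account after accepting a request
    # (only honoured when tcpproxy was started by root)
    user proxy
    exec /usr/local/sbin/pop3.proxy mail.domain.com

#
# Plain TCP forwarding for an internal IMAP server, with a
# per-service timeout override and a recorded session log.
#
port 143
  interface 192.168.1.1
    server imap.domain.com
    timeout 300
    writefile /var/log/tcpproxy/imap
```

       Two cautions apply to such a file.  writefile records the
       full client/server exchange in clear, credentials included,
       so the directory it names needs the same protection as the
       proxied service itself.  And because tcpproxy refuses to
       run as root but falls back to uid/gid -1/-2 when nothing is
       configured, naming an explicit user per service keeps the
       handler's privileges deliberate rather than accidental.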

USER IDS
       In version 1.1.5 the way user and group ids are handled
       changed.  From version 1.1.5 these ids are changed after
       accepting a request and not after binding to all ports
       before accepting anything.  This is however only done if
       tcpproxy's user id is 0, otherwise tcpproxy keeps its
       current ids.  The ids which are used for a service request
       are written to syslog.  The default values for uid/gid are
       65535/65534 which is equal to -1/-2.

ACCESS CONTROL
       If for a port configuration an access control program is
       set, this program is executed before forwarding the
       request.  The acp can then decide if it grants (exit
       status 0) or denies (exit status not 0) the access.  The
       acp can additionally print a diagnostic message to the
       requesting client through its standard output and to
       tcpproxy through its standard error.

       The  PROXY_  variables  are set for the current connection
       when the acp is called.
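       The script below is an added example of such an access
       control program; it is not part of the tcpproxy
       distribution or of the original man page.  It follows the
       contract stated above (exit 0 grants, anything else denies,
       stdout reaches the client, stderr reaches tcpproxy) and
       assumes, since the man page names the variables but does
       not define their contents, that PROXY_CLIENT carries the
       client's IP address and PROXY_PORT the proxied service
       port.  The address ranges and port policy are a constructed
       sample.

```shell
#!/bin/sh
# Added example, not from the tcpproxy distribution: an access
# control program (acp) for tcpproxy's "acp" directive / -a option.
#
# Contract from the man page: the acp runs with the PROXY_*
# variables of the current connection set; exit 0 grants, any
# other status denies; stdout is relayed to the requesting client
# and stderr goes to tcpproxy.
#
# Assumed (not defined by the man page): PROXY_CLIENT holds the
# client's IP address, PROXY_PORT the proxied service port.

# Policy decision, kept in a function so it can be exercised
# without tcpproxy.  Returns 0 to grant, 1 to deny.  The port
# list and address ranges are a constructed sample policy.
acp_decide() {
    client=$1
    port=$2
    case "$port" in
        25)                 # SMTP: accept mail from anyone
            return 0 ;;
        110|119)            # POP3/NNTP: internal networks only
            case "$client" in
                192.168.1.*|192.168.2.*) return 0 ;;
                *)                       return 1 ;;
            esac ;;
        *)                  # a port this acp was not written
            return 1 ;;     # for: fail closed
    esac
}

# Entry point when executed by tcpproxy (skipped when the file
# is sourced for testing, i.e. when PROXY_CLIENT is unset).
# Only a generic message reaches the client; the detail goes to
# tcpproxy's side via stderr so the policy is not disclosed to
# the remote party.
if [ -n "${PROXY_CLIENT:-}" ]; then
    if acp_decide "$PROXY_CLIENT" "${PROXY_PORT:-0}"; then
        echo "acp: grant ${PROXY_CLIENTNAME:-?} [$PROXY_CLIENT] port ${PROXY_PORT:-?}" >&2
        exit 0
    fi
    echo "Connection refused by policy."
    echo "acp: deny ${PROXY_CLIENTNAME:-?} [$PROXY_CLIENT] port ${PROXY_PORT:-?}" >&2
    exit 1
fi
```

       If the variable prefix is changed with -v or setenv, the
       names read by the script have to follow.  The unknown-port
       branch denies on purpose: an acp that grants by default
       silently opens every service later added to the
       configuration.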

OPTIONS
       The following options are available:

       -a program
              sets program as access control program.

       -b [interface:]port
              tells tcpproxy that it should bind to port  on  the
              given  interface.  If interface is omitted tcpproxy
              will bind to all available interfaces.  -b  implies
              -s.

       -f config
              sets  a different configuration file than /etc/tcp-
              proxy.conf.

       -l logname
              sets the name under which tcpproxy writes  to  sys-
              log.

       -p     creates  the  pidfile  /var/run/tcpproxy.pid.  This
              default name can be changed by giving the -p option
              twice followed by the name of the pidfile.

       -s     sets standalone (bind to ports and listen) mode.

       -t timeout
              defines  a  different  timeout  in seconds than the
              default of 60 seconds for each connection.

       -v varprefix
              specifies a different variable prefix than `PROXY_'
              for the request handler variables.

       -w writefile
              specifies  that  the client/server communication is
              written to the file writefile.pid.log.

       -y     clears the whole environment  before  starting  the
              request handler.

       -z     lists  the configured server ports and exits.  This
              is useful if you want to shutdown the tcpproxy ser-
              vices  with  either fuser(1) or netuser(1).  Giving
              -z twice lists the basic configuration data.

       In case that the -b option is found on  the  command  line
       the server argument is expected.

EXAMPLES
       The  following  examples assume that tcpproxy is installed
       on a machine with two network interface cards.  One is the
       external interface with the IP number 192.44.100.7 and the
       other is the internal one with IP numbers 192.168.1.1  and
       192.168.1.2 (virtual interfaces).

             #
             # /etc/tcpproxy.conf - sample configuration
             #

             #
             # Define SMTP proxies ...
             #
             port 25

               # ... for outgoing ...
               #
               interface 192.168.1.1
                 server mailrelay.provider.com

               # ... and incoming email.
               #
               interface 192.44.100.7
                 server mail.domain.com

             #
             # There are also NNTP-Servers on the outside
             #
             port 119

                interface 192.168.1.1
                  server nntp.provider.com

                interface 192.168.2.1
                  server nntp.other-provider.com

             #
             # Users from the outside can access our internal
             # POP3 server ...
             #
             port 110

               interface 192.44.100.7

               #  ... but only through a real application gateway.
               #
               exec /usr/local/sbin/pop3.proxy mail.domain.com

       With this configuration file  tcpproxy  might  be  started
       with

            tcpproxy -s

       to make tcpproxy bind itself to all the listed interfaces.
       Another way of serving requests is to configure the  ports
       in  /etc/inetd.conf  and  start  tcpproxy  without  the -s
       option from there.  The proxy will then inspect its
       configuration file to see how the connection made by
       inetd should be handled.

       tcpproxy -b 192.44.100.7:79 /bin/date opens a date server
       on the external interface.  This service won't be
       available on the interfaces numbered 192.168.1.1 and .2,
       but it is still accessible from the internal network:

             user@192.168.1.10/~ > telnet 192.44.100.7 79
             <current date goes here>

       If in inetd mode you want to provide a service only on one
       network card you'll have to implement further access  con-
       trol with packet filters.

NOTES
       tcpproxy doesn't forward the FTP protocol; use ftp.proxy
       for this.  Nor does it work with UDP protocols: TCP is
       connection-oriented and UDP is not, which is an important
       difference.  Furthermore, tcpproxy doesn't protect you
       against network attacks like buffer overflows against the
       addressed server.  You'll have to use application gateway
       level proxies for that.

SEE ALSO
       inetd(1).



                          20 March 2000               TCPPROXY(1)