tcpproxy

tcpproxy project is a proxy (or tunnel or redirector) for TCP/IP protocols. In standalone mode it waits for incoming connections forwarding them to another machine or starting a local server program.

Several programs with this function or something similiar are around. However, tcpproxy's design goal was to let it operate on some kind of firewall.

Here are some key features of "tcpproxy":

· Extensive logging to syslog,
· Interface based configuration,
· can bind to a particular interface on a multi-homed host,
· set's environment variables before calling a local server program,
· support for external access control programs,
· can be started from inetd or run in standalone mode.

tcpproxy was created with a transparent TCP proxy in mind. When it's used to start local server programs (e.g. an FTP server) it can however also work as "port multiplexer" since it requires different configurations for different interfaces (there are no defaults).

Interface based configuration

tcpproxy's services are always bound to a certain interface. Suppose you have a multi-homed host (e.g. a firewall) with the IP numbers 192.168.0.1 (part of your LAN) and 10.11.12.13 (connected to the Internet). The configuration
port 119

interface 192.168.0.1
server news.provider.com

forwards then any connection made to your local interface on the NNTP port to the machine news.provider.com. The provider's news server appears now to run on your firewall. Furthermore, if you for each port only a single interface where you want to have tcpproxy's service, tcpproxy will not even bind to the others. For the example above this means that someone trying to connect to your external interface would only see a closed port.

Now suppose you want to use a second NNTP server from your LAN. You would first configure a second IP number on your internal interface, e.g. 192.168.0.2 and then reconfigure tcpproxy:

port 119
interface 192.168.0.1
server news.provider.com
interface 192.168.0.2
server news.freshmeat.com

Depending on the incoming interface of a client request the connection is forwarded to one of the servers.

In this case the firewall's external interface is opened on port 119 and a port scan would show that there's some kind of service. If however someone connects to the outer interface the connection is immediatly dropped, simply because tcpproxy isn't configured to handle request on the interface 10.11.12.13 and tcpproxy doesn't accept service defaults.

If you like you can extend this configuration to

port 119
interface 192.168.0.1
server news.provider.com
interface 192.168.0.2
server news.freshmeat.com
interface 10.11.12.13
exec /bin/date

for the scanner's amusement. But you might also want to write a message to your system's syslog.

Access control

tcpproxy implements access control by calling external, user provided, script, the so called "access control programs" (or in short: acp's). I implemented them because I wanted to be able to deny service usage based on anything I like, not just on the client's IP number or it's name.