tcp proxy

Source: Internet  Published: network information security book recommendations  Editor: 程序博客网  Time: 2024/06/05 05:48
http://www.quietsche-entchen.de/cgi-bin/wiki.cgi/manpages/tcpproxy.1
TCPPROXY(1)                                           TCPPROXY(1)

NAME
       tcpproxy - generic TCP proxy server

SYNOPSIS
       tcpproxy [options] [server]

DESCRIPTION
       tcpproxy is a generic TCP proxy server.  It connects a client and a
       server and forwards any data from the client to the server and vice
       versa.  tcpproxy doesn't care about the data being transported.

       If server begins with a `/' or `.' it's taken as a pathname to a
       program that acts as a request handler for incoming connections.
       Otherwise server is interpreted as host[:port] and the client
       request is forwarded to the given host and port.  If in this case
       port is omitted tcpproxy uses its own server port as destination
       port on host.

       If tcpproxy has to start a local program it sets the environment
       variables PROXY_PORT, PROXY_INTERFACE, PROXY_CLIENT and
       PROXY_CLIENTNAME with the data of the current connection.  The
       `PROXY_' prefix can be changed with the command line option -v or
       the setenv configuration directive.

       tcpproxy can either be started from inetd(1) or act as a standalone
       server listening on several ports.  If the server argument is
       missing tcpproxy reads its configuration file /etc/tcpproxy.conf
       and either forwards the current connection or binds to the
       specified ports waiting for client requests.

CONFIGURATION FILE
       The following directives define the global configuration.

       standalone [yes|no]
              if set to `yes' the server binds to the defined ports
              waiting for requests.  This is the default if a
              configuration file is used.

       The uid and gid settings are only used if the user starting
       tcpproxy is root, otherwise they are ignored.  If however the
       calling user is root and no settings are found tcpproxy uses its
       internal default of -1 and -2 for the user and group id.  tcpproxy
       will not run as root.

       The following directives control the available services and how
       they are served.

       port port-number
              defines a new port where tcpproxy should accept client
              requests.

       interface ip-number
              defines an interface on which connections on the service
              port from the last port directive are handled.

       rotate ip-start ip-end
              defines a range of IP numbers that is used for the
              connection to the server.

       server server[:port]
              defines the server and port where tcpproxy will forward an
              incoming connection to.  If port is omitted the listening
              tcpproxy port is used.

       uid numeric-uid
              defines the numeric user id to which tcpproxy changes after
              accepting a request.

       gid numeric-gid
              same as uid but for the group id.

       user username
              instead of giving numeric ids for user and group for a
              particular user, its name can be set directly.

       exec command
              defines a local command which is executed to handle a
              request.

       acp program
              sets the access control program that is used to grant or
              deny incoming connections.

       logname name
              sets a different syslog name.

       setenv varprefix
              defines the variable prefix.

       timeout timeout
              defines a different timeout in seconds than the default of
              60.

       writefile filename
              defines the basename for files where the server/client
              communication is written.  debug is a synonym for writefile
              but also turns tcpproxy's debug option `-dfR' on.

       For a service configuration either server or exec must be
       specified.  The timeout value is only used in conjunction with a
       server configuration and varprefix only if requests are handled by
       a local program.  timeout, setenv and acp define configuration
       defaults if they appear before the first port directive.

USER IDS
       In version 1.1.5 the way user and group ids are handled changed.
       From version 1.1.5 these ids are changed after accepting a request
       and not after binding to all ports before accepting anything.  This
       is however only done if tcpproxy's user id is 0, otherwise tcpproxy
       keeps its current ids.  The ids which are used for a service
       request are written to syslog.  The default values for uid/gid are
       65535/65534 which is equal to -1/-2.

ACCESS CONTROL
       If for a port configuration an access control program is set, this
       program is executed before forwarding the request.  The acp can
       then decide if it grants (exit status 0) or denies (exit status not
       0) the access.  The acp can additionally print a diagnostic message
       to the requesting client through its standard output and to
       tcpproxy through its standard error.

       The PROXY_ variables are set for the current connection when the
       acp is called.

OPTIONS
       The following options are available:

       -a program
              sets program as access control program.

       -b [interface:]port
              tells tcpproxy that it should bind to port on the given
              interface.  If interface is omitted tcpproxy will bind to
              all available interfaces.  -b implies -s.

       -f config
              sets a different configuration file than /etc/tcpproxy.conf.

       -l logname
              sets the name under which tcpproxy writes to syslog.

       -p     creates the pidfile /var/run/tcpproxy.pid.  This default
              name can be changed by giving the -p option twice followed
              by the name of the pidfile.

       -s     sets standalone (bind to ports and listen) mode.

       -t timeout
              defines a different timeout in seconds than the default of
              60 seconds for each connection.

       -v varprefix
              specifies a different variable prefix than `PROXY_' for the
              request handler variables.

       -w writefile
              specifies that the client/server communication is written to
              the file writefile.pid.log.

       -y     clears the whole environment before starting the request
              handler.

       -z     lists the configured server ports and exits.  This is useful
              if you want to shut down the tcpproxy services with either
              fuser(1) or netuser(1).  Giving -z twice lists the basic
              configuration data.

       If the -b option is found on the command line the server argument
       is expected.

EXAMPLES
       The following examples assume that tcpproxy is installed on a
       machine with two network interface cards.  One is the external
       interface with the IP number 192.44.100.7 and the other is the
       internal one with IP numbers 192.168.1.1 and 192.168.1.2 (virtual
       interfaces).

             #
             # /etc/tcpproxy.conf - sample configuration
             #

             #
             # Define SMTP proxies ...
             #
             port 25
               # ... for outgoing ...
               #
               interface 192.168.1.1
                 server mailrelay.provider.com
               # ... and incoming email.
               #
               interface 192.44.100.7
                 server mail.domain.com

             #
             # There are also NNTP servers on the outside
             #
             port 119
                interface 192.168.1.1
                  server nntp.provider.com
                interface 192.168.2.1
                  server nntp.other-provider.com

             #
             # Users from the outside can access our internal
             # POP3 server ...
             #
             port 110
               interface 192.44.100.7
               #  ... but only through a real application gateway.
               #
               exec /usr/local/sbin/pop3.proxy mail.domain.com

       With this configuration file tcpproxy might be started with

            tcpproxy -s

       to make tcpproxy bind itself to all the listed interfaces.

       Another way of serving requests is to configure the ports in
       /etc/inetd.conf and start tcpproxy without the -s option from
       there.  The proxy will then inspect its configuration file to see
       how the connection made by inetd should be handled.

       tcpproxy -b 192.44.100.7:79 /bin/date opens a date server on the
       external interface.  This service won't be available on the
       interfaces numbered 192.168.1.1 and .2, but the service is still
       accessible from the internal network:

             user@192.168.1.10/~ > telnet 192.44.100.7 79
             <current date goes here>

       If in inetd mode you want to provide a service only on one network
       card you'll have to implement further access control with packet
       filters.

NOTES
       tcpproxy doesn't forward the FTP protocol; use ftp.proxy for this.
       It doesn't work with UDP protocols either: TCP is connection
       oriented and UDP is not, which is an important difference.  And
       furthermore tcpproxy doesn't protect you against network attacks
       like buffer overflows against the addressed server.  You'll have to
       use application gateway level proxies for that.

SEE ALSO
       inetd(1).

                          20 March 2000               TCPPROXY(1)
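An added example (not part of tcpproxy or this man page) illustrating the ACCESS CONTROL contract and the PROXY_ environment described in DESCRIPTION: a POSIX sh access control program that grants or denies by exit status and writes its diagnostics to stdout (the client) and stderr (tcpproxy). The allow-list values are constructed, and it assumes PROXY_PORT carries the service port and PROXY_CLIENT the client's IPv4 address in dotted-quad form.

```shell
#!/bin/sh
# acp-allowlist.sh: sample access control program (acp) for tcpproxy.
# Added example, not part of tcpproxy.  tcpproxy runs the acp before
# forwarding a request with the PROXY_ variables in the environment;
# exit 0 grants, non-zero denies; stdout reaches the requesting client,
# stderr reaches tcpproxy.  Assumed: PROXY_PORT is the service port and
# PROXY_CLIENT the client's IPv4 address in dotted-quad form.

# Constructed allow-list: "port entry" pairs.  An entry is a full address
# (matched exactly) or a prefix ending in "." (192.168.1. does not match
# 192.168.10.x, which the bare prefix 192.168.1 would).
ACP_ALLOW="25 192.168.1.
119 192.168.1.
110 192.44.100.7"

# acp_allowed PORT CLIENT: 0 if CLIENT is allowed to reach PORT, else 1
acp_allowed() {
    # deny anything that is not a dotted quad (empty, stray characters, ...)
    case $2 in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    while read -r aport aprefix; do
        [ "$aport" = "$1" ] || continue
        case $aprefix in                   # quoted patterns match literally
            *.) case $2 in "$aprefix"*) return 0 ;; esac ;;
            *)  case $2 in "$aprefix")  return 0 ;; esac ;;
        esac
    done <<EOF
$ACP_ALLOW
EOF
    return 1
}

# acp_decide PORT CLIENT: report the decision, return the acp exit status
acp_decide() {
    if acp_allowed "$1" "$2"; then
        echo "acp: granted $2 -> port $1" >&2       # to tcpproxy
        return 0
    fi
    echo "Access denied."                           # to the client
    echo "acp: denied '$2' -> port $1" >&2          # to tcpproxy
    return 1
}

# tcpproxy always sets PROXY_PORT; without it only the functions are defined.
if [ -n "${PROXY_PORT:-}" ]; then
    acp_decide "$PROXY_PORT" "${PROXY_CLIENT:-}"
    exit $?
fi
```

Wire it in with `acp /path/to/acp-allowlist.sh` before the first port directive (or `-a`), and the granted/denied lines show up on tcpproxy's stderr next to its syslog entries.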