Hi,

I need to log every FTP transfer done through a netfilter/iptables box and to
make this as transparent as possible from a client perspective.

I'm a little bit paranoid about what firewalls should be and I don't want
them to do anything else than firewalling (no other service running on the
box than sshd).

I thought of a couple of solutions:

1) Have the ip_conntrack_ftp log any connection and transfer attempt. No
proxying, but I would get the expected result. Is it implemented yet?

2) Use a transparent-capable FTP proxy server.
Thanks to HTTP/1.1 that includes the destination hostname in its header, I
could set up transparent HTTP proxying using squid on another box. But as I
understand, transparent FTP proxying (not over HTTP) only works with the IP
header and thus usually requires the proxy box to handle traffic. Which
comes in contradiction with what's written above (no service on
routing/firewalling boxes).

Then I thought of using policy routing to forward the ip packets directed to
tcp port 21 to the proxy box WITHOUT MODIFYING the DST IP address. Could be
funny and tricky, but I would need a way to do the same for the data
connections. Oh, of course, I could use a "-m state --state RELATED" rule to
mark or mangle or transmit the packets to user space so that policy routing
stuff can do it, but I've no idea how to do it. Any hint?

Thanks for any comments

Guillaume
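As an added example (not from the original post, and not a reply on the list): the rule set that option 1 amounts to on an ip_conntrack_ftp box, logging the first packet of each control connection and of each data connection the helper recognises, plus a small summariser for the kernel LOG lines those rules produce. The interface name, log prefixes and sample log lines are assumed or constructed here.

```shell
# Added example: option 1 from the post (log FTP control and data channels
# via ip_conntrack_ftp, no proxy). LAN_IF and the prefixes are assumptions.
LAN_IF="${LAN_IF:-eth1}"

# Emit the rules instead of applying them, so they can be reviewed first;
# "ftp_log_rules | sh" installs them on the firewall.
ftp_log_rules() {
    cat <<EOF
modprobe ip_conntrack_ftp
# First packet of each FTP control connection coming from the LAN.
iptables -A FORWARD -i $LAN_IF -p tcp --dport 21 -m state --state NEW -j LOG --log-prefix "FTP-CTRL: "
# First packet of each data connection. Only a helper creates RELATED TCP
# expectations, so this fires once per transfer (passive or active; no -i,
# because in active mode the server opens the data connection from outside).
# Any other loaded helper (e.g. ip_conntrack_irc) would also match here.
iptables -A FORWARD -p tcp -m state --state RELATED -j LOG --log-prefix "FTP-DATA: "
EOF
}

# Reduce LOG output on stdin to "prefix src:sport -> dst:dport" per line.
summarize_ftp_log() {
    awk '/FTP-(CTRL|DATA): / {
        tag = ""; src = ""; dst = ""; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^FTP-/)      tag = substr($i, 1, length($i) - 1)
            else if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        print tag " " src ":" spt " -> " dst ":" dpt
    }'
}

# Constructed sample of what the two LOG rules write to the kernel log
# (one control connection followed by one passive-mode data connection).
SAMPLE_LOG='Mar  3 10:01:02 fw kernel: FTP-CTRL: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=32771 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:05 fw kernel: FTP-DATA: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=32772 DPT=49152 WINDOW=5840 RES=0x00 SYN URGP=0'

# One summary line per logged connection, from the constructed sample.
ftp_transfers() { printf '%s\n' "$SAMPLE_LOG" | summarize_ftp_log; }
```

The RELATED rule logs only the data connection's SYN; later packets of that connection are ESTABLISHED, which is also why marking on RELATED alone is not enough to policy-route whole data flows to another box.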
