Linux as a Proxy Server

How do you keep unwanted visitors out of your network while still giving your users the Internet access they rely on? The answer is a firewall equipped with a proxy server.

The Socks5 Proxy Server

The Socks5 server is freely available from http://www.socks.nec.com/. There are several advantages to using the Socks5 server. Many TCP/IP applications have support for Socks5 proxies built in. There is an INTERNIC RFC for it (RFC1928). It proxies all services through one port, allowing you to block incoming packets on most other ports. Finally, it has support for the most commonly used services that your users will want: HTTP, FTP, TELNET, finger, archie, whois, ping and traceroute. Unix clients are included and compiled with the source distribution. A client application for Win 3.11, Win95 and WinNT is also available for download. If you have custom applications, you can use the Socks5 library to compile Socks5 support into your application.
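
The RFC 1928 exchange that a Socks5 client and server carry out over that single port (1080 by default), as an added Python example; it is not code from the article or from the NEC distribution. The function names and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

VER = 5
METHODS = {0x00: "no authentication", 0x01: "GSSAPI",
           0x02: "username/password", 0xFF: "no acceptable methods"}
REPLIES = {0x00: "succeeded", 0x01: "general SOCKS server failure",
           0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
           0x04: "host unreachable", 0x05: "connection refused",
           0x06: "TTL expired", 0x07: "command not supported",
           0x08: "address type not supported"}

def build_greeting(methods=(0x00, 0x02)):
    """Client -> server: VER, NMETHODS, METHODS."""
    return bytes([VER, len(methods), *methods])

def parse_method_selection(data):
    """Server -> client: VER, METHOD (the one method the server accepts)."""
    if len(data) != 2 or data[0] != VER:
        raise ValueError("not a SOCKS5 method-selection message")
    return METHODS.get(data[1], "private/unassigned method")

def build_connect(host, port):
    """Client -> server: VER, CMD=1 (CONNECT), RSV, ATYP, DST.ADDR, DST.PORT."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (0x01 if ip.version == 4 else 0x04), ip.packed
    except ValueError:  # not an IP literal: send a length-prefixed name (ATYP 3)
        name = host.encode("ascii")
        if not 0 < len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        atyp, addr = 0x03, bytes([len(name)]) + name
    return bytes([VER, 0x01, 0x00, atyp]) + addr + struct.pack("!H", port)

def parse_reply(data):
    """Server -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT."""
    if len(data) < 5 or data[0] != VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp, body = data[1], data[3], data[4:]
    if atyp == 0x03:                      # first byte is the name length
        size, body = body[0], body[1:]
    elif atyp in (0x01, 0x04):            # IPv4 or IPv6 address
        size = 4 if atyp == 0x01 else 16
    else:
        raise ValueError("unknown address type")
    if len(body) != size + 2:             # address plus 2-byte port, nothing else
        raise ValueError("truncated or oversized reply")
    raw = body[:size]
    addr = raw.decode("ascii") if atyp == 0x03 else str(ipaddress.ip_address(raw))
    return REPLIES.get(rep, "unassigned"), addr, struct.unpack("!H", body[size:])[0]

# Constructed server reply: success, bound to 192.0.2.10 port 1080.
SAMPLE_REPLY = b"\x05\x00\x00\x01" + bytes([192, 0, 2, 10]) + struct.pack("!H", 1080)
```

A reply code of 0x02 ("connection not allowed by ruleset") is what a client sees when the server's access rules refuse the request.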

Compiling

I was able to compile the source distribution for Socks5 correctly the first time. A configure script is used to set up all the necessary flags, parameters and Makefiles for your system. Afterward, it's as simple as executing make and then make install to put all the binaries and man pages into the /usr/local/ directory tree. The following are the steps required to build and install the Socks5 software:

tar -xvzf socks5-beta-0.17.2-exportable.tar.gz
cd socks5-beta-0.17.2-exportable
./configure
make
su
make install

Configuration

The server can be started via inetd or run as a daemon. Running as a daemon has the advantage of increased performance to the user. Running via inetd leaves the firewall less burdened when not in use. If your site is like mine, there is never a time when the Internet is not being accessed. I configured the Socks5 server to run as a daemon and added the command to start the server to my /etc/rc.d/rc.local file.

Configuration of the firewall is done in two steps. First, there is a configuration file on the server that must be set up specifically for your site. The default file is /etc/socks5.conf (see Listing 2). The man page gives information on the appropriate syntax, and there are also example configurations at http://www.socks.nec.com/v5examples.html. Second, there are configurations that must be done on each of your client workstations. On Unix clients, this is the /etc/libsocks5.conf file (see Listing 3).

Listing 2

Listing 3

On your Win-based machines, several different things need to be done. If all of your users limit their Internet usage to the Web, you can keep your configuration limited to the options available in both Netscape Navigator and Microsoft Internet Explorer. For Netscape Navigator, the appropriate settings are located in “Options”->“Network Settings”->“Proxies”. Select “Manual configuration” and then enter the Socks5 server IP address with port 1080 (note: this is the default port, and can be configured differently at compile time). For Netscape Navigator 4.0, the settings are found under “Edit”->“Preferences”->“Advanced”->“Proxies”. The remainder of the configuration is the same as above. For MS Internet Explorer, select “View”->“Options”->“Connection”. Select “Connect through a proxy server”. Enter the IP address of your Socks5 server as well as the port 1080.

If your users' demands go beyond simple Web access, the download site for the Socks5 software also contains two versions of SocksCap, the Windows redirector: SocksCap16 and SocksCap32. The SocksCap16 software is used for Windows 3.11 clients while SocksCap32 is used on both Win95 and WinNT. The SocksCap16 application only needs to be running at the same time as the Winsock application in order to proxy the application. The SocksCap32 application, however, must be started first, and the Winsock application launched from within SocksCap32. Alternatively, you can create a shortcut on the desktop or the “Start” menu that calls the Winsock application profile from the command line:

"C:\Program Files\SocksCap\sc32.exe" ws_ftp

Both versions of SocksCap require you to enter the appropriate IP address and port to your server when you start the application for the first time.

The TIS Firewall Toolkit

The Trusted Information Systems Firewall Toolkit (TIS fwtk) is another widely-used, freely-available, proxy-server solution. The TIS firewall toolkit provides very specific proxies for each service, giving you the ability to set up just an HTTP proxy server, for example, if you wish to limit your users to just that service. When the package builds, the proxies that are built include an HTTP (http-gw), FTP (ftp-gw), TELNET (tn-gw), rlogin (rlogin-gw), X (x-gw) and generic proxy (plug-gw). Also included is a secure replacement for sendmail (smap) as well as an authentication module (authsrv). The generic proxy gives you the ability to configure proxies for specific machines and ports. Possible uses for this proxy could be proxying Usenet news as well as accessing e-mail through the POP3 protocol. (Socks5 does not include support for either News or POP3.)

______________________

Comments

i configure squid proxy

Anonymous's picture

I configured a squid proxy server. It works properly, but my client is not able to download video files larger than 20 MB. Please help me and give me a solution.

about proxy through squid

reena ahuja's picture

I configured a Linux proxy server through squid, but I installed Windows XP on my client PC.
And one error comes up: access denied. I configured the proper ACL in squid.conf, so please solve my problem as early as possible.

linux as web server

Anonymous's picture

We want to set up a Linux web server with Windows clients. Kindly advise us.
If the modem IP assigned is 192.168.6.100,
then will it work this way:
eth0 – which is connected to modem (the external card) – 192.168.6.1
Default gateway – 192.168.6.100
eth1 – which is connected to network (motherboard card) – 192.168.7.1
eth1:1 – which is virtual LAN – 192.168.6.2
Default gateway – 192.168.6.1 for eth1 & eth1:1

& the Windows XP IP will be 192.168.6.x
with default gateway as 192.168.6.1
& in Internet Explorer Tools -> Internet Options -> Connections -> 192.168.6.1 with port 3128

proxy

Anonymous's picture

It became useful first to distinguish among different kinds of IP vpn based on the administrative relationships, not the technology, interconnecting the nodes. Once the relationships were defined, different technologies could be used, depending on requirements such as security and quality of service.

Re: Linux as a Proxy Server

Anonymous's picture

The solution was good, but I am using squid as my proxy server so I couldn't benefit. If you can send me some ideas about squid I would be really thankful.

mail venkat02k2@yahoo.com

Squid with Firewall

Rayudu's picture

Please use Shorewall as your firewall. This is basically an iptables wrapper software making the deadly iptables easier. You can drop all the IP nos. you don't want. They will not reach your server, more so your squid.

With best Wishes,

Rayudu, Machilipatnam, India.
