Linux as a Proxy Server
The Socks5 server is freely available from http://www.socks.nec.com/. There are several advantages to using the Socks5 server. Many TCP/IP applications have support for Socks5 proxies built in. There is an INTERNIC RFC for it (RFC1928). It proxies all services through one port, allowing you to block incoming packets on most other ports. Finally, it has support for the most commonly used services that your users will want: HTTP, FTP, TELNET, finger, archie, whois, ping and traceroute. Unix clients are included and compiled with the source distribution. A client application for Win 3.11, Win95 and WinNT is also available for download. If you have custom applications, you can use the Socks5 library to compile Socks5 support into your application.
I was able to compile the source distribution for Socks5 correctly the first time. A configure script is used to set up all the necessary flags, parameters and Makefiles for your system. Afterward, it's as simple as executing make and then make install to put all the binaries and man pages into the /usr/local/ directory tree. The following are the steps required to build and install the Socks5 software:
tar -xvzf socks5-beta-0.17.2-exportable.tar.gz cd socks5-beta-0.17.2-exportable ./configure make su make install
The server can be started via inetd or run as a daemon. Running as a daemon has the advantage of increased performance to the user. Running via inetd leaves the firewall less burdened when not in use. If your site is like mine, there is never a time when the Internet is not being accessed. I configured the Socks5 server to run as a daemon and added the command to start the server to my /etc/rc.d/rc.local file.
Configuration of the firewall is done in two steps. First, there is a configuration file on the server that must be set up specifically for your site. The default file is /etc/socks5.conf (see Listing 2). The man page gives information on the appropriate syntax, and there are also example configurations at http://www.socks.nec.com/v5examples.html. Second, there are configurations that must be done on each of your client workstations. On Unix clients, this is the /etc/libsocks5.conf file (see Listing 3).
On your Win-based machines, several different things need to be done. If all of your users limit their Internet usage to the Web, you can keep your configuration limited to the options available in both Netscape Navigator and Microsoft Internet Explorer. For Netscape Navigator, the appropriate settings are located in “Options”-> “Network Settings”->“Proxies”. Select “Manual configuration” and then enter the Socks5 server IP address with port 1080 (note: this is the default port, and can be configured differently at compile time). For Netscape Navigator 4.0, the settings are found under “Edit”->“Preferences”->“Advanced”-> “Proxies”. The remainder of the configuration is the same as above. For MS Internet Explorer, select “View”->“Options”->“Connection”. Select “Connect through a proxy server”. Enter the IP address of your Socks5 server as well as the port 1080.
If your user's demands go beyond simple Web access, the download site for the Socks5 software also contains two versions of SocksCap, the Windows redirector: SocksCap16 and SocksCap32. The SocksCap16 software is used for Windows 3.11 clients while SocksCap32 is used on both Win95 and WinNT. The SocksCap16 application only needs to be running at the same time as the Winsock application in order to proxy the application. The SocksCap32 application, however, must be started first, and the Winsock application launched from within SocksCap32. Alternately, you can create a shortcut to the desktop or the “Start” menu that calls the Winsock application profile from the command line:
C:\Program Files\SocksCap\sc32.exe ws_ftp
Both versions of SocksCap require you to enter the appropriate IP address and port to your server when you start the application for the first time.
The Trusted Information Systems Firewall Toolkit (TIS fwtk) is another widely-used, freely-available, proxy-server solution. The TIS firewall toolkit provides very specific proxies for each service, giving you the ability to set up just an HTTP proxy server, for example, if you wish to limit your users to just that service. When the package builds, the proxies that are built include an HTTP (http-gw), FTP (ftp-gw), TELNET (tn-gw), rlogin (rlogin-gw), X (x-gw) and generic proxy (plug-gw). Also included is a secure replacement for sendmail (smap) as well as an authentication module (authsrv). The generic proxy gives you the ability to configure proxies for specific machines and ports. Possible uses for this proxy could be proxying Usenet news as well as accessing e-mail through the POP3 protocol. (Socks5 does not include support for either News or POP3.)
- One Port to Rule Them All!
- Privacy Is Personal
- PHP for Non-Developers
- Secure Server Deployments in Hostile Territory
- Linux Kernel 4.1 Released
- Django Templates
- July 2015 Issue of Linux Journal: Mobile
- A Code Boot Camp for Underprivileged Kids
- Practical Books for the Most Technical People on the Planet
- diff -u: What's New in Kernel Development