SOCKS5 problems

[Kevin Brown]

When my DSL got switched to PPP mode I no longer needed the linux box to act as
the Gateway/Firewall.  The external Cisco 675 DSL Router is plugged straight
into the hub and provides DHCP/NAT services for all the boxen behind it (windows
and linux).  IPChains could be used to pass packets from my internal net to the
external net when the Router was in Bridging mode.  The only thing my windows
and other linux machines needed to know was to use the IP of the internal
interface as the gateway and the DNS IPs to lookup hostnames.  No proxy client
was needed to be set up on any of the machines.  IPChains is used to block stuff
you don't want and to accept/forward stuff you do want.

#!/bin/bash
# Very Basic ipchains rule for doing Masquerading.
# First set the default policy for the forward chain to DENY so your machine 
# can't be used to gain access to your internal net
/sbin/ipchains -P forward DENY
# Now create the forward chain that will be accepted by IPChains
# The ! after the -d says anything NOT destined for my internal network
# should be forwarded to the Internet
/sbin/ipchains -A forward -i eth0 -d !10.0.0.0/24 -s 10.0.0.0/24 -j MASQ
# Set the kernel to allow Masquerading/Forwarding of packets
echo 1 > /proc/sys/net/ipv4/ip_forward

The above assumes that eth1 is the interface that is connected to your internal
LAN (other personal machines) and eth0 is the interface connected to the outside
world.

Check out the following How-To for IPChains (2.2.x kernel):
http://netfilter.filewatcher.org/ipchains/HOWTO.html

And try here for info on IPTables (2.4.x Kernels):
http://netfilter.samba.org/unreliable-guides/

Hope this information helps, I wasn't shooting down your idea of using SOCKS,
just asking if you had looked into IPChains/IPTables to see if they could've
done what you wanted.

All the information I've provided may still only be usable with a recompile of
the kernel.  Hopefully the IPChains how-to will have the information needed to
check if the kernel is setup to do masquerading.  By default RedHat's is
(hopefully mandrake and debian also enable it by default).

"Welcome to the wonderful world of linux.  If you can find one way to do it, I
can show you three more that are neither better nor worse, just different."
	Not true of me, but a nice saying...

>     Once again the mysterious and somewhat misleading nomenclature of Linux modules may have mislead me.  I was under the impression that
> IPChains existed mainly to filter out the "bad stuff" that hackers may send my way.  I didn't think of using it to move packets to my other
> boxes.  I guess it makes sense that I can use IPChains to connect to my other Linux box, but what about a Windows box?  I know they have SOCKS
> clients for Windows, and I also read that Netscape was SOCKS-enabled.  Also, in my "Linux Firewalls" book (by Ziegler) the only entry they in
> the index under "Proxy" was SOCKS. That's why I assumed that SOCKS was the way to do it.
>     Do you mean to say that IPChains no longer worked as a proxy after your DSL service changed to PPPoE?  That's what I've got, I'm afraid.
>     Guess I need to read the chapter on IP Chains in my firewall book.  Still, I'm pretty frustrated because it seems like this SOCKS stuff
> ALMOST works.   Is there anyone out there that's using it successfully?

> > I'm not an expert on Socks, but wouldn't it be easier to implement IPchains
> > (2.2.x kernels) or whatever the equivalent is in the 2.4.x kernels (can't recall
> > the package for 2.4).  I'm assuming you are trying to route multiple boxes
> > through a single DSL or dial up connection connected to a linux machine.  This
> > is what I had done here till Qwest (then USWest) switched the DSL router from
> > bridging to PPP mode and I moved my linux box to just play around with (DEC
> > Alpha Multia).
> >
> > > Last week I sent a message detailing my problems getting the SOCKS5 proxy working on my LAN.   I encounter this funny problem regardless
> > > of whether I'm trying to connect to the firewall from SocksCap on my Windows machine or Netscape on my other Linux box.  The message says
> > > that the proxy has received
> > > a request with an "Incompatible Version Number 71."
> > >
> > > Now I've done a bit more homework since then.  I checked the SOCKS5 source and discovered that the
> > > client was supposed to be sending its SOCKS version (either 4 or 5) to the host.  It seems unlikely that
> > > BOTH Netscape and SocksCap would be perpetrating this identical error.  So my guess would be that I
> > > somehow built Socks5 incorrectly.
> > >
> > > I reran the build, this time with the "with-threads" option (which I should've done the first time) and the install.   I then ran the
> > > Socks5 daemon in debug mode.  The log file no longer included an entry about having not been compiled with the threads option, but
> > > otherwise the problems were the same.  I still had the clients
> > > telling SOCKS5 that they were "socks 71" clients.
> > >
> > > I was wondering if there were any SOCKS gurus out there who could help me figure out what I might have done wrong.  I'm running Mandrake
> > > 7.0 on the firewall (and the client box.)  I've reviewed the README and INSTALL files and don't see anything about telling the "configure"
> > > script that I'm using Linux.   The script appears to be smart enough to look at all the library, compiler, and linker parameters of the
> > > system in question, but that seems like that'd be a pretty difficult thing to get right universally.  I wonder if there's some kind of
> > > "endianness" or other setting I've neglected.  (I did check the "config.log" file, it complains about not being able to find a certain
> > > thread library, but if that's the case, why does the thing compile and run?)
> > >
> > > I've included the previous message for reference.  Thanks in advance for any help.
> > >
> > > Vaughn Treude
> > >
> > > > Hello everyone:
> > > >     I'm trying to get SOCKS5 working on my firewall machine so the other machines on my LAN can access the internet.  I've downloaded,
> > > > compiled, and installed SOCKS5 from the NEC website; it appears to start OK.  I also downloaded SOCKSCAP from NEC and put it on one of
> > > > my Windows machines.  I added Explorer to the list of SocksCap clients and attempted to start it.   But no matter how closely I follow
> > > > the instructions, the authentification fails and kicks me out!   I ran socks5 in debug mode, and here's some of the output:  As you can
> > > > see, it seems to be working OK until it gets that mysterious error "Incompatible Version Number 71."
> > > > Any ideas on what I might be doing wrong?