SOCKS5 problems

Vaughn Treude plug-discuss@lists.PLUG.phoenix.az.us
Fri, 13 Jul 2001 09:28:07 -0700


Kevin:
    Thanks for the suggestion.  I'll check out the HOWTO you mentioned.
I'm assuming that in your new situation, any filtering would have to be done
on each box, is that correct?   So I'm thinking I still might want to do it
with my firewall, and localize the filtering there.  (Besides, my hub's
full!)
    I am certainly not set on the idea of using SOCKS.  I just got the
erroneous impression that this was the best way to do it.  I was checking
the SOCKS FAQ again on the NEC site, and this time I found my error.  It
said that the error was caused because some client was attempting to use
SOCKS as an HTTP server.  If that's not possible, SOCKS seems to be pretty
obsolete.  On the other hand, if the error was caused because the traffic
was not routed correctly through the SOCKS client program, the FAQ should
indicate that.   Whoever wrote it is assuming that the reader has a fair bit
of knowledge already (so why would such an expert be reading the FAQ?)    I
had sent a brief rant on this subject, which got held up for moderator
approval (because I subscribed under my company alias, so the software
thinks I'm not a list member.)  If the aforementioned rant does get posted,
keep in mind that I appreciate your help; I was just frustrated because I'd
wasted so much time on SOCKS.  This is not the first time I was led astray
by incomplete information and my lack of context.   For example, is
Application X intended for the casual user, serious hacker, or professional
web site provider?  And the website postings may be old enough that a new
and better method has completely superseded the old one.   Maybe what we
need is a Linux glossary, to translate some of these terms into English for
the Linux neophyte.  How-to references are very valuable, but how do you
know which how-to you want to achieve a particular goal?
    I've also been told that there's also an "IP Masquerading" how-to that
may be helpful.  Just in case anybody else reading this has a similar
problem.

Thanks,
Vaughn Treude


----- Original Message -----
From: "Kevin Brown" <kevin_brown@qwest.net>
To: <plug-discuss@lists.PLUG.phoenix.az.us>
Sent: Wednesday, July 11, 2001 11:28 PM
Subject: Re: SOCKS5 problems


> When my DSL got switched to PPP mode I no longer needed the linux box to act as
> the Gateway/Firewall.  The external Cisco 675 DSL Router is plugged straight
> into the hub and provides DHCP/NAT services for all the boxen behind it (windows
> and linux).  IPChains could be used to pass packets from my internal net to the
> external net when the Router was in Bridging mode.  The only thing my windows
> and other linux machines needed to know was to use the IP of the internal
> interface as the gateway and the DNS IPs to lookup hostnames.  No proxy client
> was needed to be set up on any of the machines.  IPChains is used to block stuff
> you don't want and to accept/forward stuff you do want.
>
> #!/bin/bash
> # Very Basic ipchains rule for doing Masquerading.
> # First set the default policy for the forward chain to DENY so your machine
> # can't be used to gain access to your internal net
> /sbin/ipchains -P forward DENY
> # Now create the forward chain that will be accepted by IPChains
> # The ! after the -d says anything NOT destined for my internal network
> # should be forwarded to the Internet
> /sbin/ipchains -A forward -i eth0 -d ! 10.0.0.0/24 -s 10.0.0.0/24 -j MASQ
> # Set the kernel to allow Masquerading/Forwarding of packets
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> The above assumes that eth1 is the interface that is connected to your internal
> LAN (other personal machines) and eth0 is the interface connected to the outside
> world.
>
> Check out the following How-To for IPChains (2.2.x kernel):
> http://netfilter.filewatcher.org/ipchains/HOWTO.html
>
> And try here for info on IPTables (2.4.x Kernels):
> http://netfilter.samba.org/unreliable-guides/
>
> Hope this information helps, I wasn't shooting down your idea of using SOCKS,
> just asking if you had looked into IPChains/IPTables to see if they could've
> done what you wanted.
>
> All the information I've provided may still only be usable with a recompile of
> the kernel.  Hopefully the IPChains how-to will have the information needed to
> check if the kernel is setup to do masquerading.  By default RedHat's is
> (hopefully mandrake and debian also enable it by default).
>
> "Welcome to the wonderful world of linux.  If you can find one way to do it, I
> can show you three more that are neither better nor worse, just different."
> Not true of me, but a nice saying...
>
> >     Once again the mysterious and somewhat misleading nomenclature of Linux modules may have misled me.  I was under the impression that
> > IPChains existed mainly to filter out the "bad stuff" that hackers may send my way.  I didn't think of using it to move packets to my other
> > boxes.  I guess it makes sense that I can use IPChains to connect to my other Linux box, but what about a Windows box?  I know they have SOCKS
> > clients for Windows, and I also read that Netscape was SOCKS-enabled.  Also, in my "Linux Firewalls" book (by Ziegler) the only entry they had in
> > the index under "Proxy" was SOCKS. That's why I assumed that SOCKS was the way to do it.
> >     Do you mean to say that IPChains no longer worked as a proxy after your DSL service changed to PPPoE?  That's what I've got, I'm afraid.
> >     Guess I need to read the chapter on IP Chains in my firewall book.  Still, I'm pretty frustrated because it seems like this SOCKS stuff
> > ALMOST works.   Is there anyone out there that's using it successfully?
>
> > > I'm not an expert on Socks, but wouldn't it be easier to implement IPchains
> > > (2.2.x kernels) or whatever the equivalent is in the 2.4.x kernels (can't recall
> > > the package for 2.4).  I'm assuming you are trying to route multiple boxes
> > > through a single DSL or dial up connection connected to a linux machine.  This
> > > is what I had done here till Qwest (then USWest) switched the DSL router from
> > > bridging to PPP mode and I moved my linux box to just play around with (DEC
> > > Alpha Multia).
> > >
> > > > Last week I sent a message detailing my problems getting the SOCKS5 proxy working on my LAN.   I encounter this funny problem regardless
> > > > of whether I'm trying to connect to the firewall from SocksCap on my Windows machine or Netscape on my other Linux box.  The message says
> > > > that the proxy has received
> > > > a request with an "Incompatible Version Number 71."
> > > >
> > > > Now I've done a bit more homework since then.  I checked the SOCKS5 source and discovered that the
> > > > client was supposed to be sending its SOCKS version (either 4 or 5) to the host.  It seems unlikely that
> > > > BOTH Netscape and SocksCap would be perpetrating this identical error.  So my guess would be that I
> > > > somehow built Socks5 incorrectly.
> > > >
> > > > I reran the build, this time with the "with-threads" option (which I should've done the first time) and the install.   I then ran the
> > > > Socks5 daemon in debug mode.  The log file no longer included an entry about having not been compiled with the threads option, but
> > > > otherwise the problems were the same.  I still had the clients
> > > > telling SOCKS5 that they were "socks 71" clients.
> > > >
> > > > I was wondering if there were any SOCKS gurus out there who could help me figure out what I might have done wrong.  I'm running Mandrake
> > > > 7.0 on the firewall (and the client box.)  I've reviewed the README and INSTALL files and don't see anything about telling the "configure"
> > > > script that I'm using Linux.   The script appears to be smart enough to look at all the library, compiler, and linker parameters of the
> > > > system in question, but that seems like that'd be a pretty difficult thing to get right universally.  I wonder if there's some kind of
> > > > "endianness" or other setting I've neglected.  (I did check the "config.log" file, it complains about not being able to find a certain
> > > > thread library, but if that's the case, why does the thing compile and run?)
> > > >
> > > > I've included the previous message for reference.  Thanks in advance for any help.
> > > >
> > > > Vaughn Treude
> > > >
> > > > > Hello everyone:
> > > > >     I'm trying to get SOCKS5 working on my firewall machine so the other machines on my LAN can access the internet.  I've downloaded,
> > > > > compiled, and installed SOCKS5 from the NEC website; it appears to start OK.  I also downloaded SOCKSCAP from NEC and put it on one of
> > > > > my Windows machines.  I added Explorer to the list of SocksCap clients and attempted to start it.   But no matter how closely I follow
> > > > > the instructions, the authentication fails and kicks me out!   I ran socks5 in debug mode, and here's some of the output:  As you can
> > > > > see, it seems to be working OK until it gets that mysterious error "Incompatible Version Number 71."
> > > > > Any ideas on what I might be doing wrong?
>
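
Added example, not part of the original thread: a small classifier for the first bytes a client sends to a SOCKS listener, showing why a daemon would report "version 71" when it receives an HTTP request (71 is the ASCII code for `G`, the first byte of `GET`). The function name, labels and sample byte strings are constructed for illustration; the field layouts are those of SOCKS4 and of the SOCKS5 greeting in RFC 1928.

```python
# Added example: classify a client's opening bytes on a SOCKS port.
# All sample byte strings are constructed, not captured from the thread.

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT", b"OPTIONS"}
SOCKS5_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "user/pass"}


def classify(data: bytes):
    """Return (kind, version_byte, detail) for a client's opening bytes."""
    if not data:
        return ("empty", None, "client sent nothing")
    ver = data[0]
    if ver == 5:
        # SOCKS5 greeting: VER, NMETHODS, then NMETHODS method bytes.
        if len(data) < 2 or data[1] == 0 or len(data) < 2 + data[1]:
            return ("malformed", ver, "truncated SOCKS5 greeting")
        offered = [SOCKS5_METHODS.get(m, hex(m)) for m in data[2:2 + data[1]]]
        return ("socks5", ver, "methods offered: " + ", ".join(offered))
    if ver == 4:
        # SOCKS4 request: VN, CD, DSTPORT (2), DSTIP (4), USERID, NUL.
        if len(data) < 9 or data[1] not in (1, 2) or b"\x00" not in data[8:]:
            return ("malformed", ver, "truncated SOCKS4 request")
        port = int.from_bytes(data[2:4], "big")
        ip = ".".join(str(b) for b in data[4:8])
        cmd = "CONNECT" if data[1] == 1 else "BIND"
        return ("socks4", ver, f"{cmd} {ip}:{port}")
    # Any other first byte is what a SOCKS daemon sees as a bad version.
    token = data.split(b" ", 1)[0]
    if token in HTTP_METHODS:
        return ("http", ver, f"byte {ver} is ASCII {chr(ver)!r}, the start "
                             f"of an HTTP {token.decode()} request")
    return ("unknown", ver, f"unrecognised version byte {ver}")


SAMPLES = {
    "socks5 greeting": b"\x05\x02\x00\x02",
    "socks4 connect": b"\x04\x01\x00\x50\xc0\x00\x02\x01\x00",
    "http to socks port": b"GET http://www.example.com/ HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20} -> {classify(raw)}")
```
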