no filtering is done by any box save the Cisco 675 connecting me to the net.
With it acting as a DHCP server/NAT router my windows and unix boxen get a
10.0.0.x address, are given the DNS servers and only try to talk to 10.0.0.1
(the DSL router) to get out on the net. Everything behaves passively. I turn
on my machine and as long as the router has power will serve me up an IP and off
I go on the net. As far as machines on the Net are concerned all my boxes
(about 12) appear to be coming from just one IP address.
The HOWTOs I pointed you to are specifically for IPChains and IPTables; the IP
Masquerading HOWTO may help, but I think it pertains to the 2.0.x kernels'
ipmasqadm filtering program (what IPChains, then IPTables, replaced).
The script I included with one of my emails was a very basic, ready to use, but
not absolutely secure ipchains script. Three lines is all it took me to get it
going; I then spent time improving it, but have since deleted it as unnecessary
(woulda been lost during a reinstall anyways).
> Thanks for the suggestion. I'll check out the HOWTO you mentioned.
> I'm assuming that in your new situation, any filtering would have to be done
> on each box, is that correct? So I'm thinking I still might want to do it
> with my firewall, and localize the filtering there. (Besides, my hub's
> full!)
> I am certainly not set on the idea of using SOCKS. I just got the
> erroneous impression that this was the best way to do it. I was checking
> the SOCKS FAQ again on the NEC site, and this time I found my error. It
> said that the error was caused because some client was attempting to use
> SOCKS as an HTTP server. If that's not possible, SOCKS seems to be pretty
> obsolete. On the other hand, if the error was caused because the traffic
> was not routed correctly through the SOCKS client program, the FAQ should
> indicate that. Whoever wrote it is assuming that the reader has a fair bit
> of knowledge already (so why would such an expert be reading the FAQ?) I
> had sent a brief rant on this subject, which got held up for moderator
> approval (because I subscribed under my company alias, so the software
> thinks I'm not a list member.) If the aforementioned rant does get posted,
> keep in mind that I appreciate your help; I was just frustrated because I'd
> wasted so much time on SOCKS. This is not the first time I was led astray
> by incomplete information and my lack of context. For example, is
> Application X intended for the casual user, serious hacker, or professional
> web site provider? And the website postings may be old enough that a new
> and better method has completely superseded the old one. Maybe what we
> need is a Linux glossary, to translate some of these terms into English for
> the Linux neophyte. How-to references are very valuable, but how do you
> know which how-to you want to achieve a particular goal?
> I've also been told that there's an "IP Masquerading" how-to that
> may be helpful. Just in case anybody else reading this has a similar
> problem.
>
> Thanks,
> Vaughn Treude
>
> ----- Original Message -----
> From: "Kevin Brown" <kevin_brown@qwest.net>
> To: <plug-discuss@lists.PLUG.phoenix.az.us>
> Sent: Wednesday, July 11, 2001 11:28 PM
> Subject: Re: SOCKS5 problems
>
> > When my DSL got switched to PPP mode I no longer needed the linux box to
> > act as the Gateway/Firewall. The external Cisco 675 DSL Router is plugged
> > straight into the hub and provides DHCP/NAT services for all the boxen
> > behind it (windows and linux). IPChains could be used to pass packets from
> > my internal net to the external net when the Router was in Bridging mode.
> > The only thing my windows and other linux machines needed to know was to
> > use the IP of the internal interface as the gateway and the DNS IPs to
> > lookup hostnames. No proxy client was needed to be set up on any of the
> > machines. IPChains is used to block stuff you don't want and to
> > accept/forward stuff you do want.
> >
> > #!/bin/bash
> > # Very Basic ipchains rule for doing Masquerading.
> > # First set the default policy for the forward chain to DENY so your machine
> > # can't be used to gain access to your internal net
> > /sbin/ipchains -P forward DENY
> > # Now add the one forward rule that IPChains will accept.
> > # The ! after the -d says anything NOT destined for my internal network
> > # should be forwarded (masqueraded) out to the Internet. ipchains takes the
> > # ! as a separate argument, so it must be followed by a space.
> > # On the forward chain -i names the interface the packet goes OUT of (eth0).
> > /sbin/ipchains -A forward -i eth0 -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j MASQ
> > # Set the kernel to allow Masquerading/Forwarding of packets
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > The above assumes that eth1 is the interface that is connected to your
> > internal LAN (other personal machines) and eth0 is the interface connected
> > to the outside world.
> >
> > Check out the following How-To for IPChains (2.2.x kernel):
> > http://netfilter.filewatcher.org/ipchains/HOWTO.html
> >
> > And try here for info on IPTables (2.4.x Kernels):
> > http://netfilter.samba.org/unreliable-guides/
> >
> > Hope this information helps, I wasn't shooting down your idea of using
> > SOCKS, just asking if you had looked into IPChains/IPTables to see if they
> > could've done what you wanted.
> >
> > All the information I've provided may still only be usable with a
> > recompile of the kernel. Hopefully the IPChains how-to will have the
> > information needed to check if the kernel is setup to do masquerading. By
> > default RedHat's is (hopefully mandrake and debian also enable it by
> > default).
> >
> > "Welcome to the wonderful world of linux. If you can find one way to do
> > it, I can show you three more that are neither better nor worse, just
> > different."
> > Not true of me, but a nice saying...
> >
> > > Once again the mysterious and somewhat misleading nomenclature of Linux
> > > modules may have misled me. I was under the impression that IPChains
> > > existed mainly to filter out the "bad stuff" that hackers may send my
> > > way. I didn't think of using it to move packets to my other boxes. I
> > > guess it makes sense that I can use IPChains to connect to my other
> > > Linux box, but what about a Windows box? I know they have SOCKS clients
> > > for Windows, and I also read that Netscape was SOCKS-enabled. Also, in
> > > my "Linux Firewalls" book (by Ziegler) the only entry they had in the
> > > index under "Proxy" was SOCKS. That's why I assumed that SOCKS was the
> > > way to do it.
> > > Do you mean to say that IPChains no longer worked as a proxy after your
> > > DSL service changed to PPPoE? That's what I've got, I'm afraid.
> > > Guess I need to read the chapter on IP Chains in my firewall book.
> > > Still, I'm pretty frustrated because it seems like this SOCKS stuff
> > > ALMOST works. Is there anyone out there that's using it successfully?
> >
> > > > I'm not an expert on Socks, but wouldn't it be easier to implement
> > > > IPchains (2.2.x kernels) or whatever the equivalent is in the 2.4.x
> > > > kernels (can't recall the package for 2.4). I'm assuming you are trying
> > > > to route multiple boxes through a single DSL or dial up connection
> > > > connected to a linux machine. This is what I had done here till Qwest
> > > > (then USWest) switched the DSL router from bridging to PPP mode and I
> > > > moved my linux box to just play around with (DEC Alpha Multia).
> > > >
> > > > > Last week I sent a message detailing my problems getting the SOCKS5
> > > > > proxy working on my LAN. I encounter this funny problem regardless of
> > > > > whether I'm trying to connect to the firewall from SocksCap on my
> > > > > Windows machine or Netscape on my other Linux box. The message says
> > > > > that the proxy has received a request with an "Incompatible Version
> > > > > Number 71."
> > > > >
> > > > > Now I've done a bit more homework since then. I checked the SOCKS5
> > > > > source and discovered that the client was supposed to be sending its
> > > > > SOCKS version (either 4 or 5) to the host. It seems unlikely that BOTH
> > > > > Netscape and SocksCap would be perpetrating this identical error. So
> > > > > my guess would be that I somehow built Socks5 incorrectly.
> > > > >
> > > > > I reran the build, this time with the "with-threads" option (which I
> > > > > should've done the first time) and the install. I then ran the Socks5
> > > > > daemon in debug mode. The log file no longer included an entry about
> > > > > having not been compiled with the threads option, but otherwise the
> > > > > problems were the same. I still had the clients telling SOCKS5 that
> > > > > they were "socks 71" clients.
> > > > >
> > > > > I was wondering if there were any SOCKS gurus out there who could
> > > > > help me figure out what I might have done wrong. I'm running Mandrake
> > > > > 7.0 on the firewall (and the client box.) I've reviewed the README
> > > > > and INSTALL files and don't see anything about telling the
> > > > > "configure" script that I'm using Linux. The script appears to be
> > > > > smart enough to look at all the library, compiler, and linker
> > > > > parameters of the system in question, but that seems like that'd be
> > > > > a pretty difficult thing to get right universally. I wonder if
> > > > > there's some kind of "endianness" or other setting I've neglected. (I
> > > > > did check the "config.log" file, it complains about not being able
> > > > > to find a certain thread library, but if that's the case, why does
> > > > > the thing compile and run?)
> > > > >
> > > > > I've included the previous message for reference. Thanks in advance
> > > > > for any help.
> > > > >
> > > > > Vaughn Treude
> > > > >
> > > > > > Hello everyone:
> > > > > > I'm trying to get SOCKS5 working on my firewall machine so the
> > > > > > other machines on my LAN can access the internet. I've downloaded,
> > > > > > compiled, and installed SOCKS5 from the NEC website; it appears to
> > > > > > start OK. I also downloaded SOCKSCAP from NEC and put it on one of
> > > > > > my Windows machines. I added Explorer to the list of SocksCap
> > > > > > clients and attempted to start it. But no matter how closely I
> > > > > > follow the instructions, the authentication fails and kicks me out!
> > > > > > I ran socks5 in debug mode, and here's some of the output: As you
> > > > > > can see, it seems to be working OK until it gets that mysterious
> > > > > > error "Incompatible Version Number 71."
> > > > > > Any ideas on what I might be doing wrong?
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> > post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
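As an added example (not from the thread or from either poster), here is the 2.4-kernel iptables counterpart of the ipchains masquerading script Kevin quoted, keeping its default-deny forward policy and its eth0/eth1 and 10.0.0.0/24 assumptions, and closing the gap he calls "not absolutely secure" by forwarding inbound packets only when they belong to a connection the LAN opened. The interface names, LAN prefix, the IPT path and the DRY_RUN switch are all assumptions.

```shell
#!/bin/sh
# Added example: iptables (2.4.x kernel) equivalent of the ipchains MASQ script.
# Assumptions: eth0 = outside world, eth1 = internal LAN, LAN = 10.0.0.0/24.
# Set DRY_RUN=1 to print the rules instead of applying them (no root needed).
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN=${LAN:-10.0.0.0/24}
IPT=${IPT:-/sbin/iptables}

# run: apply one iptables rule, or echo it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# masq_rules: the full rule set, in the order it must be applied.
masq_rules() {
    # Default-deny forwarding, the same starting point as "-P forward DENY".
    run -P FORWARD DROP
    run -F FORWARD
    run -t nat -F POSTROUTING
    # LAN -> Internet: only packets from the LAN that leave via the outside interface.
    run -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    # Internet -> LAN: only replies to connections the LAN opened (conntrack).
    # The ipchains script had no such rule; it relied on the default DENY alone.
    run -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the source address of outbound LAN traffic to the outside IP.
    run -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

# enable_forwarding: the same sysctl the ipchains script sets last.
enable_forwarding() {
    if [ -n "$DRY_RUN" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# "./masq.sh --dry-run" shows what would be applied; run without it as root to apply.
if [ "${1:-}" = "--dry-run" ]; then
    DRY_RUN=1
    masq_rules
    enable_forwarding
fi
```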