"The Linux Gazette...making Linux just a little more fun!"


(?) The Answer Guy (!)


By James T. Dennis, answerguy@ssc.com
LinuxCare, http://www.linuxcare.com/


(?) Linux Workstations Behind a Proxy/Firewall

From anil kumar on Mon, 11 Oct 1999

Hi Jim,

This is Anil from India. I saw your letter on the Red Hat site & wanted some details on how to access the internet from my Linux box. I dual boot it with my NT. Now, I am behind a proxy (MS Proxy & firewall) & my IP address has been given permission to access the internet. I access it in the usual way from NT but when I boot thro' Linux, I don't get any option to configure the proxy server. Does the name resolution request go to the DNS configured in our local network first & from there, upon not resolving, to the next higher level, that is, the local ISP DNS? But I have configured my Linux box for the DNS. Now how do I configure my Linux to access the net? I would appreciate it if you would throw some light on it.

Thanx in advance, Anil.

(!) You're probably expected to use SOCKS clients. Most proxying firewalls conform to the NEC SOCKS proxy traversal protocol (a standard way for client programs to contact a proxy and request a service).
The normal Linux client software (telnet, ftp, etc.) is not "SOCKSified" (linked to library functions which check for proxying). So you want to install the socks-clients RPM package.
You can find a copy of that at:
socks5-clients-1.0r6-1.i386 RPM
http://rufus.w3.org/linux/RPM/turbolinux/3.0/RPMS/socks5-clients-1.0r6-1.i386.html
It will replace most of your network client software utilities. You'll then have to edit the /etc/libsocks5.conf. One of mine looks like:
socks5          -       -       -            -          192.168.1.5
noproxy         -       192.168.1.           -
noproxy         -       123.45.67.0/255.255.255.240          -
Creating this file is the hardest part of using the SOCKS client RPM. You have to put in your SOCKS proxy server at the end of that first line. That's an IP address. Then you can put IP address patterns into your noproxy line(s). I have set a noproxy for one RFC1918 address block, and one (sanitized) "real" address block with a netmask. This would be a typical arrangement if there were a block of servers on our DMZ (Internet exposed network segment) that were directly accessible from my station. In many other cases you wouldn't have that 3rd line; you'd go through the proxy to get to your DMZ, too.
The programs provided by this RPM will all read the /etc/libsocks5.conf file automatically. There is also a shared library which can be used to "socksify" many "normal" TCP programs. In particular, under Linux it's possible to override the normal shared library (DLL) loading sequence, forcing a program to preload (LD_PRELOAD_PATH) a custom dynamic library. Thus with a short wrapper script (described in the documentation of this package) it's possible to redefine how a program implements some library calls without recompiling the package.
Of course these libraries can also be used explicitly (by linking programs to them). This obviates the need for LD_PRELOAD_PATH shenanigans. Personally I haven't used this "socksify" technique.
Some programs (like ncftp) might have to be replaced separately. In some cases you'll have to fetch the sources and compile programs with non-default options. In other cases, like Netscape Navigator, you'll want to just configure them (under Navigator and Communicator look for "Edit, Preferences, Advanced, Proxying" and fill in the dialog box).
Some software and some protocols will not work through SOCKS proxying or will have to be patched to do so. (Some of the Pointcast, RealAudio, CU-See-Me, and other protocols don't support SOCKS, or require proprietary proxying packages in order to traverse your firewall).
The canonical site for information about SOCKS is:
SOCKS Proxy Protocol
http://www.socks.nec.com
In particular you'll want to read the SOCKS FAQ (http://www.socks.nec.com/socksfaq.html).
You probably don't need a SOCKS server (you've already got one); you just need the client software for the protocols you plan to use through this firewall.
However, I provide pointers to some server software for other readers. You can download NEC's SOCKS software for Linux (in source form) from the web site listed above. However, you'll want to read the license on that before using or distributing it.
In addition to the NEC SOCKS implementation, Linux supports a couple of alternative SOCKS servers (NEC's SOCKS is not under GPL or BSD and it's not fully "free" software).
One that I've used is DeleGate (http://wall.etl.go.jp/delegate/). Another that I've read about but never used is Dante (http://www.inet.no/dante/). DeleGate and Dante are free under the BSD license.
One thing I like about DeleGate in particular is that it's possible to manually traverse it. In other words, if you have a favorite ftp or telnet client that doesn't know how to talk the SOCKS protocol, you can manually connect to DeleGate, type some magic commands at it, and it will then open up the same sort of connection that the SOCKSified client would have. (This is like the FWTK and other manually traversed proxy systems).
There are a number of other firewall and proxying packages available for Linux.
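As an added illustration (not part of the original column and not NEC's libsocks5 code): a small Python model of how a rule set like the one in the answer above can be evaluated, so you can check which destinations would bypass the proxy before trusting the file. It assumes that "-" fields are wildcards, that a dotted pattern ending in "." is a prefix and "net/mask" a masked network, and that noproxy exceptions are tested before the socks5 default.

```python
import ipaddress

# Constructed sample: the three lines from the answer above (the 123.45.67.0
# block is the author's sanitized "real" address block).
SAMPLE_CONF = """\
socks5          -       -       -            -          192.168.1.5
noproxy         -       192.168.1.           -
noproxy         -       123.45.67.0/255.255.255.240          -
"""

def parse_rules(text):
    """Return (kind, value) pairs. Assumption for this illustration: '-'
    fields are wildcards, so the one filled-in field is the proxy address
    (socks5 line) or the destination pattern (noproxy line)."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):   # skip blanks, comments
            continue
        kind, rest = fields[0], [f for f in fields[1:] if f != "-"]
        if kind not in ("socks5", "noproxy") or len(rest) != 1:
            raise ValueError(f"unsupported or malformed line: {line!r}")
        rules.append((kind, rest[0]))
    return rules

def pattern_matches(pattern, dest):
    """'a.b.c.' is a dotted prefix, 'net/mask' a masked network, else exact."""
    if "/" in pattern:
        # ipaddress accepts dotted-quad masks such as 255.255.255.240
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(dest) in net
    if pattern.endswith("."):
        return dest.startswith(pattern)
    return dest == pattern

def route_for(dest, rules):
    """Decide how to reach dest: ('direct', None) or ('socks5', proxy_ip).
    Assumed here: noproxy exceptions are tested before the socks5 default,
    whatever the line order; within a kind the first match wins."""
    for kind, value in rules:
        if kind == "noproxy" and pattern_matches(value, dest):
            return ("direct", None)
    for kind, value in rules:
        if kind == "socks5":
            return ("socks5", value)
    raise LookupError(f"no socks5 line covers {dest}")
```

Note that the trailing dot in "192.168.1." matters: without it, "192.168.10.x" would also match the prefix and be sent around the proxy.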


Copyright © 1999, James T. Dennis
Published in The Linux Gazette Issue 48 December 1999
HTML transformation by Heather Stern of Starshine Technical Services, http://www.starshine.org/

