
COVER STORY

Examining the generic Socks version 5 proxy protocol

SOCKS FOR PROXY

Socks is a universal proxy protocol for TCP and UDP that allows internal hosts to securely pass the firewall and authenticates users. This article describes the latest version of the Socks proxy protocol and shows how to implement it.

BY THOMAS KUHN AND ACHIM LEITNER

ISSUE 56 JULY 2005 WWW.LINUX-MAGAZINE.COM

Many firewall admins allow direct access to the Web from the internal network but are more restrictive with other services such as FTP or SMTP. They rightfully argue that filter rules that allow a minimum of services and ports are easier to track and manage. Application Level Gateways (ALGs) provide even more granular control and are typically implemented as proxies (Figure 1a). However, the application firewall needs a proxy for each service.

The Socks protocol [2] (RFC 1928, Figure 1b) treads a path between the stateful packet filter and the ALG. Socks is implemented in the Dante package [1], for example. The generic Socks proxy technology leaves the firewall in control of applications, separating networks in the Transport Layer and giving clients a fixed request port (typically 1080). Clients formulate Socks requests, specifying target servers and services (such as HTTP, SMTP, or FTP). The Socks proxy (also known as a Socks server) authenticates the client and authorizes the client for access, sets up the connection to the target server, and transparently forwards any data sent or received.

Intermediate

Normally, client applications need to have integrated Socks support to be able to use the proxy, as Socks does affect the way protocols interact. However, a wrapper can add Socks support to binaries using LD_PRELOAD technology. To do this, the wrapper implements a customized socket library.

The name Socks is derived from Socket; the original working title was SOCK-et-S. There are two main versions: Socks v4 and v5. Both protocols insert themselves into the OSI model between the Transport and Application layers. Version 4 is restricted to handling connection requests, honoring proxy rules, and forwarding application data. It does not provide any kind of authentication and is restricted to TCP. Socks v5 adds robust authentication mechanisms and extends support to UDP.

Roundabout Route

In a typical Socks scenario, the client might want to access the HTTP service provided by a server on an external network. The procedure is shown in Figure 2, the data format in Figure 3, and the field contents are shown in Table 1. The client starts by opening a TCP connection to the Socks proxy (1); the connection uses port 1080 by default. The client sends a Negotiation packet suggesting a few authentication methods (number in NMETHODS and methods in METHODS).

If the proxy accepts the request (step 2 in Figure 2), it uses a Server Negotiation packet to tell the client its preferred authentication method (METHODS with exactly one entry). The proxy then proceeds to authenticate the client (step 3). The exact procedure at this step depends on the selected method.

The client then sends a request to the proxy stating which service it requires (target address DST.ADDR and target port DST.PORT). The Socks proxy evaluates the request, based on the client ID and the target address, taking an access control list into consideration in a style typical of firewalls. If the client is not allowed the type of access it has requested, the Socks proxy drops the connection to the client. In any other case, it replies with one or multiple Server Reply packets.

Figure 1a: If the firewall is implemented as an application level gateway, it separates the internal and external networks at application level. However, it then needs a proxy for each protocol. (Diagram: one proxy configuration per protocol, such as SMTP, FTP and DNS, between intranet clients and Internet servers.)

Figure 1b: In contrast to an ALG, Socks assumes the role of a generic proxy, accepting connections for any application protocols on port 1080, authenticating clients, and authorizing transfers. (Diagram: a single Socks proxy on port 1080 between intranet clients and Internet servers.)

Addressed

Socks requests and replies can contain different types of addresses. The protocol supports IPv4 and IPv6 addresses, along with domain names. The latter removes the need for the client to perform a DNS lookup, and the internal network does not need to resolve external DNS names.

Depending on the client request type, that is, depending on the value of CMD (Figure 2 and Table 1), the address details in the Socks server reply have a different significance. A reply to a CONNECT request contains BND.PORT and BND.ADDR, that is, the address at which the proxy has connected to the target server. The BND.ADDR address is typically not identical to the Socks server address to which the client sent the original request. This constellation, which is referred to as a multi-homed Socks server, is typical of a Socks firewall that connects two networks. After a successful Connect command, the client and target server can communicate transparently through the proxy; Socks simply forwards any data.

The client sends a BIND request to indicate that it expects an incoming connection from a target server. This scenario might seem back-to-front, but it is quite normal in the case of the FTP protocol in active mode. With FTP, and following best client-server traditions, the client first establishes a connection to the FTP server; this is known as the control connection. Whenever a file needs to be transferred, the server establishes a data connection back to the client. Prior to this, the client needs to tell the server which address and port the server should use. Again, this information is sent across the control channel.

Upside-Down World

Socks can selectively allow this type of connection into the internal network. The client opens the control channel to the server by sending a normal Connect request. The client then uses a Bind request within a second connection to ask the Socks proxy to open a port for the incoming data connection.

The proxy sends two replies in response. The first contains the port and address at which the Socks server will listen for the incoming connection. The proxy does not send the second reply until the target server opens a connection. When this happens, the proxy's reply contains the source address and source port the target machine used to open a connection to it. Finally, the proxy forwards the data from the external server to the internal client.

If you want Socks to act as a UDP proxy, the client first needs to use TCP to contact the proxy and authenticate (Figure 4). The CMD it stipulates in this case is the third value in Table 1: UDP Associate. As the client will actually be using UDP to transmit data later on, it needs to tell the proxy where these packets will be coming from. To do so, the client adds its own address and port to the DST.ADDR and DST.PORT fields.

The proxy then opens an internal UDP relay port, allowing the client to send packets to the outside world. The client reads the address and port for the relay from the server's reply to the UDP Associate request: BND.PORT and BND.ADDR. This is where the client has to send any UDP packets destined for the external network. The client wraps its own UDP packets in a UDP Request (Figure 3, bottom). The UDP relay stays open for as long as the client keeps the authenticated TCP connection up.

Authentic

The authentication method can also provide trust and integrity between the client and the proxy. The authentication

Figure 2: When establishing a Socks v5 connection, the client starts by sending a negotiation packet to the Socks proxy (1). The client authenticates (3); the proxy then establishes the connection to the target server (6) and forwards data (8). The steps shown are:
1. Client Negotiation (client to Socks port 1080)
2. Server Negotiation
3. Authentication
4. Client Request
5. Server Reply
6. Server Request (Socks proxy to target server)
7. Server Response
8. Data (forwarded in both directions)

Figure 3: Socks version 5 uses five packet types: Client Negotiation, Server Negotiation, Client Request, Server Reply, and UDP Request. Field layout, with field sizes in bytes:

Client Negotiation (client to Socks server):  VER (1) | NMETHODS (1) | METHODS (1-255)
Server Negotiation (Socks server to client):  VER (1) | METHODS (1)
Client Request (client to Socks server):      VER (1) | CMD (1) | RSV (1) | ATYP (1) | DST.ADDR (variable) | DST.PORT (2)
Server Reply (Socks server to client):        VER (1) | REP (1) | RSV (1) | ATYP (1) | BND.ADDR (variable) | BND.PORT (2)
UDP Request (client to Socks server):         RSV (2) | FRAG (1) | ATYP (1) | DST.ADDR (variable) | DST.PORT (2) | DATA (variable)

Dante is developed by a Norwegian consultancy called Inferno Nettverk A/S, who also have commercial modules for bandwidth control and port forwarding monitoring. This said, the free version is typically fine for most tasks. Besides providing Socks and MSproxy services, it can also act as an HTTP proxy and authenticate users based on usernames and passwords, or via Pluggable Authentication Modules. Support for interface names in the configuration file allows it to support DHCP.
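The packet layouts of Figure 3 assembled and parsed in working code. This is an added example, not code from the article or from Dante; it follows the field order shown above, handles the three ATYP address forms from the Addressed section (IPv4, domain name, IPv6) and the UDP Request wrapper used after UDP Associate. The function names are the example's own.

```python
import socket
import struct

VER = 5  # field values from RFC 1928, as laid out in Figure 3
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 1, 2, 3
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def encode_addr(host, port):  # ATYP + address + 2-byte port, shared by Request, Reply and UDP Request
    for atyp, family in ((ATYP_IPV4, socket.AF_INET), (ATYP_IPV6, socket.AF_INET6)):
        try:
            return bytes([atyp]) + socket.inet_pton(family, host) + struct.pack("!H", port)
        except OSError:
            continue  # not a literal of this family, try the next form
    name = host.encode("ascii")  # ATYP 3: length-prefixed name, so the client needs no DNS lookup
    return bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def decode_addr(buf, off):  # inverse of encode_addr; returns (host, port, offset after the port)
    atyp = buf[off]
    if atyp == ATYP_IPV4:
        host, off = socket.inet_ntop(socket.AF_INET, buf[off + 1:off + 5]), off + 5
    elif atyp == ATYP_IPV6:
        host, off = socket.inet_ntop(socket.AF_INET6, buf[off + 1:off + 17]), off + 17
    elif atyp == ATYP_DOMAIN:
        n = buf[off + 1]
        host, off = buf[off + 2:off + 2 + n].decode("ascii"), off + 2 + n
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    return host, struct.unpack("!H", buf[off:off + 2])[0], off + 2


def client_negotiation(methods):  # VER NMETHODS METHODS (step 1 in Figure 2)
    return bytes([VER, len(methods)]) + bytes(methods)


def client_request(cmd, host, port):  # VER CMD RSV ATYP DST.ADDR DST.PORT (step 4)
    return bytes([VER, cmd, 0]) + encode_addr(host, port)


def parse_reply(buf):  # VER REP RSV ATYP BND.ADDR BND.PORT (step 5); returns (REP, host, port)
    if buf[0] != VER or buf[2] != 0:
        raise ValueError("not a Socks v5 reply")
    host, port, _ = decode_addr(buf, 3)
    return buf[1], host, port


def udp_request(host, port, payload):  # RSV FRAG ATYP DST.ADDR DST.PORT DATA: wrap one datagram
    return b"\x00\x00\x00" + encode_addr(host, port) + payload


def parse_udp_request(buf):  # unwrap a relayed datagram; fragments (FRAG != 0) are refused here
    if buf[:2] != b"\x00\x00" or buf[2] != 0:
        raise ValueError("bad RSV or fragmented datagram")
    host, port, off = decode_addr(buf, 3)
    return host, port, buf[off:]
```

RFC 1928 allows a relay to drop fragmented UDP datagrams, which is what parse_udp_request does; a relay that does accept them must also reassemble them.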