iPlanet Web proxy Server 3.6 Administrator's Guide - NT Version



Chapter 9   Using SOCKS v5


This chapter explains how to configure and use the SOCKS v5 server that comes with iPlanet Web Proxy Server.



Using a SOCKS Server



The SOCKS server is a generic firewall daemon that controls access through the firewall on a point-to-point basis. The SOCKS server works at the network level instead of the application level, and therefore has no knowledge of protocols or methods used for transferring requests. Because the SOCKS server has no knowledge of protocols, it can be used to pass those protocols which are not supported by the proxy server, such as telnet. iPlanet Web Proxy Server supports SOCKS versions 4 and 5.

iPlanet Web Proxy Server comes with a separate SOCKS daemon that understands the usual socks5.conf file format used by other SOCKS daemons. See "The socks5.conf File" on page 373 for information on this file format. By default, the SOCKS daemon features are disabled, but you can enable them through the SOCKS On/Off form.



You can also use the Routing Configuration form to configure your proxy to route requests through a SOCKS server. For more information on routing requests through a SOCKS server, see Routing Through a SOCKS Server.

To use the SOCKS server,

  1. Configure SOCKS v5.

  2. If SOCKS v5 will be running on a machine with multiple interfaces, create SOCKS routing entries.

  3. Create authentication entries.

  4. Create connection entries.

  5. Enable the SOCKS server.


Configuring SOCKS v5

To configure your SOCKS server,

  1. From the Server Manager, choose SOCKS|Configuration. The SOCKS v5 Configuration form appears.

  2. In the SOCKS Port field, enter the port number on which the SOCKS server will listen.

  3. Choose the checkbox for the SOCKS options you want to use.

    The options are:

    • disable reverse DNS lookup - disables reverse DNS lookup for your SOCKS server. Reverse DNS translates IP addresses into host names. Disabling this feature can conserve network resources.

    • use client-specific bind port - allows the client to specify the port in a BIND request. With this option disabled, SOCKS ignores the client's requested port and assigns a random port.

    • allow wildcard as bind IP address - allows the client to specify an IP address of all zeros (0.0.0.0) in a BIND request. An IP address of all zeros means that any IP address can connect. With this option disabled, the client must specify the IP address that will be connecting to the bind port and the SOCKS server rejects requests to bind to 0.0.0.0.

  4. In the Log File field, enter the full pathname of the SOCKS log file.

  5. From the Log Level pull-down, choose whether you want the log file to contain warnings and errors only, all requests, or debugging messages.

  6. If you want to disable the automatic logging of general SOCKS statistics once an hour, select the "quench updates" checkbox.

  7. Select the radio button to choose an RFC 1413 Ident Policy. Ident allows the SOCKS server to determine the user name for a client. Generally, this feature only works when the client is running Unix. The available policies are:

    • don't ask - never use Ident to determine the user name for a client. This is the recommended setting.

    • ask but don't require - ask for the user name of all clients, but do not require it. This option uses Ident for logging purposes only.

    • require - ask for the user name of all clients and only permit access to those with valid responses.

  8. Click OK.
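The two BIND-related options in step 3 are the security-relevant ones: a wildcard bind address lets any peer connect to the port the SOCKS server opens on the client's behalf, and a client-chosen bind port lets the client dictate which port that is. The following Python is an added example, not code from the iPlanet guide or the SOCKS daemon it ships: it parses a SOCKS v5 request and applies both options to a BIND request. It assumes the request layout of RFC 1928 (VER CMD RSV ATYP DST.ADDR DST.PORT), which the guide does not reproduce, and treats a requested port of 0 as "no preference", as the guide's note on bind requests in the connection-entry section describes. The pick_port callable stands in for the server's own port allocation.

```python
"""Added example, not code from the iPlanet guide: parse a SOCKS v5 request
and apply the "use client-specific bind port" and "allow wildcard as bind IP
address" options from the SOCKS v5 Configuration form.
Assumptions: the wire layout follows RFC 1928 (VER CMD RSV ATYP DST.ADDR
DST.PORT), which the guide does not reproduce, and a requested port of 0
means "no preference"."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

CMD_NAMES = {0x01: "connect", 0x02: "bind", 0x03: "udp"}


class BadRequest(ValueError):
    """Malformed request; a real server would send a failure reply and close."""


@dataclass
class Request:
    cmd: str
    addr: str
    port: int


@dataclass
class BindPolicy:
    use_client_bind_port: bool = False    # form option: use client-specific bind port
    allow_wildcard_bind_ip: bool = False  # form option: allow wildcard as bind IP address


def parse_request(data: bytes) -> Request:
    """Decode the fixed header, the variable-length address and the port."""
    if len(data) < 4 or data[0] != 0x05:
        raise BadRequest("not a SOCKS v5 request")
    if data[1] not in CMD_NAMES:
        raise BadRequest("unknown command %#x" % data[1])
    if data[2] != 0x00:
        raise BadRequest("reserved byte must be zero")
    atyp = data[3]
    if atyp == 0x01:                      # IPv4: 4 address bytes
        start, end = 4, 8
    elif atyp == 0x03:                    # domain name: 1 length byte + name
        if len(data) < 5:
            raise BadRequest("truncated request")
        start, end = 5, 5 + data[4]
    elif atyp == 0x04:                    # IPv6: 16 address bytes
        start, end = 4, 20
    else:
        raise BadRequest("unknown address type %#x" % atyp)
    if len(data) != end + 2:              # exactly two port bytes must follow the address
        raise BadRequest("truncated or over-long request")
    raw = data[start:end]
    if atyp == 0x01:
        addr = str(ipaddress.IPv4Address(raw))
    elif atyp == 0x04:
        addr = str(ipaddress.IPv6Address(raw))
    else:
        addr = raw.decode("ascii")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return Request(CMD_NAMES[data[1]], addr, port)


def apply_bind_policy(req: Request, policy: BindPolicy,
                      pick_port: Callable[[], int]) -> Tuple[bool, Optional[str], Optional[int]]:
    """Return (accepted, bind_addr, bind_port) for a parsed request.

    Non-BIND commands pass through untouched. For BIND, the wildcard address
    0.0.0.0 is rejected unless the form allows it, since it lets any peer
    connect to the listening port. The client's requested port is honoured
    only when the form enables it and the client stated a preference (port
    != 0); otherwise the server allocates the port itself (pick_port)."""
    if req.cmd != "bind":
        return True, req.addr, req.port
    if req.addr == "0.0.0.0" and not policy.allow_wildcard_bind_ip:
        return False, None, None
    if policy.use_client_bind_port and req.port != 0:
        return True, req.addr, req.port
    return True, req.addr, pick_port()


if __name__ == "__main__":
    # Constructed BIND request for 0.0.0.0 port 8080 (0x1f90).
    sample = bytes([0x05, 0x02, 0x00, 0x01, 0, 0, 0, 0, 0x1f, 0x90])
    print(apply_bind_policy(parse_request(sample), BindPolicy(), lambda: 40000))
```

With both options left at their default (disabled), the sample request is refused outright; enabling only the wildcard option accepts it on a server-chosen port, and enabling both accepts it on the client's port 8080.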


Creating SOCKS v5 Authentication Entries

SOCKS authentication entries identify the hosts from which the SOCKS daemon should accept connections and which types of authentication the SOCKS daemon should use to authenticate these hosts.

To create a SOCKS authentication entry,

  1. From the Server Manager, choose SOCKS|Authentication. The SOCKS v5 Authentication Entry form appears.

  2. Click the Add button. The SOCKS v5 Authentication Entry form appears.

  3. In the Host mask field, enter the IP addresses or host names of the hosts that the SOCKS server will authenticate. If you enter an IP address, follow the address with a forward slash and the mask to be applied to the incoming IP address. The SOCKS server will apply this mask to the IP address to determine if it is a valid host. There cannot be any spaces in the Host mask entry. If you do not enter a host mask, the authentication entry will apply to all hosts.

    For example, you can enter "155.25.0.0/255.255.0.0" into the Host mask field. If the host's IP address is 155.25.3.5, the SOCKS server will apply the mask to the IP address and determine that the host's IP address matches the IP address for which the authentication record applies (155.25.0.0).

  4. In the Port range field, enter the ports on the host machines that the SOCKS server will authenticate. There should not be any spaces in your port range. If you do not enter a port range, the authentication entry will apply to all ports.

    You can use brackets [ ] to include the ports at each end of the range or parentheses ( ) to exclude them. For example [1000-1010] means all port numbers between and including 1000 and 1010. (1000-1010) means all port numbers between, but not including 1000 and 1010. You can also mix brackets and parentheses. For instance, (1000-1010] means all numbers between 1000 and 1010, excluding 1000, but including 1010.

  5. From the Authentication type pull-down, choose one of the following:

    • require user password - user name and password are required to access the SOCKS server

    • user-password if available - if a user name and password are available, they should be used to access the SOCKS server; but they are not required for access

    • ban - banned from the SOCKS server

    • none - no authentication is required to access the SOCKS server

  6. From the "Insert" pull-down, select the position in the socks5.conf file that you want the authentication entry to be in. Because you can have multiple authentication methods, you need to specify the order in which they are evaluated. If the client does not support the first authentication method listed, the second method will be used instead. If the client does not support any of the authentication methods listed, the SOCKS server will disconnect without accepting a request.

  7. Click OK.
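The ordering rule in step 6 is a method negotiation: the server walks the authentication entries that match the client in socks5.conf order and settles on the first one the client can satisfy. The following Python is an added example, not code from the iPlanet guide or its SOCKS daemon, showing that selection. It assumes the client greeting and the server's one-byte answer follow RFC 1928 (which the guide does not reproduce), and maps the form's authentication types to wire methods as follows: "require user password" offers only username/password, "user-password if available" offers username/password and then no authentication, "none" offers no authentication, and "ban" ends the negotiation immediately. The mapping is this example's own reading of the form, not something the guide states.

```python
"""Added example, not code from the iPlanet guide: choose the authentication
method for a client from the ordered authentication entries that match it.
Assumptions: RFC 1928 greeting/answer format, and the AUTH_TYPE_METHODS
mapping of the form's entry types to wire method codes."""
from typing import List

NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF

# Form authentication type -> methods the server is willing to use, in
# preference order (assumed mapping; the guide names only the types).
AUTH_TYPE_METHODS = {
    "require user password": [USER_PASS],
    "user-password if available": [USER_PASS, NO_AUTH],
    "none": [NO_AUTH],
    "ban": [],
}


def parse_greeting(data: bytes) -> List[int]:
    """VER NMETHODS METHODS... -> the method codes the client supports."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS v5 greeting")
    count = data[1]
    if len(data) != 2 + count:
        raise ValueError("method list length does not match NMETHODS")
    return list(data[2:])


def select_method(auth_types: List[str], client_methods: List[int]) -> int:
    """auth_types: the entries matching this client, in socks5.conf order.

    The first entry whose method the client supports wins. A "ban" entry
    stops the search. NO_ACCEPTABLE (0xFF) means no agreement, and the
    server disconnects without accepting a request."""
    for auth_type in auth_types:
        if auth_type == "ban":
            return NO_ACCEPTABLE
        for method in AUTH_TYPE_METHODS[auth_type]:
            if method in client_methods:
                return method
    return NO_ACCEPTABLE


def server_reply(auth_types: List[str], greeting: bytes) -> bytes:
    """The two-byte VER METHOD answer the server sends back to the client."""
    return bytes([0x05, select_method(auth_types, parse_greeting(greeting))])


if __name__ == "__main__":
    # Constructed greeting: client offers only "no authentication".
    greeting = bytes([0x05, 0x01, NO_AUTH])
    print(server_reply(["require user password", "none"], greeting).hex())
```

Note the difference between the two password entries: with "require user password" first and a client that offers only no-authentication, the search falls through to the next entry, whereas a client that offers nothing matching any entry is disconnected.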


Editing SOCKS v5 Authentication Entries

To edit a SOCKS v5 authentication entry,

  1. From the Server Manager, choose SOCKS|Authentication. The SOCKS v5 Authentication Entry form appears.

  2. Select the radio button next to the authentication entry that you want to edit.

  3. Click the Edit button. The SOCKS v5 Authentication Entry form appears.

  4. Edit the appropriate information.

  5. Click OK.


Deleting SOCKS v5 Authentication Entries

To delete a SOCKS v5 authentication entry,

  1. From the Server Manager, choose SOCKS|Authentication. The SOCKS v5 Authentication Entry form appears.

  2. Select the radio button next to the authentication entry that you want to delete.

  3. Click the Delete button.

  4. Click OK.


Moving SOCKS v5 Authentication Entries

Because you can have multiple authentication methods, the entries are evaluated in the order in which they appear in the socks5.conf file. You may want to change the order in which they are evaluated by moving them.

To move authentication entries,

  1. From the Server Manager, choose SOCKS|Authentication.

    The SOCKS v5 Authentication form appears.

  2. Select the radio button next to the authentication entry that you want to move.

  3. Click the Move button.

    The SOCKS v5 Move Entry form appears.

  4. From the Move pull-down, choose the position in the socks5.conf file that you want the authentication entry to be in. Because you can have multiple authentication methods, you need to specify the order in which they are evaluated.

  5. Click OK.


Creating SOCKS v5 Connection Entries

SOCKS connection entries specify whether the SOCKS daemon should permit or deny a request. To create a SOCKS v5 connection entry,

  1. From the Server Manager, choose SOCKS|Connections. The SOCKS v5 Connections form appears.

  2. Click the Add button. The SOCKS v5 Connection Entry form appears.

  3. From the Authentication Type pull-down, choose the authentication method for which this access control line applies.

  4. From the Connection Type pull-down, choose the type of command the line matches. Possible command types are:

    • connect

    • bind (open a listen socket)

    • UDP relay

    • all

  5. In the Source host mask field, enter the IP address or host names of the hosts for which the connection control entry applies. If you enter an IP address, follow it with a forward slash and the mask to be applied to the source's IP address. The SOCKS server will apply this mask to the source's IP address to determine if it is a valid host. There cannot be any spaces in the host mask entry. If you do not enter a host mask, the connection entry will apply to all hosts.

    For example, you can enter "155.25.0.0/255.255.0.0" into the host mask field. If the host's IP address is 155.25.3.5, the SOCKS server will apply the mask to the IP address and determine that the host's IP address matches the IP address for which the connection control entry applies (155.25.0.0).

  6. In the Port range field, enter the ports on the source machines for which the connection control entry applies. There should not be any spaces in your port range. If you do not specify a port range, the connection entry will apply to all ports.

    You can use brackets [ ] to include the ports at each end of the range or parentheses ( ) to exclude them. For example [1000-1010] means all port numbers between and including 1000 and 1010. (1000-1010) means all port numbers between, but not including 1000 and 1010. You can also mix brackets and parentheses. For instance, (1000-1010] means all numbers between 1000 and 1010, excluding 1000, but including 1010.

  7. In the Destination host mask field, enter the IP address or host name for which the connection entry applies. If you enter an IP address, follow it with a forward slash and the mask to be applied to the incoming IP address. The SOCKS server will apply this mask to the IP address of the destination machine to determine if it is a valid destination host. There cannot be any spaces in the host mask entry. If you do not enter a destination host mask, the connection entry applies to all hosts.

    For example, you can enter "155.25.0.0/255.255.0.0" into the Destination host mask field. If the destination host's IP address is 155.25.3.5, the SOCKS server will apply the mask to the IP address and determine that the destination host's IP address matches the IP address for which the proxy entry applies (155.25.0.0).

  8. In the second Port range field, enter the ports on the destination host machines for which the connection control entry applies. There should not be any spaces in your port range. If you do not enter a port range, the connection entry applies to all ports.



    Note: Most SOCKS applications will request port 0 for bind requests, meaning they have no port preference. Therefore, the destination port range for bind should always include port 0.



    You can use brackets [ ] to include the ports at each end of the range or parentheses ( ) to exclude them. For example [1000-1010] means all port numbers between and including 1000 and 1010. (1000-1010) means all port numbers between, but not including 1000 and 1010. You can also mix brackets and parentheses. For instance, (1000-1010] means all numbers between 1000 and 1010, excluding 1000, but including 1010.

  9. In the User group field, enter the group to deny or permit access to. If you do not specify a group, the connection entry will apply to all users.

  10. From the Action pull-down, choose to permit or deny access for the connection you are creating.

  11. From the Insert pull-down, choose the position in the socks5.conf file that you want the connection entry to be in. Because you can have multiple connection directives, you need to specify the order in which they are evaluated.
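The host mask and port range syntax in steps 5 to 8 is the same syntax the authentication entries use, and the "Insert" position in step 11 matters because entries are evaluated in socks5.conf order. The following Python is an added example, not code from the iPlanet guide or its SOCKS daemon: it parses both forms and evaluates a constructed list of connection entries first-match. It assumes IPv4 addresses only (host names are not resolved), that an address given without a mask means a single host, that "-" in the authentication-type position matches any method, that a range without a dash such as "[80]" is a single port, and that a request matching no entry is denied; none of these defaults are stated by the guide.

```python
"""Added example, not code from the iPlanet guide: parse the host mask and
port range syntax shared by SOCKS v5 authentication, connection and routing
entries, and evaluate connection entries in socks5.conf order.
Assumptions (not stated by the guide): IPv4 only, host names not resolved;
an address without a mask is a single host; "-" matches any authentication
type; "[80]" is a single port; no matching entry means deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_PORTS = (0, 65535)


def parse_host_mask(text: str) -> Optional[Tuple[int, int]]:
    """'155.25.0.0/255.255.0.0' -> (network, mask) as ints; '' -> any host."""
    if text == "":
        return None
    if " " in text:
        raise ValueError("host mask must not contain spaces: %r" % text)
    addr, _, mask = text.partition("/")
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask)) if mask else 0xFFFFFFFF
    return a & m, m


def host_matches(mask: Optional[Tuple[int, int]], ip: str) -> bool:
    """Apply the mask to the incoming address and compare with the network."""
    if mask is None:
        return True
    network, m = mask
    return (int(ipaddress.IPv4Address(ip)) & m) == network


def parse_port_range(text: str) -> Tuple[int, int]:
    """'[1000-1010]' -> (1000, 1010); '(1000-1010)' -> (1001, 1009);
    '(1000-1010]' -> (1001, 1010). Returns inclusive bounds; '' -> all ports."""
    if text == "":
        return ALL_PORTS
    if " " in text:
        raise ValueError("port range must not contain spaces: %r" % text)
    opener, closer = text[0], text[-1]
    if opener not in "[(" or closer not in "])":
        raise ValueError("port range needs brackets or parentheses: %r" % text)
    lo_text, dash, hi_text = text[1:-1].partition("-")
    lo = int(lo_text)
    hi = int(hi_text) if dash else lo   # "[80]" means the single port 80
    if opener == "(":
        lo += 1                         # parenthesis excludes the lower endpoint
    if closer == ")":
        hi -= 1                         # parenthesis excludes the upper endpoint
    return lo, hi


def port_matches(rng: Tuple[int, int], port: int) -> bool:
    return rng[0] <= port <= rng[1]


@dataclass
class ConnectionEntry:
    action: str             # "permit" or "deny"
    auth_type: str          # e.g. "user-password", "none"; "-" matches any
    command: str            # "connect", "bind", "udp" or "all"
    src_mask: str = ""
    src_ports: str = ""
    dst_mask: str = ""
    dst_ports: str = ""
    group: str = ""         # empty means every user

    def matches(self, auth_type, command, src_ip, src_port, dst_ip, dst_port, group) -> bool:
        return (self.auth_type in ("-", auth_type)
                and self.command in ("all", command)
                and host_matches(parse_host_mask(self.src_mask), src_ip)
                and port_matches(parse_port_range(self.src_ports), src_port)
                and host_matches(parse_host_mask(self.dst_mask), dst_ip)
                and port_matches(parse_port_range(self.dst_ports), dst_port)
                and self.group in ("", group))


def evaluate(entries: List[ConnectionEntry], auth_type, command,
             src_ip, src_port, dst_ip, dst_port, group="") -> str:
    """First matching entry wins, in the order the entries appear in socks5.conf."""
    for entry in entries:
        if entry.matches(auth_type, command, src_ip, src_port, dst_ip, dst_port, group):
            return entry.action
    return "deny"   # assumed default when nothing matches


# Constructed sample entries, in socks5.conf order: the deny line must come
# first or the broader permit line below it would shadow it.
SAMPLE_ENTRIES = [
    ConnectionEntry("deny", "-", "all", "155.25.0.0/255.255.0.0", "", "", "(1000-1010]"),
    ConnectionEntry("permit", "-", "connect", "155.25.0.0/255.255.0.0"),
    # bind: the destination port range includes port 0, as the guide's note requires
    ConnectionEntry("permit", "user-password", "bind", "155.25.0.0/255.255.0.0", "", "", "[0-0]"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ENTRIES, "user-password", "connect", "155.25.3.5", 40000, "10.0.0.1", 80))
```

Swapping the first two sample entries would let the permit line match every connect request from the 155.25.0.0 network before the deny line is ever consulted, which is exactly why the Insert and Move forms exist.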


Editing SOCKS v5 Connection Entries

To edit a SOCKS v5 connection entry,

  1. From the Server Manager, choose SOCKS|Connections. The SOCKS v5 Connections form appears.

  2. Select the radio button next to the connection entry that you want to edit.

  3. Click the Edit button. The SOCKS v5 Connections Entry form appears.

  4. Edit the appropriate information.

  5. Click OK.


Deleting SOCKS v5 Connection Entries

To delete a SOCKS v5 connection entry,

  1. From the Server Manager, choose SOCKS|Connections. The SOCKS v5 Connections form appears.

  2. Select the radio button next to the connection entry that you want to delete.

  3. Click the Delete button.

  4. Click OK.


Moving SOCKS v5 Connection Entries

You may want to change the order of the connection entries in your socks5.conf file. You can do so by moving the connection entries. To move connection entries,

  1. From the Server Manager, choose SOCKS|Connections. The SOCKS v5 Connections form appears.

  2. Select the radio button next to the connection entry that you want to move.

  3. Click the Move button. The SOCKS v5 Move Entry form appears.

  4. From the Move pull-down, choose the position in the socks5.conf file that you want the connection entry to be in.

  5. Click OK.


Creating Routing Entries

There are two types of routing entries, the proxy routes and the SOCKS v5 routes. The proxy routes identify the IP addresses that are accessible through another SOCKS server and whether that SOCKS server connects directly to the host. Proxy routes are important when you are routing through a SOCKS server. The SOCKS v5 routes identify which interface the SOCKS daemon should use for particular IP addresses.


Creating SOCKS v5 Routing Entries

To create a SOCKS v5 route,

  1. From the Server Manager, choose SOCKS|Routing. The SOCKS v5 Routing form appears.

  2. Under the Routing section, click the Add button. The SOCKS v5 Routing Entry form appears.

  3. In the Host mask field, enter the IP address or host name for which incoming and outgoing connections must go through the specified interface. If you enter an IP address, follow it with a forward slash and the mask to be applied to the incoming IP address. The SOCKS server will apply this mask to the IP address to determine if it is a valid host. There cannot be any spaces in the host mask entry. If you do not enter a host mask, the SOCKS v5 entry applies to all hosts.

    For example, you can enter "155.25.0.0/255.255.0.0" into the Host/Mask field. If the host's IP address is 155.25.3.5, the SOCKS server will apply the mask to the IP address and determine that the host's IP address matches the IP address for which the routing entry applies (155.25.0.0).

  4. In the Port range field, enter the ports for which incoming and outgoing connections must go through the specified interface. Your port range should not have any spaces. If you do not specify a port range, the SOCKS v5 entry applies to all ports.

    You can use brackets [ ] to include the ports at each end of the range or parentheses ( ) to exclude them. For example [1000-1010] means all port numbers between and including 1000 and 1010. (1000-1010) means all port numbers between, but not including 1000 and 1010. You can also mix brackets and parentheses. For instance, (1000-1010] means all numbers between 1000 and 1010, excluding 1000, but including 1010.

  5. In the Interface/Address field, enter the IP address or name of the interface through which incoming and outgoing connections must pass.

  6. From the Insert pull-down, choose the position of this SOCKS v5 routing entry in your socks5.conf file. Because you can have multiple routing methods, you need to specify the order in which they are evaluated.


Creating Proxy Routing Entries

To create a proxy route,

  1. From the Server Manager, choose SOCKS|Routing. The SOCKS v5 Routing form appears.

  2. Under the Routing section, click the Add button. The SOCKS v5 Proxy Routing Entry form appears.

  3. From the Proxy Type pull-down, choose the type of proxy server you will be routing through. The choices are:

    • SOCKS v5

    • SOCKS v4

    • direct connection

  4. In the Destination host mask field, enter the IP address or host name for which the connection entry applies.

    If you enter an IP address, follow it with a forward slash and the mask to be applied to the incoming IP address. The SOCKS server will apply this mask to the IP address of the destination machine to determine if it is a valid destination host. There cannot be any spaces in the host mask entry. If you do not enter a destination host mask, the connection entry applies to all hosts.

    For example, you can enter "155.25.0.0/255.255.0.0" into the Destination host mask field. If the destination host's IP address is 155.25.3.5, the SOCKS server will apply the mask to the IP address and determine that the destination host's IP address matches the IP address for which the proxy entry applies (155.25.0.0).

  5. In the Port range field, enter the ports on the destination host for which the proxy entry applies. Your port range should not have any spaces. If you do not specify a port range, the proxy entry applies to all ports.

    You can use brackets [ ] to include the ports at each end of the range or parentheses ( ) to exclude them. For example [1000-1010] means all port numbers between and including 1000 and 1010. (1000-1010) means all port numbers between, but not including 1000 and 1010. You can also mix brackets and parentheses. For instance, (1000-1010] means all numbers between 1000 and 1010, excluding 1000, but including 1010.

  6. In the Proxy Address field, enter the host name or IP address of the proxy server to use.

  7. In the Port field, enter the port number on which the proxy server will listen for SOCKS requests.

  8. From the Insert pull-down, choose the position of this routing entry in your socks5.conf file. Because you can have multiple routing methods, you need to specify the order in which they are evaluated.

  9. Click OK.


Editing Routing Entries

To edit a proxy routing entry or a SOCKS v5 routing entry,

  1. From the Server Manager, choose SOCKS|Routing. The SOCKS v5 Routing form appears.

  2. Select the radio button next to the routing entry that you want to edit.

  3. Click the Edit button.

  4. On the form that appears, edit the appropriate information.

  5. Click OK.


Deleting Routing Entries

To delete a proxy routing entry or a SOCKS v5 routing entry,

  1. From the Server Manager, choose SOCKS|Routing. The SOCKS v5 Routing form appears.

  2. Select the radio button next to the routing entry that you want to delete.

  3. Click the Delete button.


Moving Routing Entries

You may want to change the order of the routing entries in your socks5.conf file. You can do so by moving the routing entries. To move routing entries,

  1. From the Server Manager, choose SOCKS|Routing. The SOCKS v5 Routing form appears.

  2. Select the radio button next to the routing entry that you want to move.

  3. Click the Move button. The SOCKS v5 Move Entry form appears.

  4. From the Move pull-down, choose the position in the socks5.conf file that you want the routing entry to be in. Because you can have multiple routing methods, you need to specify the order in which they are evaluated.

  5. Click OK.


Enabling SOCKS

To enable your SOCKS server,

  1. From the Server Manager, choose SOCKS|On/Off. The SOCKS On/Off form appears.

  2. Click the Server On button.



Authenticating Through a SOCKS Server Chain

You can chain SOCKS servers together in the same manner that you chain proxy servers together. In other words, you can have your SOCKS server route through another SOCKS server.

To set up SOCKS server chaining,

  1. From the Server Manager, choose SOCKS|Routing. The SOCKS v5 Routing form appears.

  2. In the Server Chaining Section, enter your user name and password for authenticating to chained proxy servers.

  3. Click OK.


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated March 28, 2001