
Red Hat Linux Bible: Fedora and Enterprise Edition

Christopher Negus

Configuring Red Hat Linux as a Proxy Firewall

Red Hat Linux can act as a filtering firewall. With the addition of the socks5 package, Linux can be made to act as a proxy firewall as well. An RPM version of socks5 is available from ftp://ftp.redhat.com/pub/contrib/libc6/i386. Download the socks5 package; then install it as you do any RPM package. With the socks5 package installed in the current directory, type the following at the command line:

# rpm -i socks5*

The program that actually understands the socks protocol and handles the proxy service is the socks5 daemon. Before you use it, however, you must create a socks5.conf file in the /etc directory. Socks5 looks at the /etc/socks5.conf file to learn what protocols and services it can proxy and which computers are enabled to use the proxy service.

Creating the socks5.conf file

The socks5.conf file is divided into six sections. Each section controls a specific aspect of how the socks5 daemon handles a particular connection. After a client computer connects to the proxy server, socks5 sequentially searches through each line of each section and determines what action to take based on the rules that it encounters. It stops if it finds a rule line that matches the connection being processed, so the order of rules is important. The Access Control section is the section that you are likely to use the most.

First, you need to examine some of the syntax that is common to all sections. Each line within any section consists of a keyword followed by several user-definable parameters. The keyword determines what section that line belongs in and what its function is. The parameters tell socks5 such useful things as the source and destination addresses to permit or deny proxy services, what protocols or service ports to permit, and what authentication type to use.

Host-address notation

A host address can be a complete host name or IP address, such as ratbert.glaci.com or 199.170.177.18. It can also be partial, such as .glaci.com or the 199.170.177. IP address. Notice that the partial host name begins with a dot (.) character. This enables socks5 to recognize it as a partial host name and use it to match any host in the glaci.com domain. Similarly, the partial IP address ends with a dot (.) character, enabling socks5 to recognize it as a partial address. It matches any IP address in the 199.170.177.0 subnet.

You may recognize this as the same notation used in the hosts.allow and hosts.deny files that are used by the tcpd daemon. Socks5 does one thing differently, however. Instead of using the keyword ALL as a wildcard to match all hosts, it uses the dash (-) character.

Service port notation

A port can be specified either by the service name as listed in the /etc/services file (such as http or telnet) or by the corresponding integer number (such as 80 or 23). For both the source-host and source-port entries, a dash (-) character can be used to match any host or port.

The ban host section

The ban host section is used to deny proxy services to specific hosts and protocols. A ban host line always starts with the keyword ban followed by a source-host parameter and a source-port parameter, as follows:

ban source-host source-port

The source-host designates the host name or IP address that the connection is coming from. The source-port designates the service port number that the connecting system is requesting. Table 1 lists examples of valid ban host lines.



Table 1  Valid ban host lines

Valid ban host line            Description
ban ratbert.glaci.com http     The host ratbert is not allowed to access the Web server on this system.
ban .glaci.com 1880            No host in the glaci.com domain is allowed access to port 1880 on this system.
ban 199.170.177.22 ptelnet     The host 199.170.177.22 is not allowed to access the proxy telnet service on this system.
ban 199.170.176. -             No host on the 199.170.176.x subnet can access any proxy service on this system.
ban - -                        No host anywhere is allowed to access any proxy service on this system.

The authentication section

An authentication line tells socks5 how it should authenticate connections from a particular host for a particular service. The line always begins with the auth keyword followed by the source-host, source-port, and the type of authentication to use, as follows:

auth source-host source-port auth-methods

Valid auth methods include username/password, Kerberos, any, or none. A single letter (u, k, -, or n) is used to indicate each authentication type, as follows:

  • u — Username/Password
  • k — Kerberos 5
  • - — Any authentication method
  • n — No authentication

The auth-method parameter can be a single authentication type or a comma-separated list of types. If you specify multiple types, socks5 checks them in reverse order so that the last one in the list is the preferred type.

Omitting the authentication section results in any authentication method being allowed for all permitted connections. This is appropriate if you are primarily using socks5 for outgoing proxy services (from your network to the Internet) and thus are permitting or denying connections based on the address and port. This is the most common way of configuring a proxy server.

The interfaces section

The interfaces section is used only if your Linux system is dual-homed, which means that it has more than one network interface. This is usually the case if your Linux system is also acting as a filtering firewall (not just a proxy) or as a router. The interface section enables you to specify different rules for how connections are handled on different interfaces.

The variables and flags section

The variables and flags section is used to adjust the level of logging and debug messages that socks5 generates. Entries in this section always begin with the set keyword followed by the variable being set and the value it is being set to, as shown here:

set variable value

Generally, the default settings are sufficient. Read the Environment section of the socks5 online manual page (by using the man socks5 command) to learn more about setting variables and flags.

The proxies section

Use the proxies section to tell socks5 how and when to relay a connection to another proxy server. This is not a common occurrence in normal Internet usage, but you may have situations on your intranet where this would be useful.

The access-control section

This is probably the most used section of the socks5.conf file. The access-control section is used to permit or deny proxy connections based on the host address or port number of either the source or destination machine. An access-control line always starts with either the keyword permit or the keyword deny. Six required parameters and an optional seventh parameter follow the keyword, as follows:

permit auth cmd src-host dest-host src-port dest-port [user-list]
deny auth cmd src-host dest-host src-port dest-port [user-list]

After a client computer connects to the proxy server, socks5 scans through the list of access-control lines until it finds one that matches the incoming connection. If even a single parameter on a line does not match the connection, that line is not considered a match, and socks5 continues to the next line. If no matching lines are found, socks5 denies the connection. If a match is found, socks5 looks at the keyword for that line and permits or denies the connection, as appropriate.

The auth parameter is used to describe the authentication methods allowed for the connection.

The cmd parameter is used to tell socks5 what sort of actions can be performed on a particular connection. The allowed values are as follows:

  • c — Connect
  • b — Bind
  • u — UDP
  • p — Ping
  • t — Traceroute
  • - — All Commands

The src-host parameter matches the host name or IP address of the connecting machine, while the dest-host parameter matches the host name or address of the machine it is trying to connect to. Similarly, the src-port matches the service port number that the client machine is connecting to, and the dest-port matches the port number that the proxy server is redirecting the connection to.

The user-list is an optional parameter that can limit the connection to only the specified users. It is a comma-separated list of user names with no spaces.

As you can see, many of the capabilities of the other sections are also available in the access section. Having a socks5.conf file that contains only permit and deny access lines is not uncommon. Following is an example of a socks5.conf file in which each permit or deny line is preceded by a comment that explains its function:

# Sample socks5.conf file
# Allow hosts in the 199.170.177.x subnet to access
# the web (http protocol) through proxy port 1880
permit - - 199.170.177. - 1880 http
# Allow any host within the glaci.com domain to
# connect to the proxy telnet service. Require
# user/password authentication to access it.
permit u c .glaci.com - ptelnet telnet

# Deny all other connections
deny - - - - - -
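As an added example (not code from the book or from the socks5 package), the following Python model applies the host-address and service-port notation described earlier in the chapter and the access-control scan described above (first matching line wins, every parameter must match, no match means deny) to the sample socks5.conf lines. The SERVICES table is a constructed subset of /etc/services; the ptelnet name is compared by name only, and the connection dictionaries are constructed inputs.

```python
# Added example (not the book's or socks5's own code): a model of how the
# access-control section is matched, using the chapter's host and port notation.
SERVICES = {"http": 80, "telnet": 23}  # constructed /etc/services subset;
                                       # unlisted names (e.g. ptelnet) compare by name
SAMPLE_CONF = """# the chapter's sample access-control lines
permit - - 199.170.177. - 1880 http
permit u c .glaci.com - ptelnet telnet
deny - - - - - -
"""

def host_matches(pattern, host):
    """'-' is any host, '.dom' a domain suffix, '1.2.3.' an address prefix."""
    if pattern == "-":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    if pattern.endswith("."):
        return host.startswith(pattern)
    return host == pattern

def canon_port(p):
    """Ports may be numbers or /etc/services names; normalise for comparison."""
    return int(p) if p.isdigit() else SERVICES.get(p, p)

def port_matches(pattern, port):
    return pattern == "-" or canon_port(pattern) == canon_port(port)

def parse_rules(text):
    """Fields: action auth cmd src-host dest-host src-port dest-port [user-list]."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # '#' starts a comment
        if len(fields) >= 7:
            users = fields[7].split(",") if len(fields) > 7 else None
            rules.append(tuple(fields[:7]) + (users,))
    return rules

def decide(rules, conn):
    """First matching line wins; every field must match; no match means deny."""
    for action, auth, cmd, sh, dh, sp, dp, users in rules:
        if ((auth == "-" or conn["auth"] in auth.split(","))
                and (cmd == "-" or conn["cmd"] == cmd)
                and host_matches(sh, conn["src_host"])
                and host_matches(dh, conn["dest_host"])
                and port_matches(sp, conn["src_port"])
                and port_matches(dp, conn["dest_port"])
                and (not users or conn.get("user") in users)):
            return action
    return "deny"  # socks5 denies anything no line matches
```

Dropping the trailing deny line from the sample makes no difference to the outcome for unmatched connections, which is worth checking when auditing a configuration that relies on the implicit default.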

You can find additional socks5.conf examples in the examples directory within the main socks directory. The man page for socks5.conf also has additional useful information.

Starting socks5 services

If you install the socks5 RPM, your Red Hat Linux system is automatically set up to start the socks5 service. After your system boots, the /etc/init.d/socks5 script is run from the appropriate run-level directory (for system states 3, 4, and 5). If you want to start the service immediately, type the following as root user:

# /etc/init.d/socks5 start

This results in socks5 daemons running on your computer to handle incoming requests for proxy service.




ISBN 0-7645-4333-4

Wiley Technology Publishing