transparent SOCKS proxy

Tobias Wagner
      03-02-2005, 09:40 PM
How can I configure my router to route traffic from LAN to the Internet
through a SOCKS5 proxy?
Any link to further documentation on that would be helpful, too.

Thanks,
Tobi
 
Jose Maria Lopez Hernandez
      03-03-2005, 10:42 AM
Tobias Wagner wrote:
> How can I configure my router to route traffic from LAN to the Internet
> through a SOCKS5 proxy?
> Any link to further documentation on that would be helpful, too.


You can use sockified applications to use the socks proxy, or you
can use the sockify program to use applications that can't handle
the protocol.

> Thanks,
> Tobi


Regards.

--

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
(E-Mail Removed)
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
 
 
Tobias Wagner
      03-04-2005, 07:53 AM
Jose Maria Lopez Hernandez wrote:
> Tobias Wagner wrote:
>
>> How can I configure my router to route traffic from LAN to the
>> Internet through a SOCKS5 proxy?
>> Any link to further documentation on that would be helpful, too.

>
>
> You can use sockified applications to use the socks proxy,


No I can't. I have no access to the clients. I only have access to the
_router_.

> or you can use the sockify program to use applications that can't
> handle the protocol.


That's a client based solution, too.

I need a router based (transparent for the clients) solution.
Obviously I need to fiddle around with netfilter, but don't know how.

Cheers,
Tobi
 
 
David Schwartz
      03-04-2005, 10:51 AM

"Tobias Wagner" <(E-Mail Removed)> wrote in message
news:d097n9$4am$(E-Mail Removed)...
> Jose Maria Lopez Hernandez wrote:
>> Tobias Wagner wrote:
>>
>>> How can I configure my router to route traffic from LAN to the Internet
>>> through a SOCKS5 proxy?
>>> Any link to further documentation on that would be helpful, too.

>>
>>
>> You can use sockified applications to use the socks proxy,

>
> No I can't. I have no access to the clients. I only have access to the
> _router_.
>
> > or you can use the sockify program to use applications that can't
> > handle the protocol.

>
> That's a client based solution, too.
>
> I need a router based (transparent for the clients) solution.
> Obviously I need to fiddle around with netfilter, but don't know how.


It's fundamentally impossible. Suppose a client starts listening for UDP
packets on port 4201. How would the router know to tell the socks proxy to
start listening on that port?

DS


 
 
Tobias Wagner
      03-04-2005, 11:22 AM
David Schwartz wrote:
> It's fundamentally impossible. Suppose a client starts listening for UDP
> packets on port 4201. How would the router know to tell the socks proxy to
> start listening on that port?


The router is configured as a firewall, so if a client listens on a
port, clients inside the firewall can connect, from outside they can't.
That's how it should be.

I only want the router to forward outgoing traffic through a SOCKS
proxy, without the clients knowing anything of the proxy. That's how
transparent http proxies work, too...

Cheers,
Tobi
 
 
David Schwartz
      03-04-2005, 11:41 AM

"Tobias Wagner" <(E-Mail Removed)> wrote in message
news:d09jv3$clh$(E-Mail Removed)...

> David Schwartz wrote:


>> It's fundamentally impossible. Suppose a client starts listening for
>> UDP packets on port 4201. How would the router know to tell the socks
>> proxy to start listening on that port?


> The router is configured as a firewall, so if a client listens on a port,
> clients inside the firewall can connect, from outside they can't. That's
> how it should be.


You realize that this causes lots of protocols to break. Some forms of
FTP are broken by this. File sharing protocols are broken by this.

> I only want the router to forward outgoing traffic through a SOCKS proxy,
> without the clients knowing anything of the proxy. That's how transparent
> http proxies work, too...


Then just set the firewall up as a NAT box and configure it to use the
socks proxy.

DS


 
 
Jose Maria Lopez Hernandez
      03-04-2005, 12:28 PM
David Schwartz wrote:
> Then just set the firewall up as a NAT box and configure it to use the
> socks proxy.


I don't think that could work, because the socks proxy can't act
like the squid transparent proxy acts. So you need sockified
applications if you want to use SOCKS.

> DS


Regards.

 
 
David Schwartz
      03-04-2005, 12:47 PM

"Jose Maria Lopez Hernandez" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> David Schwartz wrote:


>> Then just set the firewall up as a NAT box and configure it to use
>> the socks proxy.


> I don't think that could work, because the socks proxy can't act
> like the squid transparent proxy acts. So you need sockified
> applications if you want to use SOCKS.


The only application in this case is NAT.

DS


 
 
Tobias Wagner
      03-04-2005, 12:52 PM
David Schwartz wrote:
>>I only want the router to forward outgoing traffic through a SOCKS proxy,
>>without the clients knowing anything of the proxy. That's how transparent
>>http proxies work, too...

>
>
> Then just set the firewall up as a NAT box and configure it to use the
> socks proxy.


That is exactly what I want to know. How is this done?
The NAT box should talk with the socks proxy, completely transparent to
the clients...

Cheers,
Tobi
 
 
David Schwartz
      03-04-2005, 12:58 PM

"Tobias Wagner" <(E-Mail Removed)> wrote in message
news:d09p6b$g4i$(E-Mail Removed)...

>> Then just set the firewall up as a NAT box and configure it to use
>> the socks proxy.


> That is exactly what I want to know. How is this done?
> The NAT box should talk with the socks proxy, completely transparent to
> the clients...


On the firewall, you run NAT, and you redirect the NATed packets to a
socks *client* program. Be careful not to route your own outbound/inbound
socks traffic into the NAT, which would create an infinite loop.

In sum:

Client machine <-> NAT <-> socks client <-> socks server <-> Internet

So packets received from client machines bound for internet sites must
be redirected to the socks client program. Packets to the socks server must
not be sent to the socks client. Packets from the socks client must be sent
to the socks server, not NATed!

DS
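
An added example, not part of the thread: the core of the "socks client" program in the diagram above, for TCP only. It assumes a Linux router whose iptables REDIRECT rule hands LAN connections to the program; the interface `eth1`, port 12345 and SOCKS server 192.0.2.10 are constructed values.

```python
import socket
import struct

SO_ORIGINAL_DST = 80  # <linux/netfilter_ipv4.h>; not exported by Python's socket module

# Assumed router rules (constructed; eth1 = LAN side, 12345 = this program's port,
# 192.0.2.10 = the SOCKS server). The RETURN rule comes first so that traffic
# addressed to the SOCKS server itself is never redirected:
#   iptables -t nat -A PREROUTING -i eth1 -p tcp -d 192.0.2.10 -j RETURN
#   iptables -t nat -A PREROUTING -i eth1 -p tcp -j REDIRECT --to-ports 12345

def parse_sockaddr_in(raw):
    """Decode struct sockaddr_in: u16 family, u16 port (network order), 4-byte address."""
    port, addr = struct.unpack_from("!H4s", raw, 2)
    return socket.inet_ntoa(addr), port

def original_dst(conn):
    """Destination the LAN client dialled before REDIRECT rewrote it (Linux only)."""
    return parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))

def socks5_connect_request(ip, port):
    """RFC 1928 request: VER=5, CMD=1 (CONNECT), RSV=0, ATYP=1 (IPv4), address, port."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(ip) + struct.pack("!H", port)

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS server closed the connection")
        buf += chunk
    return buf

def open_via_socks(dst, socks_server, timeout=10):
    """Return a socket tunnelled to dst through socks_server (no authentication)."""
    if dst == socks_server:
        raise ValueError("destination is the SOCKS server itself: would loop")
    up = socket.create_connection(socks_server, timeout)
    up.sendall(b"\x05\x01\x00")                  # greeting: offer "no auth" only
    if recv_exact(up, 2) != b"\x05\x00":
        raise ConnectionError("SOCKS server refused the no-auth method")
    up.sendall(socks5_connect_request(*dst))
    _, rep, _, atyp = recv_exact(up, 4)
    if rep != 0:
        raise ConnectionError(f"SOCKS CONNECT failed, reply code {rep}")
    # Drain BND.ADDR and BND.PORT so the stream starts at application data.
    addr_len = {1: 4, 4: 16}.get(atyp) or recv_exact(up, 1)[0]
    recv_exact(up, addr_len + 2)
    return up
```

The program's own connection to the SOCKS server is locally generated, so it traverses OUTPUT rather than PREROUTING and is not redirected again. `socks_server` must be given as an IP literal for the loop check to compare correctly, and UDP is not handled by these rules.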


 