News Group Posts

Explaining SOCKS vs. NAT

Although you don't often hear about SOCKS any more, it still exists. Aside from specific SOCKS software, ssh with -D will create a SOCKS server. That can sometimes be more convenient than ssh tunnels.

Note that the SSH configuration at the server you are connecting to with -D must have "AllowTcpForwarding yes" in its sshd_config. If it doesn't, then you need the ability to set up a forwarder there as ssh isn't going tp do that for you.

Direct support for SOCKS is variable in browsers because most people who need to proxy HTTP simply use HTTP proxying. The differene is that the built in HTTP proxying only handles browsing; SOCKS will proxy anything.

From: tangentSPAMCATCHER@cyberport.com (Warren Young)
Newsgroups: comp.unix.sco.misc
Subject: Re: Oddball Networking Question
Date: Thu, 10 Jun 1999 20:18:54 GMT
Message-ID: <37600b35.2953125@news.cyberport.com> 
References: <eH_63.480$%a7.61575@news.uswest.net>
<7jjj2d$mi1$1@ionews.ionet.net>
<fIh73.369$N3.35953@news.uswest.net>
<375E2645.B54F526E@ilion.nl> 

Tony Earnshaw <tonye@ilion.nl> wrote the following, proving once again
that the fastest way to get a question answered correctly on Usenet is
to post the wrong answer:

>Larry McFarlane wrote:
>
>internal net and one on the Internet. It uses NEC's socks5 proxy,
>compiled to support threaded mode (light weight processes) to minimize
>use of resources (CPU and memory). It translates requests from the IP
>number of each client to the IP number of the Internet NIC and back
>again for incoming packets. This is variously known as NAT and IP
>Masquerading. It'll give you what you want, most probably, including
>Quake.

SOCKS is not masquerading or NAT -- it's proxying.  The difference is
that with a proxy, one computer asks another to do something for it;
the proxy does what you ask, and returns the results.  In the case of
SOCKS, the clients open special connections to the SOCKS server,
asking it to open the "real" connection to the remote server.  The
SOCKS server acts as a relay, translating between HTTP or whatever on
the outbound leg to SOCKS on the inbound leg.

IP masquerading is one type of NAT where one of the network's members
(usually a gateway) translates the addresses in the packets it
receives as part of its gateway duties based on some rule.  The simple
example is that all "internal" addresses are translated to the one
outbound address.  The masquerading box also translates IP port
numbers, which it uses to de-multiplex incoming replies, so it can
send them on to the proper internal machines.

This difference is important for a number of reasons.  First, to use a
proxy, a program must have specific support for it.  NEC's SOCKSCap
lets you get around this limitation by getting in between a
SOCKS-ignorant program and the platform's network API in order to
translate the calls.  

Still, even with a SOCKSifier, you can run into limitations.  For
example, classic FTP doesn't work through a SOCKSifier due to the way
the protocol works -- you have to use the so-called "passive" mode of
FTP.  Chat, game and multimedia protocols are also notorious for not
working through dumb SOCKSifiers.  (This is as opposed to smart
SOCKSifiers which know the protocols in question and can re-write the
data stream on the fly to make it work.)

Masquerading, on the other hand, works with nearly everything, because
it's transparent to the application.  In the few cases where standard
masquerading doesn't work, there are usually smart stream re-writers
available that work at the gateway, rather than requiring trickery on
the client.

As mentioned in other parts of this thread, Linux and other operating
systems have good masquerading support already.  I've run NEC SOCKS
myself (both on Linux and on NT), and while it works well for a
limited set of applications (albeit the most important subset), it
isn't nearly as foolproof as masquerading.  I wouldn't go back for
anything.

Don't discard the Linux option: you can easily set up a dedicated,
headless 486 for this, and then put the SCO box behind the
masquerading box along with the Windows boxes.  We're running a
UnixWare box here at work that sits behind a 486/66 Linux box with 16
MB of RAM and a 500 MB hard drive along with an assortment of half a
dozen other machines (Win9x, WinNT, more Linux).  It all works
beautifully, and the Linux box's idle time only goes below 95% when
it's booting.  B-)

Also note that with Linux 2.2, the packet-filtering code makes for a
very good firewall.  I can send you a script that will both turn on
masquerading and set up a nearly bulletproof firewall.  (Bulletproof
by dint of not allowing hardly any incoming connections or ICMP/UDP
requests.  Once you start responding to inbound requests,
bulletproofness becomes just a wee bit harder to achieve.  B-) )

>NEC's socks5 proxy has to be obtained as source code from NEC's site,
>and you'll have to compile it and configure it yourself to suit your own
>needs. No socks4 proxy servers support UDP connections, there are other
>socks5 servers than NEC's that support a full range of UDP services
>(e.g. the Norwegian Dante). NEC also supplies a commercial version of
>its socks5 server, but you probably won't want to pay for it.

You left out a few things here:

1. The URL: www.socks.nec.com

2. You imply that the free version of the socks5 server is commercial,
and you'll need that to do UDP.  In fact the free version is fully
socks5-compliant -- it's the reference implementation of SOCKS, after
all.

My advice: go ahead and try SOCKS, but I'll bet you'll find that Quake
won't work through it, and that you'll find the SOCKSifying hassle
required with other applications more trouble than it's worth.

Good luck,

= Warren -- http://www.cyberport.com/~tangent/

This post explained more about Quake and SOCKS:

From - Fri Jun 11 07:45:42 1999
From: jeffl@comix.santa-cruz.ca.us (Jeff Liebermann)
Newsgroups: comp.unix.sco.misc
Subject: Re: Oddball Networking Question
Date: Fri, 11 Jun 1999 06:53:56 GMT
Message-ID: <3761a333.9184258@news.ricochet.net> 

On Thu, 10 Jun 1999 20:18:54 GMT, tangentSPAMCATCHER@cyberport.com
(Warren Young) wrote:

>My advice: go ahead and try SOCKS, but I'll bet you'll find that Quake
>won't work through it, and that you'll find the SOCKSifying hassle
>required with other applications more trouble than it's worth.

You might find that:

        http://users.nais.com/~nevo/masq/
(link dead, sorry)
will ease the pain.  The site is geared toward Linux IP Maquerade but the
information is equally applicable to proxy servers.  Proxy servers
require service definitions for each port number.  If you want Doom, you
configure a proxy for port 666.  Quake gets 26000.  AOL gets 5190-5193.
I inherited a customer with a SOCKS4 (not 5) proxy server, for a 30 user
lan, that was during into a configuration nightmare and whose firewall
started looking like swiss cheeze with all the holes and tweaks.  I would
have used SOCKS5 but far too many applications couldn't handle the
automatic login+password authentication to the SOCKS server.  Proxy
servers provide better security the simple packet filters but I would not
use one for a small lan.

Back to the original question.  The problem with Quake is that the remote
Quake server is not smart enough to recognize multiple players hiding
behind a single PAT port translating firewall or proxy server.  To the
Quake server, everything from the user site looks like it's coming from
one IP address and therefore from one user.  It's one player at a time
connecting to the Quake game server or you get a mess.  (Can you tell
what I do in my spare time?)


-- 
Jeff Liebermann  150 Felker St #D  Santa Cruz CA 95060
(831)421-6491 pgr (831)426-1240 fax (831)336-2558 home
http://www.cruzio.com/~jeffl   WB6SSY
jeffl@comix.santa-cruz.ca.us   jeffl@cruzio.com

Comments?

More Articles by Tony Lawrence

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.