
Setting Up Socks4 and Socks5 server on Linux or FreeBSD

Original of this document is available at http://www.okcforum.org/~markg/Firewall-HOWTO-12.html

This tutorial will show you how to set up a secure SOCKS proxy server.

The SOCKS proxy server is available from http://www.socks.nec.com/.
Uncompress and untar the files into a directory on your system, and follow the instructions on how to make it. I had a couple of problems when I made it. Make sure that your Makefiles are correct.
One important thing to note is that the proxy server needs to be added to /etc/inetd.conf. You must add the line:

socks stream tcp nowait nobody /usr/local/etc/sockd sockd

to tell the server to run when requested.

Configuring the Socks Proxy Server

The SOCKS program needs two separate configuration files. One tells which access is allowed, and the other routes the requests to the appropriate proxy server. The access file should be housed on the server. The routing file should be housed on every UNIX machine. The DOS and, presumably, Macintosh computers will do their own routing.

With socks4.2 Beta, the access file is called "sockd.conf". It should contain two lines, a permit and a deny line. Each line will have three entries:

The Identifier (permit/deny)
The IP address
The address modifier
The identifier is either permit or deny. You should have both a permit and a deny line.

The IP address holds a four byte address in typical IP dot notation. I.E.

The address modifier is also a four-byte number in IP dot notation. It works like a netmask. Think of this number as 32 bits (1s or 0s). If a bit is 1, the corresponding bit of the address being checked must match the corresponding bit in the IP address field. For instance, if the line is:


it will permit only the IP address that matches every bit in, eg, only The line:


will permit every number within group through, the whole C Class domain. One should not have the line:


as this will permit every address, regardless.

So, first permit every address you want to permit, and then deny the rest. To allow everyone in the domain 192.168.2.xxx, the lines:


will work nicely. Notice the first "" in the deny line. With a modifier of, the IP address field does not matter. All 0's is the norm because it is easy to type.
More than one entry of each is allowed.
Specific users can also be granted or denied access. This is done via ident authentication. Not all systems support ident, including Trumpet Winsock, so I will not go into it here. The documentation with socks is quite adequate on this subject.
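To show how the permit/deny lines above actually decide, here is an added Python example (not code from the original HOWTO or from the SOCKS distribution) that parses a constructed sockd.conf and applies the address/modifier test with first-match semantics. The 192.168.2.x sample addresses and the "no matching line means deny" default are assumptions; the routing file uses the same address/modifier comparison.

```python
import ipaddress

# Constructed sample access file (not from the original page). Lines are
# checked top to bottom; the first one whose masked address matches wins.
SOCKD_CONF = """\
# permit the whole 192.168.2.x class C, then deny everyone else
permit 192.168.2.0 255.255.255.0
deny   0.0.0.0     0.0.0.0
"""

def _to_int(dotted):
    """Convert dotted-quad notation to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def parse_access_file(text):
    """Return a list of (action, address, modifier) tuples from sockd.conf text."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        if len(fields) != 3 or fields[0].lower() not in ("permit", "deny"):
            raise ValueError(f"malformed access line: {raw!r}")
        rules.append((fields[0].lower(), _to_int(fields[1]), _to_int(fields[2])))
    return rules

def check_access(rules, client_ip):
    """Decide permit/deny for client_ip using first-match semantics.

    A 1 bit in the modifier forces that bit of the client address to equal
    the same bit of the rule address; 0 bits are ignored, so a modifier of
    0.0.0.0 matches every address regardless of the address field.
    """
    ip = _to_int(client_ip)
    for action, addr, mask in rules:
        if (ip & mask) == (addr & mask):
            return action
    return "deny"  # assumption: no matching line means no access

def mask_is_wildcard(rule):
    """True for a permit line with a 0.0.0.0 modifier, which opens the proxy to everyone."""
    action, _addr, mask = rule
    return action == "permit" and mask == 0

if __name__ == "__main__":
    rules = parse_access_file(SOCKD_CONF)
    for ip in ("192.168.2.23", "192.168.3.23"):
        print(ip, "->", check_access(rules, ip))
    bad = parse_access_file("permit 192.168.2.0 0.0.0.0\n")
    print("wildcard permit lines:", [r for r in bad if mask_is_wildcard(r)])
```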

The Routing File

The routing file in SOCKS is poorly named "socks.conf". I say "poorly named" because it is so close to the name of the access file that it is easy to get the two confused. The routing file is there to tell the SOCKS clients when to use socks and when not to. For instance, in our network, will not need to use socks to talk with, firewall. It has a direct connection in via Ethernet. It defines, the loopback, automatically. Of course you do not need SOCKS to talk to yourself. There are three entries:


Deny tells SOCKS when to reject a request. This entry has the same three fields as in sockd.conf, identifier, address and modifier. Generally, since this is also handled by sockd.conf, the access file, the modifier field is set to If you want to preclude yourself from calling any place, you can do it here.
The direct entry tells which addresses to not use socks for. These are all the addresses that can be reached without the proxy server. Again we have the three fields, identifier, address and modifier. Our example would have


Thus going direct for any on our protected network.
The sockd entry tells the computer which host has the socks server daemon on it. The syntax is:

sockd @=<serverlist> <IP address> <modifier>

Notice the @= entry. This allows you to set the IP addresses of a list of proxy servers. In our example, we only use one proxy server. But you can have many to allow a greater load and for redundancy in case of failure. The IP address and modifier fields work just like in the other examples. You specify which addresses go where through these.

DNS from behind a Firewall

Setting up Domain Name Service from behind a firewall is a relatively simple task. You need merely to set up the DNS on the firewalling machine. Then, set each machine behind the firewall to use this DNS.


Copyright © 2003-2016 The UnixCities.com
All rights reserved