2

Intro

I have Ruby software that uses the network during its execution.

Recently I got feedback from a user who works behind a firewall and uses SOCKS: this software doesn't work for him.

So I need to simulate this situation to check which part of my software doesn't respect the HTTP_PROXY environment variables.

What I have tried

I tried to simulate this firewall with iptables (inside docker):


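```bash
apt-get update -y
apt-get install -y iptables

# [1] IP address and port of the SOCKS proxy
export SOCKS5_PROXY_HOST=xxx.xxx.xxx.xxx
export SOCKS5_PROXY_PORT=ppp

# Allow traffic to and from the proxy only, then drop everything else
iptables -A INPUT -s "$SOCKS5_PROXY_HOST" -j ACCEPT
iptables -A OUTPUT -d "$SOCKS5_PROXY_HOST" -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Run the script with the proxy passed through HTTP_PROXY
env HTTP_PROXY="$SOCKS5_PROXY_HOST:$SOCKS5_PROXY_PORT" ruby my_script.rb
```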

Problem

For some reason, this approach doesn't work and I am getting:

  • Proxy CONNECT aborted or
  • Failed to connect to xxx.xxx.xxx.xxx port pppp: Connection timed out

Notes:

  • [1] I've used an IP address (not a domain name) for the SOCKS proxy
  • [2] I've used different random public SOCKS proxies; before applying the iptables rules they were all reachable
  • [3] The Ruby Open-URI API respects the HTTP_PROXY environment variables https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html, but maybe some third-party code doesn't.

Questions

  1. Is this an acceptable approach: trying to "simulate" a firewall with iptables?
  2. Why might this problem appear: is it something SOCKS-specific, or a misconfiguration in my iptables?
  3. Maybe there is a better approach to achieve the same goal: test that the software works through the SOCKS proxy only, without 'direct' connections?
CAMOBAP
  • 131
  • 5
  • It sounds like you have not written support for SOCKS into your program. This is not something we can help with. – Michael Hampton Jul 13 '21 at 09:40
  • 1
    @MichaelHampton thanks for the reply. Actually, Ruby respects the `HTTP[S]_PROXY` environment variables https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html. And the Ruby script definitely tries to connect to the SOCKS proxy, because in the error message I see the IP of the proxy. I have an assumption that maybe the `iptables` rules are too restrictive – CAMOBAP Jul 13 '21 at 09:47
  • 2
    HTTP(S) proxies are completely different to SOCKS proxies. The protocol is completely different so they cannot be interchanged. It requires special support in your program to connect via SOCKS, e.g. via [SOCKSSocket class](https://ruby-doc.org/stdlib-2.6.3/libdoc/socket/rdoc/SOCKSSocket.html). – Michael Hampton Jul 13 '21 at 09:52
  • @MichaelHampton thanks for the answer, I didn't know that. If you write an answer, I will approve it. Thanks – CAMOBAP Jul 13 '21 at 10:48

1 Answer

1

Thanks a lot @michael-hampton for comments.

Short answers to my own questions:

  1. This approach works perfectly
  2. The issue is on the Ruby side: HTTP_PROXY accepts only HTTP[S] proxies (it doesn't handle SOCKS proxies as curl does)
  3. Probably iptables is the simplest one

More details related to programming:

CAMOBAP
  • 131
  • 5
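
The protocol difference raised in the comments and in item 2 of the answer, as an added example that is not part of the original posts: a loopback listener stands in for the proxy, records the first bytes Ruby's Net::HTTP sends to it, and a classifier names the protocol. The names `classify_proxy_greeting`, `capture_first_bytes`, `net_http_greeting` and the host `example.invalid` are hypothetical, chosen for this example.

```ruby
require 'socket'
require 'net/http'

# Constructed sample: a SOCKS5 client's first message (RFC 1928): VER=5, 1 method, "no auth".
SOCKS5_GREETING = [0x05, 0x01, 0x00].pack('C*')

# Name the proxy protocol from the first bytes a client sends to a proxy port.
def classify_proxy_greeting(bytes)
  data = bytes.to_s.b
  return :empty        if data.empty?
  return :socks5       if data.getbyte(0) == 0x05              # SOCKS5 version byte
  return :socks4       if data.getbyte(0) == 0x04              # SOCKS4 version byte
  return :http_connect if data.start_with?('CONNECT ')         # HTTP tunnel, used for https://
  return :http_forward if data.match?(%r{\A[A-Z]+ https?://})  # absolute-URI request, plain http://
  :unknown
end

# Hypothetical helper: accept one loopback connection and return the client's first bytes.
def capture_first_bytes(wait: 3)
  server = TCPServer.new('127.0.0.1', 0) # port 0: the OS picks a free port
  listener = Thread.new do
    client = server.accept
    begin
      client.readpartial(4096)
    rescue EOFError
      '' # client connected but sent nothing
    ensure
      client.close
    end
  end
  yield server.addr[1]
  listener.join(wait) ? listener.value : '' # '' also when nothing ever connected
ensure
  server&.close
end

# Point Net::HTTP at the fake proxy and return what it says to it first.
def net_http_greeting(target_host = 'example.invalid', tls: false)
  capture_first_bytes do |proxy_port|
    http = Net::HTTP.new(target_host, tls ? 443 : 80, '127.0.0.1', proxy_port)
    http.use_ssl = tls
    http.open_timeout = http.read_timeout = 2
    http.max_retries = 0 # do not reconnect after the fake proxy hangs up
    begin
      http.get('/')
    rescue StandardError
      nil # expected: the fake proxy closes the connection after its first read
    end
  end
end
```

Replacing the Net::HTTP call in the block with a call into a third-party library shows what that library does with the proxy setting: an HTTP result means it speaks HTTP to the proxy, and an empty result means it never connected to the proxy at all.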