Intro

I have ruby software that utilizes a network during its execution.

Recently I got feedback from a user who works behind a firewall and uses SOCKS; this software doesn't work for him.

So I need to simulate this situation to check which part of my software doesn't respect the HTTP_PROXY environment variables.

What I have tried

I tried to simulate this firewall with iptables (inside docker):

    apt-get update -y
    apt-get install iptables
    export SOCKS5_PROXY_HOST=xxx.xxx.xxx.xxx   # see note [1]
    export SOCKS5_PROXY_PORT=ppp
    iptables -A INPUT -s $SOCKS5_PROXY_HOST -j ACCEPT
    iptables -A OUTPUT -d $SOCKS5_PROXY_HOST -j ACCEPT
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    env HTTP_PROXY=$SOCKS5_PROXY_HOST:$SOCKS5_PROXY_PORT ruby my_script.rb

Problem

For some reason, this approach doesn't work and I am getting:

  • Proxy CONNECT aborted or
  • Failed to connect to xxx.xxx.xxx.xxx port pppp: Connection timed out

Notes:

  • [1] I've used an IP address (not a domain name) for the SOCKS proxy
  • [2] I've used different random public SOCKS proxies; before applying the iptables rules they were all reachable
  • [3] The Ruby Open-URI API respects the HTTP_PROXY environment variables https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html, but maybe some third-party code doesn't.

Questions

  1. Is that an acceptable approach: trying to "simulate" firewall with iptables?
  2. Why might this problem appear: is it something SOCKS-specific, or a misconfiguration in my iptables?
  3. Maybe there is a better approach to achieve the same goal: testing that the software works through the SOCKS proxy only, without 'direct' connections?

  • It sounds like you have not written support for SOCKS into your program. This is not something we can help with. Commented Jul 13, 2021 at 9:40
  • @MichaelHampton thanks for the reply. Actually, Ruby respects the HTTP[S]_PROXY environment variables ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html. And the ruby script definitely tries to connect to the SOCKS proxy because in the error message I see the IP of the proxy. I have an assumption that maybe the iptables rules are too restrictive. Commented Jul 13, 2021 at 9:47
  • HTTP(S) proxies are completely different to SOCKS proxies. The protocol is completely different so they cannot be interchanged. It requires special support in your program to connect via SOCKS, e.g. via SOCKSSocket class. Commented Jul 13, 2021 at 9:52
  • @MichaelHampton thanks for the answer, I didn't know that. If you write an answer I will approve it. Thanks. Commented Jul 13, 2021 at 10:48

1 Answer

Thanks a lot @michael-hampton for comments.

Short answers to my own questions:

  1. This approach works perfectly
  2. The issue is on the Ruby side: HTTP_PROXY accepts only HTTP[S] proxies (it doesn't handle SOCKS proxies as curl does)
  3. iptables is probably the simplest one

More details related to programming:
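
The protocol mismatch discussed in the comments and the answer, shown as an added example (not code from the original question or answer). It builds the first bytes an HTTP-proxy client sends, shows how a SOCKS5 server reads them, and performs the SOCKS5 handshake from RFC 1928 on an already connected socket; all method names are hypothetical and the no-authentication method is assumed.

```ruby
require "socket"

# What an HTTP-proxy client (e.g. code honouring HTTP_PROXY) sends first.
def http_connect_request(host, port)
  "CONNECT #{host}:#{port} HTTP/1.1\r\nHost: #{host}:#{port}\r\n\r\n"
end

# RFC 1928 greeting: VER=5, NMETHODS=1, METHODS=[0x00 "no authentication"].
SOCKS5_GREETING = [0x05, 0x01, 0x00].pack("C*")

# RFC 1928 request: VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3 (domain name),
# one length byte, the name, then the port in network byte order.
def socks5_connect_request(host, port)
  raise ArgumentError, "host name longer than 255 bytes" if host.bytesize > 255
  [0x05, 0x01, 0x00, 0x03, host.bytesize].pack("C*") + host.b + [port].pack("n")
end

# How a SOCKS5 server interprets the first two bytes it receives.
def socks5_server_view(first_bytes)
  ver, nmethods = first_bytes.unpack("CC")
  ver == 0x05 && nmethods.to_i > 0 ? :socks5 : :not_socks5
end

# Run the SOCKS5 handshake on an already connected IO (for example
# TCPSocket.new(proxy_host, proxy_port)) and return it as a tunnel.
def socks5_handshake(io, host, port)
  io.write(SOCKS5_GREETING)
  ver, method = io.read(2).to_s.unpack("CC")
  raise "peer is not a SOCKS5 proxy or demands authentication" unless ver == 5 && method == 0
  io.write(socks5_connect_request(host, port))
  ver, rep, _rsv, atyp = io.read(4).to_s.unpack("C4")
  raise "SOCKS5 CONNECT refused (REP=#{rep.inspect})" unless ver == 5 && rep == 0
  addr_len = case atyp
             when 1 then 4                                   # IPv4
             when 4 then 16                                  # IPv6
             when 3 then io.read(1).to_s.unpack1("C").to_i   # domain name
             else raise "unknown ATYP #{atyp.inspect}"
             end
  io.read(addr_len + 2) # discard BND.ADDR and BND.PORT
  io
end

if __FILE__ == $PROGRAM_NAME
  # "CONNECT ..." starts with 0x43 ("C"), which is not SOCKS version 5.
  p socks5_server_view(http_connect_request("example.com", 443)) # :not_socks5
  p socks5_server_view(SOCKS5_GREETING)                          # :socks5
end
```

With the iptables rules from the question in place, only code paths that speak to the proxy in the protocol it actually implements will get through; everything else fails with errors like the ones quoted above.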
