Prove that software works via SOCKS

Intro

I have Ruby software that uses the network during its execution.

Recently I got feedback from a user who works behind a firewall and uses SOCKS: this software doesn't work for him.

So I need to simulate this situation to check which part of my software doesn't respect the HTTP_PROXY environment variables.

What I have tried

I tried to simulate this firewall with iptables (inside docker):


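apt-get update -y
apt-get install -y iptables

# Address and port of the SOCKS5 proxy (see note [1])
export SOCKS5_PROXY_HOST=xxx.xxx.xxx.xxx
export SOCKS5_PROXY_PORT=ppp

# Allow traffic to and from the proxy only; drop everything else
iptables -A INPUT -s "$SOCKS5_PROXY_HOST" -j ACCEPT
iptables -A OUTPUT -d "$SOCKS5_PROXY_HOST" -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Run the script with the proxy taken from the environment
env HTTP_PROXY="$SOCKS5_PROXY_HOST:$SOCKS5_PROXY_PORT" ruby my_script.rb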

Problem

For some reason, this approach doesn't work and I am getting:

  • Proxy CONNECT aborted or
  • Failed to connect to xxx.xxx.xxx.xxx port pppp: Connection timed out

Notes:

  • [1] I've used IP address (not domain name) for SOCKS proxy
  • [2] I've used different random public SOCKS proxies; before applying the iptables rules they were all reachable
  • [3] The Ruby Open-URI API respects the HTTP_PROXY environment variables (https://ruby-doc.org/stdlib-2.6.3/libdoc/open-uri/rdoc/OpenURI.html), but maybe some third-party code doesn't.

Questions

  1. Is that an acceptable approach: trying to "simulate" firewall with iptables?
  2. Why might this problem appear: is it something SOCKS-specific, or a misconfiguration in my iptables?
  3. Maybe there is a better approach to achieve the same goal: testing that the software works through a SOCKS proxy only, without 'direct' connections?

Solution 1:

Thanks a lot @michael-hampton for comments.

Short answers to my own questions:

  1. This approach works perfectly
  2. The issue is on the Ruby side: HTTP_PROXY accepts only HTTP[S] proxies (it doesn't handle a SOCKS proxy as curl does)
  3. iptables is probably the simplest one

More details related to programming:

  • My software uses the git gem, which doesn't handle HTTP_PROXY, and any proxy needs to be set up explicitly. Good guide on how this can be accomplished
  • socksify can help to add support easily
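
Why a Ruby client driven by HTTP_PROXY cannot talk to a SOCKS server, as an added example (not code from the original post): a loopback stub records the first bytes Net::HTTP sends to the configured proxy and classifies them against the SOCKS5 greeting defined in RFC 1928. The helper names, the 192.0.2.1 target and the http:// proxy URL are assumptions made for the example.

```ruby
require "net/http"
require "socket"

# Constructed sample: SOCKS5 greeting (RFC 1928): VER=5, NMETHODS=1, METHOD=0 (no auth).
SOCKS5_GREETING = "\x05\x01\x00".b

# Name the proxy protocol a client is speaking from the first bytes it sends.
def classify_proxy_dialect(bytes)
  b = bytes.b
  return :empty if b.empty?
  return :socks4 if b.getbyte(0) == 0x04
  if b.getbyte(0) == 0x05
    n = b.getbyte(1).to_i # number of auth methods that must follow
    return n > 0 && b.bytesize >= 2 + n ? :socks5 : :malformed_socks5
  end
  return :http_connect if b.start_with?("CONNECT ") # HTTPS through an HTTP proxy
  b.match?(%r{\A[A-Z]+ \S+ HTTP/1\.[01]\r?\n}) ? :http_forward : :unknown
end

# Accept one connection on a loopback port, run the block against that port,
# and return the first bytes the client wrote (the stub never answers).
def capture_first_bytes
  server = TCPServer.new("127.0.0.1", 0)
  reader = Thread.new do
    conn = server.accept
    data = conn.readpartial(512) rescue "" # client hung up without sending
    conn.close
    data
  end
  begin
    yield server.addr[1]
  rescue StandardError # expected: the stub hangs up without replying
  end
  reader.join(5) ? reader.value : ""
ensure
  server&.close
end

# Net::HTTP with the proxy taken from the environment (hypothetical helper).
def ruby_http_via_env_proxy(port)
  ENV["http_proxy"] = "http://127.0.0.1:#{port}"
  http = Net::HTTP.new("192.0.2.1", 80) # TEST-NET-1 address, never contacted directly
  http.open_timeout = http.read_timeout = 3
  http.max_retries = 0
  http.get("/")
end

if $PROGRAM_NAME == __FILE__
  seen = capture_first_bytes { |port| ruby_http_via_env_proxy(port) }
  puts "Net::HTTP sent #{classify_proxy_dialect(seen)}; SOCKS5 expects #{classify_proxy_dialect(SOCKS5_GREETING)}"
end
```

Pointing the same stub at any other client under test (through the block passed to capture_first_bytes) shows whether that client speaks SOCKS or HTTP to the proxy port before any iptables rules are involved.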