

Hi,

To really understand the socksification mechanism, go to the Hummingbird
site; they make the most popular and best SOCKS client for Windows (and
it is free).
There is a page there that explains this mechanism a little.
Otherwise you have the IP Masquerade HOWTO, which explains this whole
proxy / NAT / SOCKS mechanism ...

I am copying the contents of chapter 7 below.


See you,
palmo


How does IP Masquerade differ from Proxy or NAT services?

Proxy:  Proxy servers are available for: Win95, NT, Linux, Solaris, etc.

  Pro:  + (1) IP address ; cheap
   + Optional caching for better performance (WWW, etc.)

  Con: - All applications behind the proxy server must both SUPPORT
     proxy services (SOCKS) and be CONFIGURED to use the Proxy
     server
   - Screws up WWW counters and WWW statistics

  A proxy server uses only (1) public IP address, like IP MASQ, and acts
  as a translator to clients on the private LAN (WWW browser, etc.).
  This proxy server receives requests like TELNET, FTP, WWW,
  etc. from the private network on one interface.  It would then in turn,
  initiate these requests as if someone on the local box was making the
  requests.   Once the remote Internet server sends back the requested
  information, it would re-translate the TCP/IP addresses back to the
  internal MASQ client and send traffic to the internal requesting host.
  This is why it is called a PROXY server.

  Note:  ANY applications that you might want to use on the
   internal machines *MUST* have proxy server support
   like Netscape and some of the better TELNET and FTP
   clients.  Any clients that don't support proxy servers
   won't work.

  Another nice thing about proxy servers is that some of them
  can also do caching (Squid for WWW).  So, imagine that you have 50
  proxied hosts all loading Netscape at once.  If they were installed
  with the default homepage URL, you would have 50 copies of the same
  Netscape WWW page coming over the WAN link for each respective computer.
  With a caching proxy server, only one copy would be downloaded by the
  proxy server and then the proxied machines would get the WWW page from
  the cache.  Not only does this save bandwidth on the Internet connection,
  it will be MUCH MUCH faster for the internal proxied machines.



MASQ or 1:Many NAT:  IP Masq is available on Linux and a few ISDN routers
  such as the Zytel Prestige128, Cisco 770, NetGear ISDN routers, etc.

  Pro:  + Only (1) IP address needed (cheap)
   + Doesn't require special application support
   + Uses firewall software so your network can become
     more secure

  Con: - Requires a Linux box or special ISDN router
     (though other products might have this..  )
   - Incoming traffic cannot access your internal LAN
     unless the internal LAN initiates the traffic or
     specific port forwarding software is installed.
     Many NAT servers CANNOT provide this functionality.
   - Special protocols need to be uniquely handled by
     firewall redirectors, etc.  Linux has full support
     for this (FTP, IRC, etc.) capability but many routers
     do NOT (NetGear DOES).

  Masq or 1:Many NAT is similar to a proxy server in the sense that the
  server will perform IP address translation and fake out the remote server
  (WWW for example) as if the MASQ server made the request instead of an
  internal machine.

  The major difference between a MASQ and PROXY server is that MASQ servers
  don't need any configuration changes to all the client machines.  Just
  configure them to use the linux box as their default gateway and
  everything will work fine.  (You WILL need to install special Linux
  modules for things like RealAudio, FTP, etc. to work)!

  Also, many users operate IP MASQ for TELNET, FTP, etc. *AND* also setup a
  caching proxy on the same Linux box for WWW traffic for the additional
  performance.


NAT:  NAT servers are available on Windows 95/NT, Linux, Solaris, and some
  of the better ISDN routers (not Ascend)

  Pro:  + Very configurable
   + No special application software needed

  Con: - Requires a subnet from your ISP (expensive)

  Network Address Translation is the name for a box that would have a pool
  of valid IP addresses on the Internet interface which it can use.
  Whenever the Internal network wanted to go to the Internet, it associates
  an available VALID IP address from the Internet interface to the original
  requesting PRIVATE IP address.  After that, all traffic is re-written from
  the NAT public IP address to the NAT private address.  Once the associated
  PUBLIC NAT address becomes idle for some pre-determined amount of time,
  the PUBLIC IP address is returned back into the public NAT pool.

  The major problem with NAT is, once all of the free public IP addresses
  are used, any additional private users requesting Internet service are
  out of luck until a public NAT address becomes free.

For an excellent and very comprehensive description of the various forms of
NAT, please see:


http://www.suse.de/~mha/linux-ip-nat/diplom/nat.html/


Here is another good site to learn about NAT, although many of the URLs are
old but still valid:


http://www.linas.org/linux/load.html/


This is a great URL for learning about other NAT solutions for Linux as well
as other platforms:


http://www.uq.net.au/~zzdmacka/the-nat-page/






--------------------------------------------------------------------------------

----- Original Message -----
From: jdd <jdanield@dodin.net>
To: Fabrice BACOU <Fabrice.Bacou@wanadoo.fr>; <linux-31@culte.org>
Sent: Friday, August 03, 2001 6:29 PM
Subject: Re: [linux-31] socks et firewall


> On Friday 3 August 2001 15:37, Fabrice BACOU wrote:
> > Hello,
> >
> > I have a small question for the firewall experts:
> >
> > so, in the Windozs world, when you are in a company it is common to
> > "socksify" your platform.
>
> I would really like to understand what that means. I have the problem at
> the high school: I cannot send mail because of the NT proxy.
>
> I tried to install "dante", but nothing worked, no doubt because I
> understand nothing about the configuration variables and there is no
> documentation.
>
> jdd
>
> --
> <http://www.dodin.net> <mailto:jdanield@dodin.net>
> WHO'S THAT GUY ? Help me found it
> Russia & South america help needed
> http://www.dodin.net/serge/index.html
>


---------------------------------------------------------------------
Help on the list: <URL:mailto:linux-31-help@CULTe.org>
CULTe on the web: <URL:http://www.CULTe.org/>
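
The quoted HOWTO chapter contrasts pool-based NAT (one whole public address per private host, returned after an idle timeout, refused when the pool is empty) with MASQ / 1:Many NAT (one public address, flows told apart by rewritten source port, unsolicited inbound traffic dropped). The following Python model of both translation tables is an added example, not part of the e-mail or of the HOWTO; the class names, the addresses, the 300-second timeout and the starting port 61000 are assumptions.

```python
# Added illustration: dynamic NAT pool vs. 1:Many NAT (IP masquerade).
# Addresses are private/documentation ranges; timeout and ports are assumed values.

class DynamicNatPool:
    """Pool NAT: each private host borrows one whole public address."""
    def __init__(self, public_ips, idle_timeout):
        self.free = list(public_ips)
        self.idle_timeout = idle_timeout
        self.bindings = {}  # private_ip -> [public_ip, last_seen]

    def translate(self, private_ip, now):
        # Return idle public addresses to the pool before allocating.
        for priv, (pub, seen) in list(self.bindings.items()):
            if now - seen >= self.idle_timeout:
                del self.bindings[priv]
                self.free.append(pub)
        if private_ip in self.bindings:
            self.bindings[private_ip][1] = now
            return self.bindings[private_ip][0]
        if not self.free:
            return None  # pool exhausted: this host gets no Internet access
        pub = self.free.pop(0)
        self.bindings[private_ip] = [pub, now]
        return pub

class Masquerade:
    """1:Many NAT: one public IP, flows distinguished by rewritten source port."""
    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (private_ip, private_port) -> public_port
        self.back = {}  # public_port -> (private_ip, private_port)

    def outbound(self, private_ip, private_port):
        key = (private_ip, private_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.out[key]

    def inbound(self, public_port):
        # No table entry means no inside host initiated this flow: drop it.
        return self.back.get(public_port)

if __name__ == "__main__":
    pool = DynamicNatPool(["203.0.113.10", "203.0.113.11"], idle_timeout=300)
    for t, host in [(0, "192.168.1.2"), (10, "192.168.1.3"), (20, "192.168.1.4")]:
        print(t, host, "->", pool.translate(host, t))
```
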