Install at least IWSVA 6.5 Service Pack 2 Patch 1 after checking the Readme file to make use of the options listed in the next sections.
Enabling SOCKS5 proxy:
Edit the file "/etc/iscan/network.ini", and add/modify the following two keys:
socks5_proxy_enabled=yes
socks5_proxy_port=1080
Enabling SOCKS5 user authentication:
To enable authentication for the SOCKS5 requests, add the following parameter to the same file as above:
socks5_auth_enable=yes
Then specify the username and password to use when performing the authentication.
The character ";" is expected to split multiple users, for example:
socks5_auth_users=testuser/testpassword;testuser2/testpassword2
Destination port ACL:
Specify the destination ports to reject, for example:
socks5_reject_dstport=443;8443
Enabling ACL based on client IP:
Set the default action for the SOCKS proxy, for example:
default_allow_action = yes
#"yes" means that the default action is "allow"; it is used together with the configuration "socks5_reject_srcip"
#"no" means that the default action is "reject"; it is used together with the configuration "socks5_allow_srcip"
Specify the source IP range to reject, for example:
socks5_reject_srcip=127.0.0.1/32
Specify the source IP range to allow, for example:
socks5_allow_srcip=172.16.0.0/12;10.204.151.0/23
All the SOCKS5-related settings that can be configured in the /etc/iscan/network.ini file:
Use case: SOCKS5 user authentication
After configuring the settings, the IWSVA administrator can trigger one visit from a test client.
The administrator should set the SOCKS5 proxy (for instance, Address: 10.204.151.65, Port: 1080) as the web proxy on the test client, and enter the username and the password.
If you enter an invalid username or password, the client will not be able to access the internet.
If the username and password are valid, the client can access the internet. This confirms that the current SOCKS5 proxy is working.
The following are limitations and known issues of this feature:
- IPv6 is not supported.
- This feature only works in forward proxy mode.
- The characters “/” and “;” are invalid for username and password.
- The rejected destination port setting does not support wildcards.
- If an entry in “socks5_allow_srcip” conflicts with an entry in “socks5_reject_srcip”, such entries will be rejected.
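A check that can be run against a copy of network.ini before the settings go live, flagging entries that hit the limitations listed above. This is an added example, not Trend Micro code: the function names and the sample text are constructed for illustration, and it assumes that "conflict" means overlapping address ranges and that valid ports are 1 to 65535.

```python
import ipaddress

# Constructed sample (not a real IWSVA file); it breaks four documented limits.
SAMPLE = """\
socks5_auth_users=testuser/testpassword;testuser2/pass/word
socks5_reject_dstport=443;84*
default_allow_action = yes
socks5_reject_srcip=10.204.151.7/32;fd00::/8
socks5_allow_srcip=172.16.0.0/12;10.204.151.0/23
"""

def parse_settings(text):
    # Collect key=value pairs, tolerating spaces around "=" and "#" comments.
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def items(settings, key):
    return [v.strip() for v in settings.get(key, "").split(";") if v.strip()]

def check_socks5(settings):
    """List violations of the limitations stated on this page."""
    problems = []
    for entry in items(settings, "socks5_auth_users"):
        # "/" and ";" are invalid in names and passwords: exactly one "/" per entry.
        if entry.count("/") != 1 or not all(entry.split("/")):
            problems.append(f"socks5_auth_users: malformed entry {entry!r}")
    for port in items(settings, "socks5_reject_dstport"):
        if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"socks5_reject_dstport: not a port: {port!r}")
    nets = {"socks5_allow_srcip": [], "socks5_reject_srcip": []}
    for key, found in nets.items():
        for item in items(settings, key):
            try:
                found.append(ipaddress.IPv4Network(item, strict=False))
            except ValueError:  # also raised for IPv6, which is unsupported
                problems.append(f"{key}: not an IPv4 range: {item!r}")
    for allow in nets["socks5_allow_srcip"]:
        for reject in nets["socks5_reject_srcip"]:
            if allow.overlaps(reject):  # assumption: "conflict" means overlap
                problems.append(f"srcip conflict: allow {allow} / reject {reject}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_socks5(parse_settings(SAMPLE))))
```

A password containing ";" is caught by the same first check, because the split on ";" leaves a fragment without a "/".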