From 7f3ec85bd8b76b5032d3a95ab69c130402fad5ec Mon Sep 17 00:00:00 2001 From: webbreacher Date: Tue, 17 Dec 2013 20:04:47 -0500 Subject: [PATCH] Finished with socat --- cats/socat.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cats/socat.md b/cats/socat.md index 188ae24..88b7fad 100755 --- a/cats/socat.md +++ b/cats/socat.md @@ -4,7 +4,7 @@ An important piece to understand about `socat` is that the format of the command is: `socat [options]
` where `
` is in a special format. Check out the docs here http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_TYPES for more information. -The examples below are mostly copied from the http://www.dest-unreach.org/socat/doc/socat.html#EXAMPLES page and are not a complete listing of all the examples. +The examples below are mostly copied from the http://www.dest-unreach.org/socat/doc/socat.html#EXAMPLES page or http://stuff.mit.edu/afs/sipb/machine/penguin-lust/src/socat-1.7.1.2/EXAMPLES and are not a complete listing of all the examples. ## Commands | Command | Description / Importance | @@ -26,4 +26,6 @@ The examples below are mostly copied from the http://www.dest-unreach.org/socat/ | `socat SSL-LISTEN:4443,reuseaddr,pf=ip4,fork,\`
`cert=server.pem,cafile=client.crt PIPE` | is an OpenSSL server that accepts TCP connections, presents the certificate from the file server.pem and forces the client to present a certificate that is verified against cafile.crt. The second address ('PIPE') can be replaced by almost any other socat address. For instructions on generating and distributing OpenSSL keys and certificates see the additional socat docu socat-openssl.txt. | | `socat tcp-l:7777,reuseaddr,fork system:'filan -i 0 -s >&2',nofork` | listens for incoming TCP connections on port 7777. For each accepted connection, invokes a shell. This shell has its stdin and stdout directly connected to the TCP socket (nofork). The shell starts filan and lets it print the socket addresses to stderr (your terminal window). | | `socat - tcp:www.blackhat.org:31337,readbytes=1000` | connects to an unknown service and prevents being flooded. | -| `socat TCP:host2:4443 TUN:192.168.255.1/24,up` | establishes one side of a virtual (but not private!) network with host2 where a similar process might run, with UDP-L and tun address 192.168.255.2. They can reach each other using the addresses 192.168.255.1 and 192.168.255.2. Note that streaming eg. via TCP or SSL does not guarantee to retain packet boundaries and may thus cause packet loss. \ No newline at end of file +| `socat TCP:host2:4443 TUN:192.168.255.1/24,up` | establishes one side of a virtual (but not private!) network with host2 where a similar process might run, with UDP-L and tun address 192.168.255.2. They can reach each other using the addresses 192.168.255.1 and 192.168.255.2. Note that streaming eg. via TCP or SSL does not guarantee to retain packet boundaries and may thus cause packet loss. | +| `socat TCP-LISTEN:80,reuseaddr,fork,su=nobody \`
`TCP:www.dmz.mydomain.org:80` | relay TCP port 80 from everywhere (internet, intranet, dmz) through your firewall to your DMZ webserver (like plug-gw) listen on port 80; whenever a connection is made, fork a new process (parent process keeps accepting connections), su to nobody, and connect to www.dmz.mydomain.org on port 80. attention: this is a substitute for a reverse proxy without providing application level security. | +| `socat -lm -d -d TCP-LISTEN:25,bind=fw.dmz.mydomain.org, \`
`fork,su=nobody,range=smtp.dmz.mydomain.org/32 \`
`TCP:smtp.intra.mydomain.org:25` | relay mail from your DMZ server through your firewall. accept connections only on dmz interface and allow connections only from smtp.dmz.mydomain.org. the advantages over plug-gw and other relays are: * you can bind to an IP address (even an alias), therefore enhance security * in your OS you can create several IP aliases and bind another socat daemon to each, making several application servers addressable * lots of options, like switching user, chroot, IP performance tuning * no need for inetd. | \ No newline at end of file
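Review bot: the mirror URL added in the `+The examples below are mostly copied from ...` line is a version-pinned AFS copy of the socat 1.7.1.2 EXAMPLES file, which can go stale and does not tell the reader which socat version the options were documented for; consider naming the version in the text, or citing the EXAMPLES file that ships in the socat source tarball, so readers can check whether options like `range=` and `su=` behave the same on their build.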
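Review bot: in the new SMTP relay row, `TCP-LISTEN:25,bind=fw.dmz.mydomain.org, \` has a space between the trailing comma and the backslash, so when the shell joins the continuation lines `fork,su=nobody,range=smtp.dmz.mydomain.org/32` becomes a separate word instead of part of the listen address; socat would then see three address arguments and reject the command rather than apply the `range=` source-address filter that the description relies on. Drop the space (`...bind=fw.dmz.mydomain.org,\`) or keep the whole address in one cell. Both new rows use `su=nobody`, which only works when socat is started as root; worth stating that next to "su to nobody" so readers know the privilege drop is the expected setup, not an optional extra. The last row still ends with `\ No newline at end of file`; adding the trailing newline avoids the same diff noise on the next edit.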