===== related utilities

filan -h

filan by Gerhard Rieger - see http://www.dest-unreach.org/socat/
Analyze file descriptors of the process
Usage:
filan [options]
options:
   -?|-h           print this help text
   -d              increase verbosity (use up to 4 times)
   -i<fdnum>       only analyze this fd
   -n<fdnum>       analyze all fds from 0 up to fdnum-1 (default: 1024)
   -s              simple output with just type and socket address or path
   -f<filename>    analyze file system entry
   -T              wait before analyzing, useful to connect with debugger
   -r              raw output for time stamps and rdev
   -L              show symlink properties instead of following it
   -o<filename>    output goes to filename, that can be: a regular file name, the output goes to that
                   +<fd>, output goes to the file descriptor (which must be open writable)
                   the 3 special names stdin stdout and stderr

procan - Analyze system parameters of process
pv - monitor the progress of data through a pipe

===== socat
http://www.dest-unreach.org/socat

-------------------------------------------
EXAMPLE FOR OPENSSL CONNECTION USING SOCAT

Hosts: a server and a client

1) Generate self signed server certificate

// generate a private key:
$ openssl genrsa -out server.key 1024
// generate a self signed cert:
$ openssl req -new -key server.key -x509 -days 3653 -out server.crt
// enter fields... (may all be empty when cert is only used privately)
// generate the pem file:
$ cat server.key server.crt >server.pem
// secure permissions:
$ chmod 600 server.key server.pem
// copy server.pem to the server host using a secure channel (floppy, scp...)
// and keep tight permissions
// remove all other instances of server.key and server.pem
// copy server.crt to the client host

2) Generate self signed client certificate

// like server certificate, but use names client.*
// copy client.pem to the client host using a secure channel (floppy, scp...)
// and keep tight permissions
// remove all other instances of client.key and client.pem
// copy client.crt to the server host

3) Start socat based SSL server

// on server host:
$ socat ssl-l:1443,reuseaddr,fork,cert=server.pem,cafile=client.crt,verify=1 exec:'uptime'

4) Invoke socat based SSL client

// on client host:
$ socat - ssl:server-host:1443,cert=client.pem,cafile=server.crt

-----------------
EXAMPLE FOR TCP 'GENDER CHANGER' USING SOCAT

See http://www.csnc.ch/static/download/publications/TCP-IP_GenderChanger_CSNC_V1.0.pdf
for a description of the problem.

Hosts:
  a server, blocked by a firewall
  a client outside the firewall ("outside-host")
  a firewall that allows arbitrary TCP connections from server to outside, port 80

1) Start the double client on the inside server

// every 10 seconds, it tries to establish a connection to the outside host.
// whenever it succeeds, it forks a sub process that connects to the internal
// service and starts to transfer data
$ socat -d -d -d -t5 tcp:outside-host:80,forever,intervall=10,fork tcp:localhost:80

2) Start double server on the outside client

// wait for a connection from a local client. whenever it has accepted one, it forks
// a subprocess that tries to bind to the socket where the inside double
// client tries to connect (might need to wait for a previous process to
// release the port)
# socat -d -d -d tcp-l:80,reuseaddr,bind=127.0.0.1,fork tcp-l:80,bind=outside-host,reuseaddr,retry=10

3) Connect with outside client

$ mozilla http://127.0.0.1/

===============
http://www.dest-unreach.org/socat/doc/socat-tun.html

TUN Server
socat -d -d TCP-LISTEN:11443,reuseaddr TUN:192.168.255.1/24,up

TUN Client
socat TCP:1.2.3.4:11443 TUN:192.168.255.2/24,up

===============
TCP port forwarder

socat -d -d -lmlocal2 \
    TCP4-LISTEN:80,bind=myaddr1,su=nobody,fork,range=10.0.0.0/8,reuseaddr \
    TCP4:www.domain.org:80,bind=myaddr2
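The range=10.0.0.0/8 option in the forwarder above is what stops it from acting as an open relay for any source address. The following added example (my own code, not socat's) reimplements that source filter in a minimal Python forwarder so the accept/drop behaviour can be exercised on loopback; the echo upstream, the request bytes and the CIDR lists are constructed, and su=nobody has no counterpart here.

```python
import ipaddress
import socket
import threading

def source_allowed(peer_ip, ranges):
    """socat's range=<cidr> semantics: only peers inside one of the networks pass."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def _pump(src, dst):
    """Relay bytes from src to dst until EOF, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def serve_once(listener, target, ranges):
    """Accept one connection; drop it if the peer is outside the range, else relay to target."""
    conn, (peer_ip, _) = listener.accept()
    if not source_allowed(peer_ip, ranges):
        conn.close()            # as with socat's range option: closed, nothing forwarded
        return False
    upstream = socket.create_connection(target)
    threading.Thread(target=_pump, args=(conn, upstream), daemon=True).start()
    threading.Thread(target=_pump, args=(upstream, conn), daemon=True).start()
    return True

def _echo_once(listener):
    """Constructed stand-in for the real upstream service: echo one message back."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(conn.recv(4096))

def demo(ranges):
    """Send one constructed request through the filtered forwarder on loopback.

    Returns the echoed bytes when the peer is in range, None when it was dropped."""
    upstream, forwarder = socket.socket(), socket.socket()
    for sock in (upstream, forwarder):
        sock.bind(("127.0.0.1", 0))     # ephemeral loopback ports
        sock.listen(1)
    threading.Thread(target=_echo_once, args=(upstream,), daemon=True).start()
    with socket.create_connection(forwarder.getsockname(), timeout=3) as client:
        client.sendall(b"GET / HTTP/1.0\r\n\r\n")   # constructed request
        if not serve_once(forwarder, upstream.getsockname(), ranges):
            return None
        return client.recv(4096)
```

Calling demo(["127.0.0.0/8"]) returns the echoed request, while demo(["10.0.0.0/8"]) returns None because the loopback peer is outside the permitted range.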