This article describes the packet flows and debug log for Telnet over SOCKS 5 Proxy.
Scope
FortiProxy.
Solution
Configurations:
config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set interface "port2"
        set socks enable
        set http-incoming-port 8080
        set https-incoming-port 8080
        set socks-incoming-port 15900
        set incoming-ip 0.0.0.0    (Can be Interface IP address)
    next
end
config firewall policy
    edit 1
        set type explicit-web
        set name "InternetAccess"
        set dstintf "port1" "port3" "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set utm-status enable
        set logtraffic all
        set log-http-transaction all
        set ssl-ssh-profile "certificate-inspection"
    next
end
Traffic flows:
Client 10.176.2.144 -> SOCKS Proxy 10.176.2.91:15900 -> Telnet Server 10.176.2.173.
Packet flows:
No.  Time      Source        Src Port  Destination   Dst Port  Protocol  Length  TCP Segment Len  Info
1    0.000000  10.176.2.144  24221     10.176.2.91   15900     TCP       66      0                24221 → 15900 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
2    0.000269  10.176.2.91   15900     10.176.2.144  24221     TCP       66      0                15900 → 24221 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 SACK_PERM WS=1024
3    0.000643  10.176.2.144  24221     10.176.2.91   15900     TCP       60      0                24221 → 15900 [ACK] Seq=1 Ack=1 Win=262656 Len=0
4    0.048166  10.176.2.144  24221     10.176.2.91   15900     Socks     60      3                Version: 5 Connect to server request
         > Socks Protocol
           Version: 5
           Client Authentication Methods
5    0.000087  10.176.2.91   15900     10.176.2.144  24221     TCP       54      0                15900 → 24221 [ACK] Seq=1 Ack=4 Win=65536 Len=0
6    0.000225  10.176.2.91   15900     10.176.2.144  24221     Socks     56      2                Version: 5 Connect to server response
         > Socks Protocol
           Version: 5
           Accepted Auth Method: 0x0 (No authentication)
7    0.019957  10.176.2.144  24221     10.176.2.91   15900     Socks     73      19               Version: 5 Command Request - Connect
         > Socks Protocol
           Version: 5
           Command: Connect (1)
           Reserved: 0
           Address Type: Domain Name (3)
           Remote name: 10.176.2.173
           Port: 23
8    0.000000  10.176.2.91   51890     10.176.2.173  23        TCP       74      0                51890 → 23 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM TSval=3655116814 TSecr=0 WS=1024
9    0.000989  10.176.2.173  23        10.176.2.91   51890     TCP       74      0                23 → 51890 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM TSval=2060425598 TSecr=3655116814 WS=8192
10   0.000040  10.176.2.91   51890     10.176.2.173  23        TCP       66      0                51890 → 23 [ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=3655116815 TSecr=2060425598
11   0.001677  10.176.2.91   15900     10.176.2.144  24221     Socks     64      10               Version: 5 Command Response - Connect
         > Socks Protocol
           Version: 5
           Results(V5): Succeeded (0)
           Reserved: 0
           Address Type: IPv4 (1)
           Remote Address: 10.176.2.91
           Port: 51890
12   0.005487  10.176.2.144  1080      10.176.2.91   15900     TELNET    75      21               Telnet Data ...
13   0.005644  10.176.2.91   51890     10.176.2.173  23        TELNET    87      21               Telnet Data ...
14   0.000211  10.176.2.173  23        10.176.2.91   51890     TCP       66      0                23 → 51890 [ACK] Seq=1 Ack=22 Win=32768 Len=0 TSval=2060425604 TSecr=3655116821
Note: Packets 1 to 6 are the TCP 3-way handshake and client greeting. Packets 7 to 11 are the server choices.
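The SOCKS5 messages in packets 4, 6, 7 and 11, decoded in Python as an added example (not part of the original article and not Fortinet code). The byte strings are constructed from the fields shown in the capture using the RFC 1928 layout, and the function names are illustrative; `audit` reports the two properties of this session a reviewer would note, the no-authentication method and the Telnet destination port.

```python
import ipaddress
import struct

# Constructed from the fields Wireshark shows for packets 4, 6, 7 and 11.
GREETING = bytes([5, 1, 0])                                   # VER, NMETHODS, METHODS
CHOICE = bytes([5, 0])                                        # VER, METHOD
REQUEST = bytes([5, 1, 0, 3, 12]) + b"10.176.2.173" + struct.pack("!H", 23)
REPLY = bytes([5, 0, 0, 1, 10, 176, 2, 91]) + struct.pack("!H", 51890)


def parse_greeting(data):
    """Return the auth methods the client offers (packet 4)."""
    if len(data) < 2 or data[0] != 5 or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])


def parse_choice(data):
    """Return the auth method the proxy selected (packet 6)."""
    if len(data) != 2 or data[0] != 5:
        raise ValueError("malformed SOCKS5 method selection")
    return data[1]


def parse_address(data):
    """Decode a request or reply: VER, CMD/REP, RSV, ATYP, ADDR, PORT."""
    if len(data) < 5 or data[0] != 5 or data[2] != 0:
        raise ValueError("malformed SOCKS5 request/reply")
    atyp, body = data[3], data[4:]
    if atyp == 3:                      # domain name: length byte, then name
        size, body = body[0], body[1:]
    else:                              # 1 = IPv4, 4 = IPv6
        size = {1: 4, 4: 16}.get(atyp, -1)
    if size < 0 or len(body) != size + 2:
        raise ValueError("bad address type or length")
    host = body[:size].decode("ascii") if atyp == 3 else str(ipaddress.ip_address(body[:size]))
    return data[1], atyp, host, struct.unpack("!H", body[size:])[0]


def audit(choice, request):
    """List what a reviewer would flag in this handshake."""
    findings = []
    if parse_choice(choice) == 0x00:
        findings.append("method 0x00 selected: no SOCKS-level authentication")
    _, _, host, port = parse_address(request)
    if port == 23:
        findings.append(f"CONNECT to {host}:23: Telnet payload is cleartext")
    return findings
```

The constructed messages are 3, 2, 19 and 10 bytes long, matching the TCP Segment Len column for packets 4, 6, 7 and 11.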
Wad debug log:
diag wad filter clear
diag wad filter src <x.x.x.x>
diagnose wad debug enable category socks
diagnose wad debug enable level info
diag debug en

[I][p:1053][s:1735046410] wad_socks_client_read_sync :3268 ss=0x7fb11beaa548 port=0x7fb11ba4c048
[I][p:1053][s:1735046410] wad_socks_detect_version :3194 ss=0x7fb11beaa548
[I][p:1053][s:1735046410] __wad_socks_auth_result_proc :1423 auth notify: ss=0x7fb11beaa548 auth-state=user pid=1053.
[I][p:1053][s:1735046410] wad_socks_skip_auth_method_ver :3149 ss=0x7fb11beaa548
[I][p:1053][s:1735046410] wad_socks_skip_auth_methods :3172 ss=0x7fb11beaa548
[I][p:1053][s:1735046410] wad_socks_auth_method_response :3072 ss=0x7fb11beaa548 scheme=Unknown socks_method=0x00
[I][p:1053][s:1735046410] wad_socks_client_read_buff :3244 ss=0x7fb11beaa548 port=0x7fb11ba4c048
[I][p:1053][s:1735046410] wad_socks_client_read_sync :3268 ss=0x7fb11beaa548 port=0x7fb11ba4c048
[I][p:1053][s:1735046410] wad_socks_proc_v5_req_hdr :2988 ss=0x7fb11beaa548
[I][p:1053][s:1735046410] wad_socks_proc_v5_connect :2313 ss=0x7fb11beaa548
[I][p:1053][s:1735046410] wad_socks_policy_set :1932 match policy-id=1(pol_ctx:mx|A|7?h|=d) vd=0:0(ses_ctx:x|Phx|Mde|Hf|C|A7|O) pid=1053 out_if=4 user= (anony:1) 10.176.2.144:25213 -> 10.176.2.173:23 av_idx=0
[V][p:1053][s:1735046410] wad_socks_connect :1610 0.0.0.0:0(type=use-gateway set=0) => 10.176.2.173:23(type=0)
[V][p:1053][s:1735046410] __wad_socks_tcp_connect :1980 session=0x7fb11c1b9b28 client=0x7fb11ba4c048 tcp_port=0x7fb11ba4c2f8 ctx=0x7fb11dc53e38
[I][p:1053][s:1735046410] wad_socks_send_v5_resp :1183 ss=0x7fb11beaa548 resp_code=0
[I][p:1053][s:1735046410] wad_socks_port_close :3291 ss=0x7fb11beaa548 state=3
[I][p:1053][s:1735046410] wad_socks_session_free :1246 session=0x7fb11beaa548