Network Basics: socat

So... Cat

by Craig Miller

Many may be familiar with netcat, or nc for short. netcat is very useful for creating arbitrary TCP or UDP connections between end points (such as Linux hosts), for example sending a file from one host to another (if you aren't concerned about encryption; netcat sends everything in the clear).

socat is similar to netcat, but it is designed to sit in the middle, between two end points, usually doing some kind of translation. From the man page:

Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them.

There are lots of options to socat, and I encourage you to explore the socat man page, but let's look at some use cases where socat can be very useful.

  1. Proxy ssh connections
  2. Proxy http connections
  3. Proxy https connections (sort of)
  4. L3 Protocol translation (IPv4->IPv6)
  5. L4 Protocol translation (UDP->TCP)

Installing socat

Your Linux distro may not have socat installed, but it is usually available as a pre-compiled package. For Debian-based systems:

sudo apt install socat

Use Case 1: ssh proxy

socat allows one to make an ssh session appear to come from a different IP address: the destination sees the relay host as the client. This can be used for testing your network, or for other reasons. The relay cannot read the session, since ssh is encrypted end to end between your client and the destination, but a relay in this position is also exactly where a man-in-the-middle would sit. Check the host key fingerprint against the destination's before answering yes, and note that ssh will store the key under the relay's name and port (see the "Permanently added" line below); the HostKeyAlias option makes ssh use the destination's known_hosts entry instead.

ssh proxy

To set up socat as an ssh proxy, log into the relay host and start socat. It listens on TCP port 8888 and forwards every accepted connection to port 22 on the destination; fork serves each connection in its own child, reuseaddr lets socat rebind the port right after a restart, and the two -d options print a notice for each connection:

socat -d  -d  TCP6-LISTEN:8888,fork,reuseaddr,retry TCP6:galene.makikiweb.com:22

Then use ssh to connect to the relay host on port 8888, and the session lands on the destination:

ssh -p 8888 relay_host
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[6koa]:8888' (RSA) to the list of known hosts.
Enter passphrase for key '/home/cvmiller/.ssh/id_ecdsa': 
Linux taro.name 4.19.0 #1 SMP Thu Dec 15 20:31:06 MSK 2022 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Oct 16 23:38:22 2023 from 2001:db8:8011:fd60:ee1:5c5e:32c5:2c95
cvmiller@taro:~$ 

Looking at the last log, one can see that the host has recorded log-ins from 2 separate IP addresses, even though both sessions came from the same client: the session through socat is logged with the relay host's address.

cvmiller@taro:~$ last -w | head
cvmiller pts/1        2001:db8:8011:fd60:6d5a:dbc4:3cbb:7ade Tue Nov  7 17:01   still logged in
cvmiller pts/1        2001:db8:8011:fd00:1197:da04:9aee:e46b Tue Nov  7 16:32 - 16:32  (00:00)
...

Use Case 2: Proxy http traffic

socat can proxy http traffic as well as ssh. The setup is similar to the ssh proxy: log in to a relay host and start socat.

socat -d  -d  TCP6-LISTEN:8888,fork,reuseaddr,retry TCP6:www.makikiweb.com:80

Point the browser at the relay host on port 8888, and your packets will be transparently forwarded to the destination host. However, this only works when the destination serves a single site on that address. It could work for IPv4, but because of the shortage of IPv4 addresses, the vast majority of IPv4 web servers use virtual hosting: several websites share a single IPv4 address, and the server picks the site from the Host header the browser sends. Servers reachable over IPv6 are more likely to have an address to themselves, which is why the relay above is given an IPv6 destination, but virtual hosting is a property of the server configuration rather than of the IP version, so it can bite on IPv6 too. When you try to use socat in front of a virtual-hosted server, you receive the following:

Warning (web server error page)

This is because the web server looks at the Host header in the HTTP request to figure out which virtual site should answer. socat copies bytes without understanding HTTP, so the Host header still carries the name the browser was given, the socat relay (relay_host:8888); the destination web server doesn't know that name and returns its error page. Fixing this requires something that rewrites the Host header, which a plain TCP relay cannot do.
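To see why the relayed request misses, here is a small model of name-based virtual hosting in Python. This is an added example, not code from the original article and not socat's code: select_vhost() picks a site the way a web server does (Host header, port stripped, case-insensitive), and rewrite_host() shows the header rewrite an HTTP-aware proxy would apply and socat cannot. The vhost table, the hostnames and both requests are constructed for the demonstration.

```python
"""Name-based virtual hosting, and why a byte-for-byte TCP relay breaks it.
Added example; not part of the original article and not socat code."""

# Constructed vhost table: one IP address, two sites (names are assumptions).
VHOSTS = {
    "www.makikiweb.com": "site:makikiweb",
    "galene.makikiweb.com": "site:galene",
}

# Constructed requests: what a browser sends when pointed at the relay,
# versus what it sends when pointed at the real name.
VIA_RELAY = b"GET / HTTP/1.1\r\nHost: relay_host:8888\r\nUser-Agent: demo\r\n\r\n"
DIRECT = b"GET / HTTP/1.1\r\nHost: www.makikiweb.com\r\nUser-Agent: demo\r\n\r\n"


def parse_request_head(raw: bytes):
    """Return (request line, {lower-case header name: value}) for an HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def select_vhost(raw: bytes, vhosts, default="404 Not Found"):
    """Mimic a web server's virtual host lookup: take the Host header, drop
    any :port (keeping a bracketed IPv6 literal intact), compare
    case-insensitively, and fall back to the default/error page."""
    _, headers = parse_request_head(raw)
    host = headers.get("host", "")
    if host.startswith("["):
        name = host[: host.find("]") + 1]
    elif host.count(":") == 1:
        name = host.rsplit(":", 1)[0]
    else:
        name = host
    return vhosts.get(name.lower().rstrip("."), default)


def rewrite_host(raw: bytes, new_host: str) -> bytes:
    """What an HTTP-aware proxy does and socat cannot: replace the Host header
    so the origin server sees the name it is configured for."""
    head, _, body = raw.partition(b"\r\n\r\n")
    out = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            line = b"Host: " + new_host.encode("ascii")
        out.append(line)
    return b"\r\n".join(out) + b"\r\n\r\n" + body
```

The same diagnosis can be made against a live relay with curl, which lets you set the header yourself (curl -H 'Host: www.makikiweb.com' http://relay_host:8888/): if that returns the right page while the browser does not, the Host header is the whole problem.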

Use Case 3: socat as a TLS/https proxy

It is possible to proxy TLS websites with the following:

socat -d  -d  TCP4-LISTEN:8888,fork,reuseaddr,retry TCP4:galene.makikiweb.com:443

The bytes flow through fine, but TLS (Transport Layer Security) is designed to defeat exactly this kind of interposition. You will see the dreaded "Warning: Potential Security Risk Ahead" screen.

Warning (browser certificate warning)

Why is this, when the destination website has a valid TLS certificate? Because the browser verifies the certificate against the name you typed into the address bar (the relay host), not the name the certificate was issued to (galene.makikiweb.com); the names don't match, so the browser refuses to proceed. The browser also sends the relay's name in the TLS Server Name Indication (SNI), so a server hosting several TLS sites may not even present the certificate you expect. socat cannot fix either without terminating TLS and presenting its own certificate, which the browser would only accept if you installed a CA you control; that is precisely a man-in-the-middle, and the warning is the browser doing its job.
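The check that produces the warning, as an added Python example (not code from the original article, a browser, or socat): a simplified version of the RFC 6125 hostname matching that every TLS client performs against the certificate's subjectAltName entries. The SAN list below is constructed for the demonstration; the article does not show the real certificate's names.

```python
"""Why a valid certificate still fails when reached through a relay.
Added example; not from the original article, not browser or socat code."""
import ipaddress

# Constructed SAN list standing in for the destination's certificate.
SANS = ["galene.makikiweb.com", "*.makikiweb.com"]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one dNSName against the requested name:
    exact and case-insensitive, or a wildcard that is the entire left-most
    label, covers exactly one label, never the registered domain itself,
    and never an IP address."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    try:
        ipaddress.ip_address(hostname)
        return False  # wildcards never match IP literals
    except ValueError:
        pass
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(sans, hostname: str) -> bool:
    """True if any subjectAltName covers the name the client connected to."""
    return any(hostname_matches(san, hostname) for san in sans)


def verdict(sans, requested: str) -> str:
    """The browser's reasoning in one line: the name it was asked for is what
    gets compared, not whatever name the certificate happens to carry."""
    if cert_matches(sans, requested):
        return "ok: certificate covers " + requested
    return "warning: certificate is for %s, connection was to %s" % (", ".join(sans), requested)
```

Python's ssl module performs this check for you when check_hostname is enabled on the context (the default from ssl.create_default_context()), so you never hand-roll it in production; the point here is what is compared to what. If you do need to test a TLS site through a socat relay, tell the client the real name and the relay's address separately. curl's --connect-to option does exactly that (curl --connect-to galene.makikiweb.com:443:relay_host:8888 https://galene.makikiweb.com/): the URL supplies the name used for SNI, the Host header and certificate verification, while the TCP connection goes to the relay, and the certificate verifies cleanly.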

Use Case 4: L3 Protocol Conversion

There are times where one might have an IPv4-only device but want to access it via IPv6 (or vice versa). socat can act as a proxy to do the conversion. For example, I have an IPv4-only Internet Radio, which has a handy web server allowing the creation and management of stored radio stations; however, since I run multiple routers in my home, only IPv6 has connectivity everywhere.

By running socat on a relay host in the same IPv4 subnet as the radio, it is possible to access the Internet Radio's web management page externally via IPv6. socat listens on TCP port 8888 over IPv6 and opens a fresh IPv4 connection to the radio for each client. Keep in mind that socat adds no authentication: anyone who can reach the relay's port 8888 can now reach the radio's management page, so limit who can reach the listener with a firewall rule, or with socat's bind= and range= options.

socat   TCP6-LISTEN:8888,fork,reuseaddr,retry TCP4:10.1.1.138:80

Internet Radio

I wrote an article about accessing my IPv4-only internet radio back in 2020.
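Here is a minimal socat-style TCP relay in Python, as an added example that is not part of the original article and not socat's own code. It covers two of the use cases above: as in Use Case 1, the destination records the relay's address rather than the client's (what the last output showed), and as in Use Case 4, the listening socket and the upstream socket are separate sockets, so the relay can accept IPv6 clients and connect to an IPv4-only device; that is all the L3 conversion amounts to. The echo server standing in for the destination, and every address and port, are constructed for the demonstration and stay on loopback.

```python
"""Minimal socat-style TCP relay (added example; not socat's code).
Listener and upstream are independent sockets, so an IPv6 listener can front
an IPv4-only target, and the target only ever sees the relay's address."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the reverse
    direction can finish on its own. Nothing is inspected or altered."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_connection(client, target_addr, target_family):
    """Serve one accepted client: connect upstream, run one pump per direction."""
    with client, socket.socket(target_family, socket.SOCK_STREAM) as upstream:
        upstream.connect(target_addr)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()


def start_relay(listen_addr, target_addr,
                listen_family=socket.AF_INET6, target_family=socket.AF_INET):
    """Equivalent of: socat TCP6-LISTEN:<port>,fork,reuseaddr TCP4:<host>:<port>
    Returns (listening socket, bound port). A thread per client plays the
    role of socat's fork option."""
    listener = socket.socket(listen_family, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # reuseaddr
    listener.bind(listen_addr)
    listener.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=relay_connection, daemon=True,
                             args=(client, target_addr, target_family)).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the destination (sshd, or the radio's web
    server): records the peer address it sees, as last or an access log
    would, and echoes one request back."""
    seen = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(4)

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return
            seen.append(peer[0])
            with conn:
                if data := conn.recv(65536):
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], seen


def demo(listen_family=socket.AF_INET, listen_host="127.0.0.1"):
    """client -> relay -> echo server, all on loopback (ephemeral ports).
    Use (socket.AF_INET6, "::1") for the IPv6-in, IPv4-out case of Use Case 4.
    Returns (bytes echoed back, peer address the destination recorded)."""
    srv, target_port, seen = start_echo_server()
    listener, relay_port = start_relay((listen_host, 0), ("127.0.0.1", target_port),
                                       listen_family, socket.AF_INET)
    try:
        with socket.create_connection((listen_host, relay_port), timeout=5) as c:
            c.sendall(b"GET / HTTP/1.0\r\n\r\n")
            c.shutdown(socket.SHUT_WR)
            reply = b""
            while chunk := c.recv(65536):
                reply += chunk
    finally:
        listener.close()
        srv.close()
    return reply, seen[0]
```

demo() returns the echoed request together with the address the "destination" saw, which is the relay's own address, not the client's; on a host with IPv6 loopback, demo(socket.AF_INET6, "::1") runs the IPv6-to-IPv4 case. Unlike socat, this version has no retry and no source-address filtering, and like socat it forwards every byte blindly, so whatever sits behind it is reachable by anyone who can reach the listener.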

Use Case 5: L4 Protocol Conversion

A challenge in running your own VPN with WireGuard (WG) is that WG uses UDP only. UDP is not always treated equally by internet providers, especially guest networks at Starbucks or Quality Foods. Often these networks don't track UDP flows properly, and therefore each UDP packet ends up with its own NAT-translated source port. Just another joy of running NAT in the IPv4 world.

However, it should be possible to set up a two-socat relay system to carry the UDP packets inside a TCP connection.

L4 conversion

Running your VPN through more hops will not improve your performance, but if it allows connectivity where there was none, it can be acceptable.

On the left side (the client), we convert UDP packets to TCP, picking an arbitrary TCP port on the VPN host. socat listens on UDP port 8888 locally, so the WireGuard client's peer Endpoint is pointed at 127.0.0.1:8888 instead of at vpn.host:

socat   UDP4-LISTEN:8888,fork,reuseaddr,retry TCP4:vpn.host:4321

And on the right side (the VPN host), we convert TCP back to UDP for WireGuard to process, assuming WireGuard's ListenPort is 8888. One caveat: TCP is a byte stream with no record boundaries, and socat adds no framing, so when two WireGuard packets arrive close together the receiving socat may emit them as a single oversized datagram, which WireGuard cannot authenticate and drops. This tends to work on a quiet link and stall under load; dedicated UDP-over-TCP tunnels add a length prefix to each datagram to avoid it.

socat   TCP4-LISTEN:4321,fork,reuseaddr,retry UDP4:localhost:8888
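The datagram-boundary problem, modelled in Python as an added example (not part of the original article and not socat's or WireGuard's code). relay_without_framing() models the two socat instances: the left one writes each datagram's bytes into the TCP stream, the right one emits one datagram per TCP read, and the read boundaries are whatever the kernel happens to deliver. relay_with_framing() adds the 16-bit length prefix that dedicated UDP-over-TCP tunnels use, so datagrams are reassembled exactly. The sample datagrams and read sizes are constructed, not real WireGuard packets or captured reads.

```python
"""UDP over a plain TCP relay loses datagram boundaries; framing restores them.
Added example; not from the original article, not socat or WireGuard code."""
import struct

# Constructed sample datagrams (sizes only; not real WireGuard packets):
# one handshake-sized record and two data-sized records.
DATAGRAMS = [b"H" * 148, b"D" * 1500, b"d" * 96]

# Constructed TCP read boundaries modelling a burst: the first read picks up
# the handshake plus part of the next packet, later reads split at odd offsets.
READ_SIZES = [200, 1000, 600]


def relay_without_framing(datagrams, read_sizes):
    """Model of  socat UDP-LISTEN -> TCP  feeding  socat TCP-LISTEN -> UDP.
    The sender writes each datagram into the stream; the receiver turns each
    recv() into one datagram, sized however the kernel delivered it.
    Returns the datagrams the far side (WireGuard) actually receives."""
    stream = b"".join(datagrams)
    out, pos = [], 0
    for n in read_sizes:
        if pos >= len(stream):
            break
        out.append(stream[pos:pos + n])
        pos += n
    if pos < len(stream):
        out.append(stream[pos:])
    return out


def frame(datagram: bytes) -> bytes:
    """Prefix a datagram with its 16-bit big-endian length. A WireGuard
    packet never exceeds the path MTU, so 65535 is ample."""
    if len(datagram) > 0xFFFF:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return struct.pack("!H", len(datagram)) + datagram


class FrameParser:
    """Reassemble length-prefixed datagrams from arbitrary TCP read chunks."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk: bytes):
        """Consume one TCP read; return every complete datagram now available.
        Partial headers or bodies stay buffered until the next read."""
        self.buf += chunk
        out = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + length:
                break
            out.append(bytes(self.buf[2:2 + length]))
            del self.buf[:2 + length]
        return out


def relay_with_framing(datagrams, read_sizes):
    """Same stream model, but the sender frames and the receiver reassembles,
    so the output equals the input regardless of where reads fall."""
    stream = b"".join(frame(d) for d in datagrams)
    parser, out, pos = FrameParser(), [], 0
    for n in read_sizes:
        out.extend(parser.feed(stream[pos:pos + n]))
        pos += n
    out.extend(parser.feed(stream[pos:]))
    return out
```

With the constructed read sizes the unframed relay delivers three datagrams of 200, 1000 and 544 bytes, none of which is an original packet, while the framed relay returns the three originals; WireGuard would drop all three unframed datagrams as unauthenticated. Reads that happen to line up with packet boundaries pass through intact, which is why the two-socat setup works when packets are well spaced and degrades under load. Plain socat does not add framing between a UDP and a TCP address.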

Lab

Install socat and use it to relay http to a remote (non-TLS) host (e.g. http://neverssl.com/).

socat, the Swiss Army knife of networking

As you can see, these are just some of the use cases for socat. It has many more address types and translations available, as can be seen with socat -h. It can even act like netcat, redirecting stdin and stdout to a TCP or UDP stream. It is not something you might need every day, but it is a great tool to have in your network toolbox.


19 November 2023