src:http://www.catonmat.net/blog/linux-socks5-proxy/
I thought I'd do a shorter article on catonmat this time. It goes hand in hand with my upcoming article series on "100% technical guide to anonymity", and it's much easier to write larger articles in smaller pieces. Then I can edit them together and produce the final article.
This article will be interesting for those who didn't know it already: you can turn any Linux computer into a SOCKS5 (and SOCKS4) proxy in just one command:

    ssh -N -D 0.0.0.0:1080 localhost
And it doesn't require root privileges. The -D option of ssh starts up dynamic port forwarding on port 1080 and talks to the clients via the SOCKS5 or SOCKS4 protocols, just like a regular SOCKS5 proxy would! The -N option makes sure ssh stays idle and doesn't execute any commands on localhost. The 0.0.0.0 bind address makes the proxy listen on all interfaces, so anyone who can reach port 1080 can use it; access control is covered below.
If you also want the command to go into the background as a daemon, add the -f option:

    ssh -f -N -D 0.0.0.0:1080 localhost
To use it, just point your software at a SOCKS5 proxy on your Linux computer's IP, port 1080, and you're done: all your requests now get proxied.
Access control can be implemented via iptables. For example, to allow only people from the IP 1.2.3.4 to use the SOCKS5 proxy, add the following iptables rules:

    iptables -A INPUT --src 1.2.3.4 -p tcp --dport 1080 -j ACCEPT
    iptables -A INPUT -p tcp --dport 1080 -j REJECT
The first rule says: allow anyone from 1.2.3.4 to connect to port 1080. The second rule says: deny everyone else from connecting to port 1080.
Surely, executing iptables requires root privileges. If you don't have root privileges, and you don't want to leave your proxy open (and you really don't want to do that), you'll have to use some kind of simple TCP proxy wrapper to do access control.
Here, I wrote one in Perl. It's called tcp-proxy.pl, and it uses IO::Socket::INET to abstract sockets and IO::Select to do connection multiplexing.
    #!/usr/bin/perl
    #
    # tcp-proxy.pl - accept TCP connections on 0.0.0.0:1080 from a list of
    # allowed IPs and forward them to the ssh SOCKS5 proxy on localhost:55555.

    use warnings;
    use strict;

    use IO::Socket::INET;
    use IO::Select;

    my @allowed_ips = ('1.2.3.4', '5.6.7.8', '127.0.0.1', '192.168.1.2');
    my $ioset = IO::Select->new;
    my %socket_map;   # client socket <-> remote socket, keyed both ways

    my $debug = 1;

    sub new_conn {
        my ($host, $port) = @_;
        return IO::Socket::INET->new(
            PeerAddr => $host,
            PeerPort => $port
        ) || die "Unable to connect to $host:$port: $!";
    }

    sub new_server {
        my ($host, $port) = @_;
        my $server = IO::Socket::INET->new(
            LocalAddr => $host,
            LocalPort => $port,
            ReuseAddr => 1,
            Listen    => 100
        ) || die "Unable to listen on $host:$port: $!";
        return $server;
    }

    sub new_connection {
        my $server = shift;
        my $client = $server->accept;
        my $client_ip = client_ip($client);

        unless (client_allowed($client)) {
            print "Connection from $client_ip denied.\n" if $debug;
            $client->close;
            return;
        }
        print "Connection from $client_ip accepted.\n" if $debug;

        my $remote = new_conn('localhost', 55555);
        $ioset->add($client);
        $ioset->add($remote);

        $socket_map{$client} = $remote;
        $socket_map{$remote} = $client;
    }

    sub close_connection {
        my $client = shift;
        my $client_ip = client_ip($client);
        my $remote = $socket_map{$client};

        $ioset->remove($client);
        $ioset->remove($remote);

        delete $socket_map{$client};
        delete $socket_map{$remote};

        $client->close;
        $remote->close;

        print "Connection from $client_ip closed.\n" if $debug;
    }

    sub client_ip {
        my $client = shift;
        # peerhost is the address of the connecting side; sockaddr (the local
        # end of the accepted socket) would make the allow list check the
        # proxy's own address instead of the client's.
        return $client->peerhost;
    }

    sub client_allowed {
        my $client = shift;
        my $client_ip = client_ip($client);
        return grep { $_ eq $client_ip } @allowed_ips;
    }

    print "Starting a server on 0.0.0.0:1080\n";
    my $server = new_server('0.0.0.0', 1080);
    $ioset->add($server);

    while (1) {
        for my $socket ($ioset->can_read) {
            if ($socket == $server) {
                new_connection($server);
            }
            else {
                # the peer of a socket closed earlier in this pass is gone from the map
                next unless exists $socket_map{$socket};
                my $remote = $socket_map{$socket};
                my $buffer;
                my $read = $socket->sysread($buffer, 4096);
                if ($read) {
                    $remote->syswrite($buffer);
                }
                else {
                    close_connection($socket);
                }
            }
        }
    }
To use it, you'll have to make a change to the previous configuration. Instead of running the ssh SOCKS5 proxy on 0.0.0.0:1080, you'll need to run it on localhost:55555 (without a bind address, -D binds to the loopback interface only):

    ssh -f -N -D 55555 localhost

After that, run tcp-proxy.pl:

    perl tcp-proxy.pl &

The TCP proxy will start listening on 0.0.0.0:1080 and will forward only the IPs in the @allowed_ips list to localhost:55555.
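To check from a client what the setup above actually does, here is an added example (not code from the original post) in Python that speaks the client side of the SOCKS5 handshake that ssh -D implements and reports whether the connection was refused, dropped by tcp-proxy.pl before any SOCKS reply, or answered with a SOCKS5 reply code. The proxy host and port are placeholders you fill in; the CONNECT target example.com:80 is an assumption.

```python
import socket

SOCKS_VERSION, NO_AUTH, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 5, 0x00, 0x01, 0x01, 0x03
REPLY_NAMES = {0: "succeeded", 1: "general SOCKS server failure",
               2: "connection not allowed by ruleset", 3: "network unreachable",
               4: "host unreachable", 5: "connection refused", 6: "TTL expired",
               7: "command not supported", 8: "address type not supported"}

def greeting():
    """Client greeting: version 5, one offered auth method, 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def connect_request(host, port):
    """CONNECT request: a dotted IPv4 literal is sent as ATYP 1, anything else as a domain name."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + port.to_bytes(2, "big")

def parse_reply(data):
    """Return (reply_code, bound_address, bound_port) from the proxy's reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % data)
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        addr, rest = data[5:5 + data[4]].decode(), data[5 + data[4]:]
    else:
        raise ValueError("unsupported address type %d" % atyp)
    return code, addr, int.from_bytes(rest[:2], "big")

def probe(proxy_host, proxy_port, target_host="example.com", target_port=80, timeout=5.0):
    """How far a CONNECT through the proxy gets: 'refused' (nothing listening, or iptables
    REJECT), 'denied' (peer hung up before answering, as tcp-proxy.pl does for IPs outside
    @allowed_ips), or the name of the proxy's reply code."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(greeting())
            choice = s.recv(2)                       # method selection, expect 0x05 0x00
            if choice != bytes([SOCKS_VERSION, NO_AUTH]):
                return "denied" if not choice else "unexpected method selection %r" % choice
            s.sendall(connect_request(target_host, target_port))
            code, _, _ = parse_reply(s.recv(262))   # 262 bytes is the longest legal reply
            return REPLY_NAMES.get(code, "unknown reply %d" % code)
    except ConnectionRefusedError:
        return "refused"
```

Run `probe("PROXY_HOST", 1080)` from an allowed and from a non-allowed machine: the first should report "succeeded", the second "denied" (tcp-proxy.pl) or "refused" (iptables REJECT).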
Another possibility is to use another computer instead of your own as the exit node. What I mean is you can do the following:

    ssh -f -N -D 1080 other_computer.com

This would set up a SOCKS5 proxy on localhost:1080, and if you use it, ssh would automatically tunnel your requests (encrypted) via other_computer.com. This way you can hide what you're doing on the Internet from anyone who might be sniffing your link. They would see that you're doing something, but the traffic would be encrypted, so they won't be able to tell what you're doing. Keep in mind that the encryption covers only the link between you and other_computer.com; from there the traffic leaves the tunnel exactly as it would from that machine.
That's it. You're now the proxy king!
Download tcp-proxy.pl: http://www.catonmat.net/download/tcp-proxy.pl
I also pushed tcp-proxy.pl to GitHub: tcp-proxy.pl on GitHub. This project is also pretty nifty to generalize into a program that redirects between any number of host:port pairs, not just one.
PS. I'll probably also write "a definitive guide to SSH port forwarding" some time in the future, because it's an interesting but little understood topic.
Turn any Linux computer into a SOCKS5 proxy in one command