This article will be interesting for those who didn't know it already -- you can turn any Linux computer into a SOCKS5 (and SOCKS4) proxy in just one command:
ssh -N -D 0.0.0.0:1080 localhostAnd it doesn't require root privileges. The
ssh
command starts up dynamic -D
port forwarding on port 1080
and talks to the clients via SOCSK5 or SOCKS4 protocols, just like a regular SOCKS5 proxy would! The -N
option makes sure ssh stays idle and doesn't execute any commands on localhost.If you also wish the command to go into background as a daemon, then add
-f
option:ssh -f -N -D 0.0.0.0:1080 localhostTo use it, just make your software use SOCKS5 proxy on your Linux computer's IP, port 1080, and you're done, all your requests now get proxied.
Access control can be implemented via
iptables
. For example, to allow only people from the ip 1.2.3.4
to use the SOCKS5 proxy, add the following iptables
rules:iptables -A INPUT --src 1.2.3.4 -p tcp --dport 1080 -j ACCEPT iptables -A INPUT -p tcp --dport 1080 -j REJECTThe first rule says, allow anyone from
1.2.3.4
to connect to port 1080
, and the other rule says, deny everyone else from connecting to port 1080
.Surely, executing
iptables
requires root privileges. If you don't have root privileges, and you don't want to leave your proxy open (and you really don't want to do that), you'll have to use some kind of a simple TCP proxy wrapper to do access control.Here, I wrote one in Perl. It's called
tcp-proxy.pl
and it uses IO::Socket::INET
to abstract sockets, and IO::Select
to do connection multiplexing.#!/usr/bin/perl
#
use warnings;
use strict;
use IO::Socket::INET;
use IO::Select;
my @allowed_ips = ('1.2.3.4', '5.6.7.8', '127.0.0.1', '192.168.1.2');
my $ioset = IO::Select->new;
my %socket_map;
my $debug = 1;
sub new_conn {
my ($host, $port) = @_;
return IO::Socket::INET->new(
PeerAddr => $host,
PeerPort => $port
) || die "Unable to connect to $host:$port: $!";
}
sub new_server {
my ($host, $port) = @_;
my $server = IO::Socket::INET->new(
LocalAddr => $host,
LocalPort => $port,
ReuseAddr => 1,
Listen => 100
) || die "Unable to listen on $host:$port: $!";
}
sub new_connection {
my $server = shift;
my $client = $server->accept;
my $client_ip = client_ip($client);
unless (client_allowed($client)) {
print "Connection from $client_ip denied.\n" if $debug;
$client->close;
return;
}
print "Connection from $client_ip accepted.\n" if $debug;
my $remote = new_conn('localhost', 55555);
$ioset->add($client);
$ioset->add($remote);
$socket_map{$client} = $remote;
$socket_map{$remote} = $client;
}
sub close_connection {
my $client = shift;
my $client_ip = client_ip($client);
my $remote = $socket_map{$client};
$ioset->remove($client);
$ioset->remove($remote);
delete $socket_map{$client};
delete $socket_map{$remote};
$client->close;
$remote->close;
print "Connection from $client_ip closed.\n" if $debug;
}
sub client_ip {
my $client = shift;
return inet_ntoa($client->sockaddr);
}
sub client_allowed {
my $client = shift;
my $client_ip = client_ip($client);
return grep { $_ eq $client_ip } @allowed_ips;
}
print "Starting a server on 0.0.0.0:1080\n";
my $server = new_server('0.0.0.0', 1080);
$ioset->add($server);
while (1) {
for my $socket ($ioset->can_read) {
if ($socket == $server) {
new_connection($server);
}
else {
next unless exists $socket_map{$socket};
my $remote = $socket_map{$socket};
my $buffer;
my $read = $socket->sysread($buffer, 4096);
if ($read) {
$remote->syswrite($buffer);
}
else {
close_connection($socket);
}
}
}
}
0.0.0.0:1080
, you'll need to run it on localhost:55555
,ssh -f -N -D 55555 localhostAfter that, run the
tcp-proxy.pl
,perl tcp-proxy.pl &The TCP proxy will start listening on
0.0.0.0:1080
and will redirect only the allowed IPs in @allowed_ips
list to localhost:55555
.Another possibility is to use another computer instead of your own as exit node. What I mean is you can do the following:
ssh -f -N -D 1080 other_computer.comThis will set up a SOCKS5 proxy on
localhost:1080
but when you use it, ssh will automatically tunnel your requests (encrypted) via other_computer.com
. This way you can hide what you're doing on the Internet from anyone who might be sniffing your link. They will see that you're doing something but the traffic will be encrypted so they won't be able to tell what you're doing.That's it. You're now the proxy king!
Download tcp-proxy.pl
Download link: tcp proxy (tcp-proxy.pl)Download URL:
http://www.catonmat.net/download/tcp-proxy.pl
Downloaded: 1791 times
I also pushed the tcp-proxy.pl to GitHub: tcp-proxy.pl on GitHub. This project is also pretty nifty to generalize and make a program that redirects between any number of hosts:ports, not just two。
from http://www.catonmat.net/blog/linux-socks5-proxy/
没全看懂
No comments:
Post a Comment