Monday, October 23, 2006

Gentoo Linux HOWTO configure a SOCKS proxy server

Inspired by my wife's difficulty connecting to the internet due to new security policies at her organization, I decided to try a proxy to allow her to use Windows Live Messenger.


The Linux SOCKS proxy server implementation these days is made under the name DANTE. Their site is here.

In Gentoo it is in our Portage Tree so the step-by-step is here:

  • emerge dante
  • edit the config file (/etc/socks/sockd.conf). Open that file in your favorite editor
    It is in this file logging is enabled via the syslog mechanism and internal and external addresses are bound. Whereas the internal bindings include a port specification, the external one does not.
    The comments are well formed I'd also spend a little time looking them over.

    The details:
    logoutput: syslog

    internal: eth1 port = 1080
    internal: 127.0.0.1 port = 1080

    external: 1.2.3.4
    # or
    external: eth0
    To achieve full access (no username/password).
    method: username none

    # Not using authentication, so unnecessary
    #user.privileged: proxy

    user.notprivileged: nobody
    The access controls for sockd daemon are last. They are checked against in the order they appear in the configuration file. Notice, don't open your proxy server to the wild world - you've been warned.

    The first three directives control which IP ranges that have accesss to the server.
    - The from: is were the details of the IPs are added. In my cause it is the IP space the clients live in.
    - The to: option is one of the IPs the proxy server is bound to that the given IP range can speak to. It is set to the addresses Dante/sockd is listening on.
    The last of the three drops any requests that don't match either of the first two directives. 

    client pass {
    from:  192.168.0.0/16 port 1-65535 to: 0.0.0.0/0
    }

    client pass {
    from:  127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
    }

    client block {
    from:  0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
    }
    The next four configuration points control who 'routing'.
    - Requests from anywhere to the loopback addresses are dropped.
    - From the loopback addresses and 192.168.0.0/16 are allowed to communicated over tcp or udp protocols.
    - Finally, drop everything else. 
    block {
    from:  0.0.0.0/0 to: 127.0.0.0/8
    log: connect error
    }

    pass {
    from:  192.168.0.0/16 to: 0.0.0.0/0
    protocol: tcp udp
    }

    pass {
    from:  127.0.0.0/8 to: 0.0.0.0/0
    protocol: tcp udp
    }

    block {
    from:  0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
    }
  • Start Dante/sockd. 
    sockd -V // this verifies configuration and exits
    sockd -d // this enables debugging to the console.
    That will start Dante in debugging mode.

The help page for your reference
localhost ~ # sockd -h
sockd: usage: sockd [-DLNVdfhnv]
-D : run in daemon mode
-L : shows the license for this program
-N : fork of servers [1]
-V : verify configuration and exit
-d : enable debugging
-f <filename> : use <filename> as configuration file [/etc/socks/sockd.conf]
-h : print this information
-n : disable TCP keep-alive
-v : print version info

if you'd like sockd to start on the default runlevel:
rc-update add sockd default

Next would be configuring your browser and test this. Using IE configure it to use a proxy server and enter the server name port (1080), close the browser. Restart the browser and request a page. If it works, then great move on. Otherwise you'll start to debug (inspection of /var/log/* time).



Posted by Paul Cooley at 8:09:00 PM

1 comment:

alex smith said...

I just signed up but the order process was very pleasant. I was able to inquire regarding the order status via skype right away and Phil and Alik were extremely helpful. It's a good start so far. Thanks to vpn

6:41 AM

Post a Comment

Subscribe to: Post Comments (Atom)