Turn any Linux computer into SOCKS5 proxy in one command
2014-11-12 12:00
src: http://www.catonmat.net/blog/linux-socks5-proxy/
I thought I'd do a shorter article on catonmat this time. It goes hand in hand with my upcoming article series on "100% technical guide to anonymity" and it's much easier to write larger articles in smaller pieces. Then I can edit them together and produce the final article.
This article will be interesting for those who didn't know it already -- you can turn any Linux computer into a SOCKS5 (and SOCKS4) proxy in just one command:
ssh -N -D 0.0.0.0:1080 localhost
And it doesn't require root privileges. The ssh command starts up dynamic -D port forwarding on port 1080 and talks to the clients via SOCKS5 or SOCKS4 protocols, just like a regular SOCKS5 proxy would! The -N option makes sure ssh stays idle and doesn't execute any commands on localhost.
If you also wish the command to go into background as a daemon, then add -f option:
ssh -f -N -D 0.0.0.0:1080 localhost
To use it, just make your software use SOCKS5 proxy on your Linux computer's IP, port 1080, and you're done, all your requests now get proxied.
Access control can be implemented via iptables. For example, to allow only people from the IP 1.2.3.4 to use the SOCKS5 proxy, add the following iptables rules:
iptables -A INPUT --src 1.2.3.4 -p tcp --dport 1080 -j ACCEPT
iptables -A INPUT -p tcp --dport 1080 -j REJECT
The first rule says, allow anyone from 1.2.3.4 to connect to port 1080, and the other rule says, deny everyone else from connecting to port 1080.
Surely, executing iptables requires root privileges. If you don't have root privileges, and you don't want to leave your proxy open (and you really don't want to do that), you'll have to use some kind of a simple TCP proxy wrapper to do access control.
Here, I wrote one in Perl. It's called tcp-proxy.pl and it uses IO::Socket::INET to abstract sockets, and IO::Select to do connection multiplexing.
#!/usr/bin/perl
#

use warnings;
use strict;

use IO::Socket::INET;
use IO::Select;

# Source addresses that may use the proxy; everyone else is disconnected.
my @allowed_ips = ('1.2.3.4', '5.6.7.8', '127.0.0.1', '192.168.1.2');
my $ioset = IO::Select->new;
my %socket_map;    # maps each socket to the other end of its proxied pair

my $debug = 1;

# Open the outgoing connection to the ssh SOCKS listener.
sub new_conn {
    my ($host, $port) = @_;
    return IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port
    ) || die "Unable to connect to $host:$port: $!";
}

# Create the public listening socket.
sub new_server {
    my ($host, $port) = @_;
    my $server = IO::Socket::INET->new(
        LocalAddr => $host,
        LocalPort => $port,
        ReuseAddr => 1,
        Listen    => 100
    ) || die "Unable to listen on $host:$port: $!";
    return $server;
}

# Accept a client, check it against the allow list and pair it with ssh.
sub new_connection {
    my $server = shift;
    my $client = $server->accept;
    my $client_ip = client_ip($client);

    unless (client_allowed($client)) {
        print "Connection from $client_ip denied.\n" if $debug;
        $client->close;
        return;
    }
    print "Connection from $client_ip accepted.\n" if $debug;

    my $remote = new_conn('localhost', 55555);
    $ioset->add($client);
    $ioset->add($remote);

    $socket_map{$client} = $remote;
    $socket_map{$remote} = $client;
}

# Tear down both halves of a proxied pair.
sub close_connection {
    my $client = shift;
    my $client_ip = client_ip($client);
    my $remote = $socket_map{$client};

    $ioset->remove($client);
    $ioset->remove($remote);

    delete $socket_map{$client};
    delete $socket_map{$remote};

    $client->close;
    $remote->close;

    print "Connection from $client_ip closed.\n" if $debug;
}

sub client_ip {
    my $client = shift;
    # peerhost is the address of the remote end of the socket; sockaddr
    # would return our own local address, which would make the allow-list
    # check meaningless.
    return $client->peerhost // 'unknown';
}

sub client_allowed {
    my $client = shift;
    my $client_ip = client_ip($client);
    return grep { $_ eq $client_ip } @allowed_ips;
}

print "Starting a server on 0.0.0.0:1080\n";
my $server = new_server('0.0.0.0', 1080);
$ioset->add($server);

# Main loop: accept new clients and shuttle bytes between paired sockets.
while (1) {
    for my $socket ($ioset->can_read) {
        if ($socket == $server) {
            new_connection($server);
        }
        else {
            # The pair may already have been closed earlier in this batch.
            next unless exists $socket_map{$socket};
            my $remote = $socket_map{$socket};
            my $buffer;
            my $read = $socket->sysread($buffer, 4096);
            if ($read) {
                $remote->syswrite($buffer);
            }
            else {
                close_connection($socket);
            }
        }
    }
}
To use it, you'll have to make a change to the previous configuration. Instead of running ssh SOCKS5 proxy on 0.0.0.0:1080, you'll need to run it on localhost:55555,
ssh -f -N -D 55555 localhost
After that, run the tcp-proxy.pl,
perl tcp-proxy.pl &
The TCP proxy will start listening on 0.0.0.0:1080 and will redirect only the allowed IPs in @allowed_ips list to localhost:55555.
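To confirm that the ssh SOCKS listener really moved from 0.0.0.0:1080 to loopback once the wrapper is in place, the listening sockets can be audited. The script below is an added example, not part of the original article or of tcp-proxy.pl; it parses the output of ss -Hltnp, and the function name and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report ssh client listeners (such as -D dynamic forwards)
# that are bound to a non-loopback address and so reachable from other hosts.
# Input on stdin: output of "ss -Hltnp" (listening TCP, numeric, with
# process info, no header). Without root, ss only names your own processes.

exposed_ssh_listeners() {
    awk '
        $1 == "LISTEN" && $0 ~ /\("ssh",/ {
            addr = $4; sub(/:[^:]*$/, "", addr)   # local address without ":port"
            port = $4; sub(/.*:/, "", port)       # local port
            # Loopback binds can only be reached from this machine.
            if (addr ~ /^127\./ || addr == "[::1]") next
            pid = $0; sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
            printf "%s port=%s pid=%s\n", addr, port, pid
        }'
}

# Constructed sample: the one-command setup, ssh -N -D 0.0.0.0:1080 localhost.
# The sshd line is the SSH server itself and must not be reported.
SAMPLE_BEFORE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:1080 0.0.0.0:* users:(("ssh",pid=4242,fd=4))'

# Constructed sample: ssh -f -N -D 55555 localhost behind tcp-proxy.pl.
SAMPLE_AFTER='LISTEN 0 128 127.0.0.1:55555 0.0.0.0:* users:(("ssh",pid=4250,fd=5))
LISTEN 0 128 [::1]:55555 [::]:* users:(("ssh",pid=4250,fd=4))
LISTEN 0 100 0.0.0.0:1080 0.0.0.0:* users:(("perl",pid=4300,fd=3))'

echo "before:"
printf '%s\n' "$SAMPLE_BEFORE" | exposed_ssh_listeners
echo "after:"
printf '%s\n' "$SAMPLE_AFTER" | exposed_ssh_listeners

# Live use on the proxy host:
#   ss -Hltnp | exposed_ssh_listeners
```

In the second listing only the Perl wrapper holds the public port, so every connection has to pass its allow-list check before it reaches ssh.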
Another possibility is to use another computer instead of your own as exit node. What I mean is you can do the following:
ssh -f -N -D 1080 other_computer.com
This will set up a SOCKS5 proxy on localhost:1080 but when you use it, ssh will automatically tunnel your requests (encrypted) via other_computer.com. This way you can hide what you're doing on the Internet from anyone who might be sniffing your link. They will see that you're doing something but the traffic will be encrypted so they won't be able to tell what you're doing. Only the hop between your machine and other_computer.com is encrypted by ssh; from there the requests travel on to their destination as they normally would.
That's it. You're now the proxy king!
Download tcp-proxy.pl
Download URL: http://www.catonmat.net/download/tcp-proxy.pl
I also pushed the tcp-proxy.pl to GitHub: tcp-proxy.pl on GitHub. This project is also pretty nifty to generalize and make a program that redirects between any number of hosts:ports, not just two.
PS. I will probably also write "A definitive guide to ssh port forwarding" some time in the future because it's an interesting but little understood topic.