Turn any Linux computer into SOCKS5 proxy in one command

简介: src: http://www.catonmat.net/blog/linux-socks5-proxy/ I thought I'd do a shorter article on catonmat this time.

 

src: http://www.catonmat.net/blog/linux-socks5-proxy/

I thought I'd do a shorter article on catonmat this time. It goes hand in hand with my upcoming article series on "100% technical guide to anonymity" and it's much easier to write larger articles in smaller pieces. Then I can edit them together and produce the final article.

This article will be interesting for those who didn't know it already -- you can turn any Linux computer into a SOCKS5 (and SOCKS4) proxy in just one command:

ssh -N -D 0.0.0.0:1080 localhost

And it doesn't require root privileges. The ssh command starts up dynamic -D port forwarding on port1080 and talks to the clients via SOCSK5 or SOCKS4 protocols, just like a regular SOCKS5 proxy would! The -N option makes sure ssh stays idle and doesn't execute any commands on localhost.

If you also wish the command to go into background as a daemon, then add -f option:

ssh -f -N -D 0.0.0.0:1080 localhost

To use it, just make your software use SOCKS5 proxy on your Linux computer's IP, port 1080, and you're done, all your requests now get proxied.

Access control can be implemented via iptables. For example, to allow only people from the ip1.2.3.4 to use the SOCKS5 proxy, add the following iptables rules:

iptables -A INPUT --src 1.2.3.4 -p tcp --dport 1080 -j ACCEPT
iptables -A INPUT -p tcp --dport 1080 -j REJECT

The first rule says, allow anyone from 1.2.3.4 to connect to port 1080, and the other rule says, deny everyone else from connecting to port 1080.

Surely, executing iptables requires root privileges. If you don't have root privileges, and you don't want to leave your proxy open (and you really don't want to do that), you'll have to use some kind of a simple TCP proxy wrapper to do access control.

Here, I wrote one in Perl. It's called tcp-proxy.pl and it uses IO::Socket::INET to abstract sockets, and IO::Select to do connection multiplexing.

#!/usr/bin/perl
#

use warnings;
use strict; use IO::Socket::INET; use IO::Select; my @allowed_ips = ('1.2.3.4', '5.6.7.8', '127.0.0.1', '192.168.1.2'); my $ioset = IO::Select->new; my %socket_map; my $debug = 1; sub new_conn { my ($host, $port) = @_; return IO::Socket::INET->new( PeerAddr => $host, PeerPort => $port ) || die "Unable to connect to $host:$port: $!"; } sub new_server { my ($host, $port) = @_; my $server = IO::Socket::INET->new( LocalAddr => $host, LocalPort => $port, ReuseAddr => 1, Listen => 100 ) || die "Unable to listen on $host:$port: $!"; } sub new_connection { my $server = shift; my $client = $server->accept; my $client_ip = client_ip($client); unless (client_allowed($client)) { print "Connection from $client_ip denied.\n" if $debug; $client->close; return; } print "Connection from $client_ip accepted.\n" if $debug; my $remote = new_conn('localhost', 55555); $ioset->add($client); $ioset->add($remote); $socket_map{$client} = $remote; $socket_map{$remote} = $client; } sub close_connection { my $client = shift; my $client_ip = client_ip($client); my $remote = $socket_map{$client}; $ioset->remove($client); $ioset->remove($remote); delete $socket_map{$client}; delete $socket_map{$remote}; $client->close; $remote->close; print "Connection from $client_ip closed.\n" if $debug; } sub client_ip { my $client = shift; return inet_ntoa($client->sockaddr); } sub client_allowed { my $client = shift; my $client_ip = client_ip($client); return grep { $_ eq $client_ip } @allowed_ips; } print "Starting a server on 0.0.0.0:1080\n"; my $server = new_server('0.0.0.0', 1080); $ioset->add($server); while (1) { for my $socket ($ioset->can_read) { if ($socket == $server) { new_connection($server); } else { next unless exists $socket_map{$socket}; my $remote = $socket_map{$socket}; my $buffer; my $read = $socket->sysread($buffer, 4096); if ($read) { $remote->syswrite($buffer); } else { close_connection($socket); } } } } 

To use it, you'll have to make a change to the previous configuration. Instead of running ssh SOCKS5 proxy on 0.0.0.0:1080, you'll need to run it on localhost:55555,

ssh -f -N -D 55555 localhost

After that, run the tcp-proxy.pl,

perl tcp-proxy.pl &

The TCP proxy will start listening on 0.0.0.0:1080 and will redirect only the allowed IPs in@allowed_ips list to localhost:55555.

Another possibility is to use another computer instead of your own as exit node. What I mean is you can do the following:

ssh -f -N -D 1080 other_computer.com

This will set up a SOCKS5 proxy on localhost:1080 but when you use it, ssh will automatically tunnel your requests (encrypted) via other_computer.com. This way you can hide what you're doing on the Internet from anyone who might be sniffing your link. They will see that you're doing something but the traffic will be encrypted so they won't be able to tell what you're doing.

That's it. You're now the proxy king!

Download tcp-proxy.pl

Download link: tcp proxy (tcp-proxy.pl)
Download URL: http://www.catonmat.net/download/tcp-proxy.pl
Downloaded: 6035 times

I also pushed the tcp-proxy.pl to GitHub: tcp-proxy.pl on GitHub. This project is also pretty nifty to generalize and make a program that redirects between any number of hosts:ports, not just two.

PS. I will probably also write "A definitive guide to ssh port forwarding" some time in the future because it's an interesting but little understood topic.

目录
相关文章
|
7月前
|
Shell Linux
【Linux】Pass arguments into a function(一)
【Linux】Pass arguments into a function
55 0
|
关系型数据库 MySQL Shell
【Linux命令】-bash: mysql: command not found
【Linux命令】-bash: mysql: command not found
140 0
|
4月前
|
安全 算法 网络协议
【在Linux世界中追寻伟大的One Piece】HTTPS协议原理
【在Linux世界中追寻伟大的One Piece】HTTPS协议原理
50 2
|
4月前
|
Linux Shell 调度
【在Linux世界中追寻伟大的One Piece】Linux进程概念
【在Linux世界中追寻伟大的One Piece】Linux进程概念
42 1
|
4月前
|
缓存 Linux Shell
【在Linux世界中追寻伟大的One Piece】Linux进程控制
【在Linux世界中追寻伟大的One Piece】Linux进程控制
34 0
|
6月前
|
Ubuntu Linux 数据安全/隐私保护
Linux Ubuntu crontab 添加错误 提示:no crontab for root - using an empty one 888
Linux Ubuntu crontab 添加错误 提示:no crontab for root - using an empty one 888
134 3
|
5月前
|
Linux
Linux02---命令基础 Linux命令基础, ls命令入门,ls命令参数和选项,命令行是一种以纯字符操作系统的方式,command命令本身,options命令的细节行为,parameter命令的
Linux02---命令基础 Linux命令基础, ls命令入门,ls命令参数和选项,命令行是一种以纯字符操作系统的方式,command命令本身,options命令的细节行为,parameter命令的
|
6月前
|
Ubuntu Unix Linux
【在Linux世界中追寻伟大的One Piece】Linux是从哪里来的?又是怎么发展的?基本指令你知道哪些?
【在Linux世界中追寻伟大的One Piece】Linux是从哪里来的?又是怎么发展的?基本指令你知道哪些?
29 0
|
Ubuntu Linux 数据安全/隐私保护
Linux Ubuntu crontab 添加错误 提示:no crontab for root - using an empty one 888
错误提示: no crontab for root - using an empty one 888
668 1
Linux Ubuntu crontab 添加错误 提示:no crontab for root - using an empty one 888
|
7月前
|
Linux Shell
mac/linux提示bash: telnet: command not found
mac/linux提示bash: telnet: command not found