src: http://www.catonmat.net/blog/linux-socks5-proxy/

I thought I'd do a shorter article on catonmat this time. It goes hand in hand with my upcoming article series on "100% technical guide to anonymity" and it's much easier to write larger articles in smaller pieces. Then I can edit them together and produce the final article.

This article will be interesting for those who didn't know it already -- you can turn any Linux computer into a SOCKS5 (and SOCKS4) proxy in just one command:

ssh -N -D 0.0.0.0:1080 localhost

And it doesn't require root privileges. The ssh command starts up dynamic -D port forwarding on port1080 and talks to the clients via SOCSK5 or SOCKS4 protocols, just like a regular SOCKS5 proxy would! The -N option makes sure ssh stays idle and doesn't execute any commands on localhost.

If you also wish the command to go into background as a daemon, then add -f option:

ssh -f -N -D 0.0.0.0:1080 localhost

To use it, just make your software use SOCKS5 proxy on your Linux computer's IP, port 1080, and you're done, all your requests now get proxied.

Access control can be implemented via iptables. For example, to allow only people from the ip1.2.3.4 to use the SOCKS5 proxy, add the following iptables rules:

iptables -A INPUT --src 1.2.3.4 -p tcp --dport 1080 -j ACCEPT
iptables -A INPUT -p tcp --dport 1080 -j REJECT

The first rule says, allow anyone from 1.2.3.4 to connect to port 1080, and the other rule says, deny everyone else from connecting to port 1080.

Surely, executing iptables requires root privileges. If you don't have root privileges, and you don't want to leave your proxy open (and you really don't want to do that), you'll have to use some kind of a simple TCP proxy wrapper to do access control.

Here, I wrote one in Perl. It's called tcp-proxy.pl and it uses IO::Socket::INET to abstract sockets, and IO::Select to do connection multiplexing.

#!/usr/bin/perl
# use warnings;
use strict; use IO::Socket::INET;
use IO::Select; my @allowed_ips = ('1.2.3.4', '5.6.7.8', '127.0.0.1', '192.168.1.2');
my $ioset = IO::Select->new;
my %socket_map; my $debug = 1; sub new_conn {
my ($host, $port) = @_;
return IO::Socket::INET->new(
PeerAddr => $host,
PeerPort => $port
) || die "Unable to connect to $host:$port: $!";
} sub new_server {
my ($host, $port) = @_;
my $server = IO::Socket::INET->new(
LocalAddr => $host,
LocalPort => $port,
ReuseAddr => 1,
Listen => 100
) || die "Unable to listen on $host:$port: $!";
} sub new_connection {
my $server = shift;
my $client = $server->accept;
my $client_ip = client_ip($client); unless (client_allowed($client)) {
print "Connection from $client_ip denied.\n" if $debug;
$client->close;
return;
}
print "Connection from $client_ip accepted.\n" if $debug; my $remote = new_conn('localhost', 55555);
$ioset->add($client);
$ioset->add($remote); $socket_map{$client} = $remote;
$socket_map{$remote} = $client;
} sub close_connection {
my $client = shift;
my $client_ip = client_ip($client);
my $remote = $socket_map{$client}; $ioset->remove($client);
$ioset->remove($remote); delete $socket_map{$client};
delete $socket_map{$remote}; $client->close;
$remote->close; print "Connection from $client_ip closed.\n" if $debug;
} sub client_ip {
my $client = shift;
return inet_ntoa($client->sockaddr);
} sub client_allowed {
my $client = shift;
my $client_ip = client_ip($client);
return grep { $_ eq $client_ip } @allowed_ips;
} print "Starting a server on 0.0.0.0:1080\n";
my $server = new_server('0.0.0.0', 1080);
$ioset->add($server); while (1) {
for my $socket ($ioset->can_read) {
if ($socket == $server) {
new_connection($server);
}
else {
next unless exists $socket_map{$socket};
my $remote = $socket_map{$socket};
my $buffer;
my $read = $socket->sysread($buffer, 4096);
if ($read) {
$remote->syswrite($buffer);
}
else {
close_connection($socket);
}
}
}
}

To use it, you'll have to make a change to the previous configuration. Instead of running ssh SOCKS5 proxy on 0.0.0.0:1080, you'll need to run it on localhost:55555,

ssh -f -N -D 55555 localhost

After that, run the tcp-proxy.pl,

perl tcp-proxy.pl &

The TCP proxy will start listening on 0.0.0.0:1080 and will redirect only the allowed IPs in@allowed_ips list to localhost:55555.

Another possibility is to use another computer instead of your own as exit node. What I mean is you can do the following:

ssh -f -N -D 1080 other_computer.com

This will set up a SOCKS5 proxy on localhost:1080 but when you use it, ssh will automatically tunnel your requests (encrypted) via other_computer.com. This way you can hide what you're doing on the Internet from anyone who might be sniffing your link. They will see that you're doing something but the traffic will be encrypted so they won't be able to tell what you're doing.

That's it. You're now the proxy king!

Download tcp-proxy.pl

Download link: tcp proxy (tcp-proxy.pl)
Download URL: http://www.catonmat.net/download/tcp-proxy.pl
Downloaded: 6035 times

I also pushed the tcp-proxy.pl to GitHub: tcp-proxy.pl on GitHub. This project is also pretty nifty to generalize and make a program that redirects between any number of hosts:ports, not just two.

PS. I will probably also write "A definitive guide to ssh port forwarding" some time in the future because it's an interesting but little understood topic.

Turn any Linux computer into SOCKS5 proxy in one command的更多相关文章

  1. 配置Linux客户端使用socks5代理上网

    配置Linux客户端使用socks5代理上网   背景 有访问google或者其他海外网站需求的同学可能大都用过或者听过ss,在Windows.Mac.Android.IOS都有现成可用的客户端来协助 ...

  2. 〖Linux〗转换Socks Proxy为Http Proxy

    使用工具,privoxy,官网: http://www.privoxy.org/ socks5 proxy设定方法: autossh -CgNfD  0.0.0.0:1080 vps-lxb sock ...

  3. Socks5代理Socks5 Proxy

    Socks5代理Socks5 Proxy   Socks5代理是基于Socks协议的一种代理模式.其中,5表示该协议的版本号.它可以让局域网的计算机通过socks5代理服务器,访问外网的内容.由于它工 ...

  4. linux设置http/https proxy及忽略proxy的方法

    msys2设置网络代理 在文件 .bashrc 中添加 export http_proxy="proxy IP:port" 如 export http_proxy="19 ...

  5. Linux / UNIX create soft link with ln command

    How to: Linux / UNIX create soft link with ln command by NIXCRAFT on SEPTEMBER 25, 2007 · 42 COMMENT ...

  6. linux centos cli all proxy

    linux centos 下代理http.https.ftp.all_proxy 全局使用代理: export http_proxy=http://host:port/ export https_pr ...

  7. 转-linux下配置socks5代理

    简介: 在Linux下有各种各样的代理程序可用,象最常用的Squid,是http/https代理,也能代理ftp请求,但它实际上 是个HTTP代理程序,不是ftp代理,但它能处理ftp代理请求,就象浏 ...

  8. [转]linux terminal中使用proxy

    转自:http://www.cnblogs.com/JoJosBizarreAdventure/p/5892383.html 在linux terminal中使用代理 方法一: terminal中输入 ...

  9. 〖Linux〗Ubuntu设定Proxy及忽略Proxy

    1. 设定代理:. ~/.proxyenv #!/bin/sh # for terminal export proxyserveraddr=123.123.123.123 export proxyse ...

随机推荐

  1. apache、nginx、php、mysql 编译参数查询

    nginx编译参数查看:/usr/local/nginx/sbin/nginx -V apache编译参数查看:cat /usr/local/apache2/build/config.nice mys ...

  2. 洛谷 P2639 [USACO09OCT]Bessie的体重问题Bessie's We… 题解

    题目传送门 这也是个01背包,只是装的很... #include<bits/stdc++.h> #define MAXN 45010 using namespace std; int f[ ...

  3. jquery 获取某a标签的href地址 实现页面加载时跳转

    jQuery(document).ready(function(){if(jQuery("#zzjg a").length>0){var hrefValue = jQuery ...

  4. centos6.5挂载windows共享的文件夹

    参考:http://www.centoscn.com/CentOS/Intermediate/2014/0318/2619.html http://www.ailab.cn/article/20150 ...

  5. js过滤检测敏感词汇

    html: <textarea rows="10" cols="100" id="myDiv"></textarea> ...

  6. 在 github 中新建仓库后,如何上传文件到这个仓库里面。

    在 github 中新建仓库后,如何上传文件到这个仓库里面. libin@hglibin MINGW64 /e/github.io (master) $ git remote libin@hglibi ...

  7. HDU 5876 Sparse Graph(补图上BFS)

    题目链接:http://acm.hdu.edu.cn/showproblem.php?pid=5876 题意: 有一个 n 个点无向图,再给你 m 对顶点, 代表着这 m 对顶点之间没有边, 除此之外 ...

  8. CodeForces 805C Find Amir

    直觉. 先走$1$走到$n$,然后从$n$走到$2$,然后从$2$走到$n-1$,然后从$n-1$走到$3$.一次花费为$0$,一次花费为$1$. #include <cstdio> #i ...

  9. appengine 云计算。 部署web网络。

    韩梦飞沙  韩亚飞  313134555@qq.com  yue31313  han_meng_fei_sha appengine 可以 不用手动启动像服务器. 在eclipse中 这两个sdk 配好 ...

  10. 「Codechef April Lunchtime 2015」Palindromeness

    「Codechef April Lunchtime 2015」Palindromeness 解题思路 : 考虑对于回文子串 \(s\) 贡献的定义: \[ value_s = [\ s[1,\lflo ...