咿思舞论坛 http://bbs.145829.com

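Title: dante: SOCKS5 proxy server setup on Linux

Post #1
admin posted on 2009/9/1 10:37:16

1. dante (partial):

I feel that dante is basically the best SOCKS5 proxy software for Linux, and it is free. We have been using it all along and find it works fairly well.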
 

1. Introduction
Dante is a network proxy server. It gives you a single point of access for all
kinds of network traffic, such as ftp, irc or icq.
2. Useful resources
The homepage for Dante: http://www.inet.no/dante/
3. Getting the packages / Install
Some GNU/Linux distros come with a pre-installed package, but I prefer the manual way:
compiling it from source. Download the latest source file from their website and unpack
it with
 
tar zxvf dante.tar.gz
 
Now move to the directory and run the configure script without options, then run
make, make check and make install:
 
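cd dante
./configure
make
make check
# "su -" would start a login shell in root's home directory, so run the
# install step as root from the source directory instead
su -c "make install"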
 
(Be sure to create the sockd user, and create the log directory: mkdir /var/log/sockd/)
 
This should give you no problems. After the installation, add a user and a group sockd to
the system.
4. Configuration
I'm only going to cover a 'basic' installation. More information is provided on the Dante homepage.
 
Dante uses a configuration file, /etc/sockd.conf, that mainly consists of two parts: the general settings and the rules section. So open up /etc/sockd.conf with your favorite editor and add this:
 logoutput: /var/log/sockd/sockd
 internal: eth0 port = 1080
 external: eth1
 
 method: none username pam
 clientmethod: none
 
 user.libwrap: libwrap
 #user.privileged: sockd
 user.notprivileged: sockd
 
 connecttimeout: 30
 
logoutput will output all events to /var/log/sockd/sockd
 
internal and external set up where and how Dante will listen on the network socket. You can use either the interface name or the IP address.
 
method and clientmethod define how authentication is handled.
 
As we've mentioned above, you need to add a user and group sockd to the system. Dante will run under the user specified by user.notprivileged.
 
With connecttimeout you define (in seconds) how quickly the connection is closed.
 

The second part of the config file is the rules-set. I'm not going to cover every rule. The examples below should make things clear(er).
 # Allow everyone from my LAN
 client pass {
    from: 192.168.0.0/24 port 1-65535 to: 0.0.0.0/0
    log: connect disconnect
  }
 
 # Block everyone else
 client block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
  }
 
 # Block all connections to lo
 block {
    from: 0.0.0.0/0 to: 127.0.0.0/8
    log: connect error
  }
 
 # Block connections to subnet 172.16.0.0/12
 block {
    from: 0.0.0.0/0 to: 172.16.0.0/12
    log: connect error
  }
 

 # Allow replies to bind and incoming udp
 pass {
    from: 0.0.0.0/0 to: 192.168.0.0/24
    command: bindreply udpreply
    log: connect error
  }
 
 # Allow tcp and udp connections from our lan to everywhere
 pass {
    from: 192.168.0.0/24 to: 0.0.0.0/0
    protocol: tcp udp
    log: error
  }
 
 # Log all the rest
 block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
  }
 
My final configuration file:
 logoutput: /var/log/sockd/sockd
 internal: eth0 port = 1080
 external: eth0
 
 method: username
 clientmethod: none
 
 user.libwrap: sockd
 user.privileged: root
 user.notprivileged: sockd
 
 connecttimeout: 300
 
## client access rules
 
client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect disconnect
}

## server operation access rules

#allow bind to ports greater than 1023
pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0 port gt 1023
#   command: bind
    command: bind bindreply connect udpassociate udpreply
    log: connect disconnect
}

#allow outgoing connections (tcp and udp)
pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
#   command: connect udpassociate
    command: bind bindreply connect udpassociate udpreply
    log: connect disconnect
}

#allow replies to bind, and incoming udp packets
pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
#   command: bindreply udpreply
    command: bind bindreply connect udpassociate udpreply
    log: connect error
}

#log the rest
block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
}
 

5. Starting and stopping
When you install from source, there's no init script provided. You can use the one below:

 #!/bin/sh
 # Load the distribution's init helper functions and network settings.
 . /etc/rc.d/init.d/functions
 . /etc/sysconfig/network

 # Check that networking is up.
 [ "${NETWORKING}" = "no" ] && exit 0

 [ -f /usr/local/sbin/sockd ] || exit 0

 [ ! -f /etc/sockd.conf ] && exit 1
 # The source line is cut off after "SOCKD_C"; this value is an assumption
 # (-f names the configuration file that was just checked).
 SOCKD_CONF="-f /etc/sockd.conf"

 case "$1" in
   start)
    # Start daemons.
    echo -n "Starting sockd: "
    daemon /usr/local/sbin/sockd -D $SOCKD_CONF
    echo
    touch /var/lock/subsys/sockd
    ;;
   stop)
    # Stop daemons.
    echo -n "Shutting down sockd: "
    killproc sockd
    echo
    rm -f /var/lock/subsys/sockd
    ;;
   restart)
    $0 stop
    $0 start
    ;;
   status)
    status sockd
    ;;
   *)
    echo "Usage: sockd {start|stop|restart|status}"
    exit 1
    ;;
 esac

 exit 0
 
6. Logrotation
After a while your socks logs will fill up with connection attempts and errors. To keep them organised you should rotate them frequently. The built-in GNU/Linux logrotate tool can do the trick, but eventually you will run into trouble with the file locking. As an alternative you could use this script and add it to /etc/cron.weekly:

 #!/bin/sh

 DAY=`date +%d-%B-%Y`

 # Copy the current log to a dated file, then empty the live log in place.
 cp /var/log/sockd/sockd /var/log/sockd/sockd.${DAY}
 echo > /var/log/sockd/sockd

This can be changed to run daily.
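
An added example, not part of the original post: a small Python check that reads a sockd.conf and reports the exposure-relevant settings from the two configurations above (authentication method, who may connect, and whether loopback is reachable through the proxy). It relies on Dante evaluating rules in file order with the first match winning; the finding names and both sample configurations are constructed for illustration.

```python
import ipaddress
import re

# Constructed samples modelled on the post's two configs (rules put on one line).
LAN_ONLY = """
method: none username pam
client pass { from: 192.168.0.0/24 port 1-65535 to: 0.0.0.0/0 }
client block { from: 0.0.0.0/0 to: 0.0.0.0/0 }
block { from: 0.0.0.0/0 to: 127.0.0.0/8 }
pass { from: 192.168.0.0/24 to: 0.0.0.0/0 }
"""
OPEN_TO_ALL = """
method: username
client pass { from: 0.0.0.0/0 to: 0.0.0.0/0 }
pass { from: 0.0.0.0/0 to: 0.0.0.0/0 port gt 1023 }  # matched first
block { from: 0.0.0.0/0 to: 0.0.0.0/0 }
"""
RULE = re.compile(r"((?:client\s+)?(?:pass|block))\s*\{(.*?)\}", re.S)
ANY = ipaddress.ip_network("0.0.0.0/0")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def net(body, key):
    """Network after 'from:'/'to:'; None for hostnames or interface names."""
    m = re.search(r"\b%s:\s*(\S+)" % key, body)
    try:
        return ipaddress.ip_network(m.group(1), strict=False) if m else None
    except ValueError:
        return None

def audit(conf):
    """Return finding codes (names are this example's own), in file order."""
    conf = "\n".join(l.split("#", 1)[0] for l in conf.splitlines())
    findings = []
    m = re.search(r"^\s*method:(.*)$", RULE.sub("", conf), re.M)
    if m and "none" in m.group(1).split():
        findings.append("method-none")            # SOCKS requests need no auth
    loopback_blocked = False
    for kind, body in RULE.findall(conf):
        kind = " ".join(kind.split())
        src, dst = net(body, "from"), net(body, "to")
        if kind == "client pass" and src == ANY:
            findings.append("client-pass-from-any")   # any host may connect
        elif kind == "block" and src == ANY and dst is not None and LOOPBACK.subnet_of(dst):
            loopback_blocked = True
        elif kind == "pass" and dst is not None and dst.overlaps(LOOPBACK) and not loopback_blocked:
            findings.append("pass-reaches-loopback")  # no earlier block wins
    return findings

if __name__ == "__main__":
    print(audit(LAN_ONLY), audit(OPEN_TO_ALL))
```

To check a real file, pass its contents to `audit()`, for example `audit(open("/etc/sockd.conf").read())`.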