A sample dante SOCKS config

Version 1

    Everyone knows what it's like to come across something new that you know many others have done before you, but you still feel like you have to research it all from scratch.  Need a dante SOCKS proxy?  Look no further.

     

     

    A SOCKS service provides a method to proxy all socket connections down a single port.  From a security perspective this means that fewer ports need to be opened on the client firewalls.  The trade-off is that the access policy moves from the firewall into sockd.conf: the proxy, not the firewall, now decides which client may reach which destination and port, so the authentication method and the pass/block rules shown below are the control that matters.
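    What a client and the proxy actually exchange when sockd is configured with "method: none", as an added example (my code, not from the page or from the Dante project): it encodes and decodes the SOCKS5 greeting, method selection, CONNECT request and reply from RFC 1928, and is_open_proxy uses them to check, from whatever host it runs on, whether a sockd accepts an unauthenticated CONNECT.  The proxy address, target address, port and host name are assumed for illustration.

```python
"""SOCKS5 (RFC 1928) CONNECT exchange as a Dante server configured with
"method: none" sees it.  Added example, not code from the page or from the
Dante project; addresses, ports and host names below are constructed."""
import socket
import struct

SOCKS_VER = 0x05
METHOD_NOAUTH = 0x00            # what "method: none" offers every client
METHOD_UNACCEPTABLE = 0xFF      # server refuses all methods the client offered
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03

REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",   # what a matching "block" rule yields
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting(methods=(METHOD_NOAUTH,)):
    """Client hello: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VER, len(methods), *methods])


def parse_method_selection(data):
    """Server's answer to the greeting: VER | METHOD.  Returns the chosen method."""
    if len(data) != 2 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 method selection: %r" % (data,))
    return data[1]


def build_connect(host, port):
    """CONNECT request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.
    Dotted-quad hosts go as ATYP 1, anything else as a domain name (ATYP 3)
    so the proxy, not the client, resolves it."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_reply(data):
    """Reply: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT.
    Returns (reply_code, bound_host, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply: %r" % (data,))
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4 and len(data) == 10:
        return rep, socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]
    if atyp == ATYP_DOMAIN and len(data) >= 5:
        n = data[4]
        if len(data) != 7 + n:
            raise ValueError("truncated domain reply: %r" % (data,))
        return rep, data[5:5 + n].decode("idna"), struct.unpack("!H", data[5 + n:7 + n])[0]
    raise ValueError("unsupported or truncated reply: %r" % (data,))


def is_open_proxy(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Live check from wherever this runs: does the proxy let an unauthenticated
    client CONNECT to target_host:target_port?  Returns (noauth_accepted, reply_code);
    reply_code is None when the proxy demanded authentication.  Needs network access."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        if parse_method_selection(s.recv(2)) != METHOD_NOAUTH:
            return False, None
        s.sendall(build_connect(target_host, target_port))
        rep, _, _ = parse_connect_reply(s.recv(262))
        return True, rep


if __name__ == "__main__":
    # Assumed addresses: the proxy host and a BladeLogic agent port on the application server.
    ok, rep = is_open_proxy("10.190.11.11", 1080, "146.105.32.224", 4750)
    print("no-auth accepted:", ok, "reply:", REPLY_TEXT.get(rep, rep))
```

    Run it from a host that should not be allowed to use the proxy: "no-auth accepted: True" with reply 0 means the proxy is open to that host for that destination; reply 2 means a block rule caught it; a method of 0xFF at the greeting stage means the server wants authentication.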

     

    {install dante RPM and pre-requisite}

     

    [root@aServerHost home]# rpm -ivh miniupnpc-1.4.el5.rf.i386.rpm

    warning: miniupnpc-1.4.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6

    Preparing...                ########################################### [100%]

       1:miniupnpc              ########################################### [100%]

    [root@aServerHost home]# rpm -ivh dante-1.2.3-1.el5.rf.i386.rpm

    warning: dante-1.2.3-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6

    Preparing...                ########################################### [100%]

       1:dante                  ########################################### [100%]

    [root@aServerHost home]# rpm -ivh dante-server-1.2.3-1.el5.rf.i386.rpm

    warning: dante-server-1.2.3-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6

    Preparing...                ########################################### [100%]

       1:dante-server           ########################################### [100%]

    [root@aServerHost home]#

    Note the NOKEY warnings: each package carries a signature, but rpm had no public key for key ID 6b8d79e6 and so installed the packages without verifying them.  Import the packager's GPG key first (rpm --import) and check the files with rpm -K before installing, so that a tampered or substituted RPM fails the check instead of going in with a warning.

     

    {Configure sockd.conf}

     

    [root@aServerHost tmp]# vi /etc/sockd.conf

    ## general configuration (taken from FAQ; <URL:http://www.inet.no/dante/FAQ>)

     

    timeout.io: 0            # 0 = no idle timeout on established sessions (dead peers are only caught by TCP keepalive, see the sysctl settings at the end)
    timeout.negotiate: 0     # 0 = no limit on how long a client may take to finish the SOCKS handshake

    internal: eth0 port = 1080

    external: eth0

    #external: eth1

    method: none             # no SOCKS authentication; the pass/block rules below are the only access control

    #user.privileged: root

    #user.unprivileged: nobody   # commented out, so nothing tells sockd to drop privileges from the account that started it (root here); set user.unprivileged so normal work runs as nobody

    logoutput: syslog

    debug: 9                 # very verbose, every session detail goes to syslog; set to 0 once the proxy works

     

    ## client access rules (who may connect to port 1080 at all; checked in order, first match wins)

     

    client pass { from: eth0 to: eth1 } # address-range on internal nic.

     

    # NOTE: the next rule admits every source address, which makes the rule above
    # redundant and, together with "method: none", lets anyone who can reach
    # port 1080 use the proxy.
    client pass {

            from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0

            log: connect error

    }

     

    ## socks rules (which destinations a connected client may reach); also first match wins

    pass {

            from: 0.0.0.0/0 to: 0.0.0.0/0 port = 4750

            proxyprotocol: socks_v5

            log: connect error

    }

     

    pass {

            from: 0.0.0.0/0 to: 0.0.0.0/0 port = 22

            proxyprotocol: socks_v5

            log: connect error

    }

     

    # Catch-all: no rule after this one is ever evaluated, including the
    # loopback block and the per-client rules below.
    block {

            from: 0.0.0.0/0 to: 0.0.0.0/0

            log: connect error

    }

     

    ## server operation access rules
    ## (these are ordinary socks rules too; as ordered here they are unreachable, see the catch-all above)

     

    # block connections to localhost, or they will appear to come from the proxy.
    # To take effect this must come BEFORE the pass rules: the
    # "to: 0.0.0.0/0 port = 4750" pass above already admits 127.0.0.1:4750.

    block { from: 0.0.0.0/0 to: lo log: connect }

     

    ## Allow the application server (the SOCKS client, i.e. "from:") to connect to any host on port 4750 (BladeLogic agent port)

    pass {

      from: 146.105.32.224/32 to: 0.0.0.0/0 port 4750-4750 }

     

    pass {

      from: 146.105.32.226/32 to: 0.0.0.0/0 port 4750-4750 }

     

    block {

      from: 0.0.0.0/0 to: 0.0.0.0/0

      log: connect error

    }
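    To see what the ordering of the socks rules above actually does, here is a first-match evaluator as an added example (my code, not Dante's): it models only the from/to/port matching of pass and block rules the way sockd applies them (rules tried in order, first match decides, nothing matching is blocked), lists the rules that can never fire, and compares the page's order with a reordered list that keeps only the two named application servers.  "to: lo" is modelled as 127.0.0.0/8, and the client and destination addresses in the checks are constructed.

```python
"""First-match evaluation of sockd-style socks rules.  Added example, not
Dante's own code: it models only the address/port matching of the "pass" and
"block" rules in sockd.conf (rules are tried in order, the first match decides,
nothing matching is blocked), so the effect of rule ORDER in the listing above
can be checked without starting sockd.  "to: lo" is modelled as 127.0.0.0/8
and the client addresses used in the checks are constructed."""
import ipaddress


class Rule:
    def __init__(self, verdict, src, dst, ports=None):
        self.verdict = verdict                      # "pass" or "block"
        self.src = ipaddress.ip_network(src)        # from:  (the SOCKS client)
        self.dst = ipaddress.ip_network(dst)        # to:    (the destination)
        self.ports = ports                          # (low, high) destination ports, None = any

    def matches(self, src, dst, port):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.ports is None or self.ports[0] <= port <= self.ports[1]))

    def covered_by(self, other):
        """True when everything this rule could match, other matches too."""
        return (self.src.subnet_of(other.src) and self.dst.subnet_of(other.dst)
                and (other.ports is None
                     or (self.ports is not None
                         and other.ports[0] <= self.ports[0]
                         and self.ports[1] <= other.ports[1])))


def evaluate(rules, src, dst, port):
    """Return (verdict, index of the rule that decided); index None = implicit block."""
    for i, rule in enumerate(rules):
        if rule.matches(src, dst, port):
            return rule.verdict, i
    return "block", None


def unreachable(rules):
    """Indexes of rules that can never fire because an earlier rule shadows them."""
    return [i for i, rule in enumerate(rules)
            if any(rule.covered_by(earlier) for earlier in rules[:i])]


# The socks rules exactly as ordered on the page.
PAGE_RULES = [
    Rule("pass",  "0.0.0.0/0", "0.0.0.0/0", (4750, 4750)),
    Rule("pass",  "0.0.0.0/0", "0.0.0.0/0", (22, 22)),
    Rule("block", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("block", "0.0.0.0/0", "127.0.0.0/8"),          # "to: lo"
    Rule("pass",  "146.105.32.224/32", "0.0.0.0/0", (4750, 4750)),
    Rule("pass",  "146.105.32.226/32", "0.0.0.0/0", (4750, 4750)),
    Rule("block", "0.0.0.0/0", "0.0.0.0/0"),
]

# Reordered: loopback guard first, the two named application servers next,
# deny everything else.  The blanket passes for 4750 and 22 are dropped; add a
# narrow rule if a client genuinely needs ssh through the proxy.
REORDERED_RULES = [
    Rule("block", "0.0.0.0/0", "127.0.0.0/8"),
    Rule("pass",  "146.105.32.224/32", "0.0.0.0/0", (4750, 4750)),
    Rule("pass",  "146.105.32.226/32", "0.0.0.0/0", (4750, 4750)),
    Rule("block", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("dead rules on the page  :", unreachable(PAGE_RULES))
    print("stranger -> agent:4750  :", evaluate(PAGE_RULES, "198.51.100.9", "10.190.12.7", 4750))
    print("stranger -> loopback    :", evaluate(PAGE_RULES, "198.51.100.9", "127.0.0.1", 4750))
    print("reordered, stranger     :", evaluate(REORDERED_RULES, "198.51.100.9", "10.190.12.7", 4750))
    print("reordered, app server   :", evaluate(REORDERED_RULES, "146.105.32.224", "10.190.12.7", 4750))
```

    With the page's order, rules 3 to 6 are dead (the loopback block and the final block are shadowed by the catch-all block at index 2, the two per-client passes by the blanket pass at index 0), any client reaches any host on 4750 or 22, and the loopback block never protects 127.0.0.1.  The reordered list has no dead rules and only the two application servers get through.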

     
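    The same policy intent as the sockd.conf above, rewritten in an order that sockd will actually apply, as an added fragment (mine, not from the page or the Dante documentation).  It keeps the page's interfaces, addresses and agent port, keeps timeout.io: 0 because the page relies on TCP keepalive for dead-peer detection, and assumes that the two listed application servers are the only SOCKS clients.

```conf
## general configuration
logoutput: syslog
debug: 0                          # page had debug: 9; turn verbose logging off once it works

internal: eth0 port = 1080
external: eth0

# bind port 1080 as root, do everything else as nobody
user.privileged: root
user.unprivileged: nobody

timeout.negotiate: 30             # a client gets 30 s to finish the SOCKS handshake
timeout.io: 0                     # as on the page: no idle timeout, TCP keepalive reaps dead peers

method: none                      # no SOCKS authentication: the client address is the only control

## client access rules: only the two application servers may talk to port 1080
client pass {
        from: 146.105.32.224/32 to: 0.0.0.0/0
        log: connect error
}
client pass {
        from: 146.105.32.226/32 to: 0.0.0.0/0
        log: connect error
}
client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

## socks rules: first match wins, so the loopback guard comes first and the
## catch-all block comes last
block {
        from: 0.0.0.0/0 to: lo
        log: connect error
}
pass {
        from: 146.105.32.224/32 to: 0.0.0.0/0 port = 4750
        command: connect
        proxyprotocol: socks_v5
        log: connect error
}
pass {
        from: 146.105.32.226/32 to: 0.0.0.0/0 port = 4750
        command: connect
        proxyprotocol: socks_v5
        log: connect error
}
# add a similarly narrow pass rule for port 22 here if a client really needs ssh through the proxy
block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}
```

    Restricting "command: connect" keeps clients from using BIND or UDP ASSOCIATE through the proxy, which the BladeLogic agent traffic does not need.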

    {configure IPTables}

     

    iptables is used to support the SSL connection, or BMI call-back, from the client server being provisioned to the application server over port 9831.  Servers to be provisioned should be configured to use this host (10.190.11.11) as the BMI call-back address.  The configuration shown forwards port 9831 requests to the application server (146.105.32.224) in the Core Infrastructure environment.  Two things to keep in mind: the forward only works with net.ipv4.ip_forward = 1 (listed in the sysctl settings at the end), and the SNAT rule rewrites the source address, so the application server sees every call-back as coming from 10.190.11.11 and this host's own logs are the only place the real client can be attributed.  The filter table below accepts everything, so once forwarding is on the host will also route any other traffic sent through it; tighten FORWARD to the 9831 flow and its established return traffic and drop the rest.

     

    [root@aServerHost tmp]# vi /etc/sysconfig/iptables

    # Generated by iptables-save v1.3.5 on Thu Jul 15 13:57:07 2010

    *nat

    :PREROUTING ACCEPT [0:0]

    :POSTROUTING ACCEPT [2:148]

    :OUTPUT ACCEPT [2:148]

    # call-backs arriving from the network for 10.190.11.11:9831 are redirected to the application server
    -A PREROUTING -d 10.190.11.11 -p tcp -m tcp --dport 9831 -j DNAT --to-destination 146.105.32.224:9831

    # ... and leave with this host as source, so the application server's replies come back through here
    -A POSTROUTING -d 146.105.32.224 -p tcp -m tcp --dport 9831 -j SNAT --to-source 10.190.11.11

    # same redirect for connections originated on this host itself
    -A OUTPUT -d 10.190.11.11 -p tcp -m tcp --dport 9831 -j DNAT --to-destination 146.105.32.224:9831

    COMMIT

    *filter

    # no filtering at all: with ip_forward on, this host routes anything sent through it
    :INPUT ACCEPT [0:0]

    :FORWARD ACCEPT [0:0]

    :OUTPUT ACCEPT [0:0]

    COMMIT
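    The same NAT rules with a filter table that limits what the host forwards and who may reach the SOCKS port, as an added fragment (mine, not from the page).  It keeps the page's addresses and assumes that the two application servers are the only SOCKS clients and that the host is not a gateway for anything besides the 9831 call-backs.

```conf
# added example, not the page's file; load with iptables-restore
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 10.190.11.11 -p tcp -m tcp --dport 9831 -j DNAT --to-destination 146.105.32.224:9831
-A POSTROUTING -d 146.105.32.224 -p tcp -m tcp --dport 9831 -j SNAT --to-source 10.190.11.11
-A OUTPUT -d 10.190.11.11 -p tcp -m tcp --dport 9831 -j DNAT --to-destination 146.105.32.224:9831
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# SOCKS port: only the two application servers (assumed to be the only clients)
-A INPUT -s 146.105.32.224 -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -s 146.105.32.226 -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j DROP
# forward only the DNATed call-back flow (FORWARD sees the rewritten destination) and its return traffic
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 146.105.32.224 -p tcp -m tcp --dport 9831 -m state --state NEW -j ACCEPT
COMMIT
```

    The INPUT rules duplicate the client rules in sockd.conf on purpose: if the proxy configuration is later loosened, the packet filter still keeps strangers off port 1080.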

     

    In addition to the iptables configuration, the following changes are required to the files noted in the table.

     

    File                         Setting

    /etc/security/limits.conf    * - nofile 65535

    /etc/sockd.conf              timeout.io: 0
                                 timeout.negotiate: 0

    /etc/sysctl.conf             net.ipv4.tcp_keepalive_time = 300
                                 net.ipv4.tcp_keepalive_intvl = 1
                                 net.ipv4.tcp_keepalive_probes = 10
                                 net.ipv4.ip_forward = 1

    Notes on these settings: the limits.conf item is nofile (the original "nofiles" is not a recognised item, so pam_limits rejects the line and sockd keeps the default descriptor limit).  timeout.io: 0 disables sockd's own idle timeout, so dead peers are only noticed through the TCP keepalives set here: a connection idle for 300 s is probed once a second and torn down after 10 unanswered probes.  net.ipv4.ip_forward = 1 is what makes the DNAT forward above actually route packets; without it the PREROUTING rule rewrites the destination and the kernel then drops the packet.  Apply the sysctl changes with sysctl -p and re-login (or restart sockd) for the new descriptor limit to take effect.