- make
- gcc
- g++
To install them, you can run `apt-get update && apt-get install make gcc g++`.
If root privileges are required, use `sudo apt-get update && sudo apt-get install make gcc g++`.
(Alternatively, you can install the package `build-essential`.)
(Getting the newest version from http://www.inet.no/dante/download.html is recommended.)
- Use `wget <URL>`. For example: use `wget http://www.inet.no/dante/files/dante-1.4.3.tar.gz`.
- Use `tar xvfz <archive filename>`. For example: use `tar xvfz dante-1.4.3.tar.gz`.
- Select the extracted directory as the current location: use `cd <path>`. For example: `cd dante-1.4.3`.
- Prepare for the build with this command: `./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --disable-client --without-libwrap --without-bsdauth --without-gssapi --without-krb5 --without-upnp --without-pam`.
- Build the source and install the compiled source: use `make && make install`. (If root privileges are required, `make && sudo make install`.)
- The init.d script can be found at `/etc/init.d/sockd`. If the file doesn't exist, create it.
- Its content should be like this:
```sh
#! /bin/sh
### BEGIN INIT INFO
# Provides: sockd
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start the dante SOCKS server.
# Description: SOCKS (v4 and v5) proxy server daemon (sockd).
#              This server allows clients to connect to it and
#              request proxying of TCP or UDP network traffic
#              with extensive configuration possibilities.
### END INIT INFO
#
# dante SOCKS server init.d file. Based on /etc/init.d/skeleton:
# Version: @(#)skeleton 1.8 03-Mar-1998 [email protected]
# Via: https://gitorious.org/dante/pkg-debian

PATH=/sbin:/usr/sbin:/bin:/usr/bin
NAME=sockd
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS="-D"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
DESC="Dante SOCKS daemon"
CONFFILE=/etc/$NAME.conf

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions

set -e

# This function makes sure that the Dante server can write to the pid-file.
touch_pidfile ()
{
    if [ -r "$CONFFILE" ]; then
        # Extract the value of user.privileged from the config file
        uid="$(sed -n -e 's/[[:space:]]//g' -e 's/#.*//' -e '/^user\.privileged/{s/[^:]*://p;q;}' "$CONFFILE")"
        if [ -n "$uid" ]; then
            touch "$PIDFILE"
            chown "$uid" "$PIDFILE"
        fi
    fi
}

case "$1" in
    start)
        # Refuse to start when the config has no effective (non-comment) settings
        if ! grep -E -cve '^ *(#|$)' \
            -e '^(logoutput|user\.((not)?privileged|libwrap)):' \
            "$CONFFILE" > /dev/null
        then
            echo "Not starting $DESC: not configured."
            exit 0
        fi
        echo -n "Starting $DESC: "
        touch_pidfile
        # Exit 1 if the daemon is already running, 2 if it could not be started
        start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
            || exit 1
        start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
            $DAEMON_ARGS \
            || exit 2
        echo "$NAME."
        ;;
    stop)
        echo -n "Stopping $DESC: "
        # Capture the status without tripping "set -e" when the daemon is not running
        RETVAL=0
        start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile "$PIDFILE" --name "$NAME" \
            || RETVAL="$?"
        [ "$RETVAL" = 2 ] && exit 2
        RETVAL=0
        start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec "$DAEMON" \
            || RETVAL="$?"
        [ "$RETVAL" = 2 ] && exit 2
        echo "$NAME."
        ;;
    reload|force-reload)
        #
        # If the daemon can reload its config files on the fly
        # for example by sending it SIGHUP, do it here.
        #
        # If the daemon responds to changes in its config file
        # directly anyway, make this a do-nothing entry.
        #
        echo "Reloading $DESC configuration files."
        start-stop-daemon --stop --signal 1 --quiet --pidfile \
            "$PIDFILE" --exec "$DAEMON" -- -D
        ;;
    restart)
        #
        # If the "reload" option is implemented, move the "force-reload"
        # option to the "reload" entry above. If not, "force-reload" is
        # just the same as "restart".
        #
        echo -n "Restarting $DESC: "
        start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --exec "$DAEMON"
        sleep 1
        touch_pidfile
        start-stop-daemon --start --quiet --pidfile "$PIDFILE" \
            --exec "$DAEMON" -- -D
        echo "$NAME."
        ;;
    status)
        status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
        ;;
    *)
        N=/etc/init.d/$NAME
        # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
        echo "Usage: $N {start|stop|restart|status|force-reload}" >&2
        exit 1
        ;;
esac

exit 0
```
- Set permissions for the file. Use `chmod +x /etc/init.d/sockd`. (If root privileges are required, `sudo chmod +x /etc/init.d/sockd`.)
- Update the service list. Use `update-rc.d sockd defaults`. (If root privileges are required, `sudo update-rc.d sockd defaults`.)
- The config file is located at `/etc/sockd.conf`. If the file doesn't exist, create it.
- Its content should be like:
```
# listen on... can be an IP or an interface
# If it's an interface, Danted can query all IP addresses of the given interface and then bind to all of them, both IPv4 and IPv6 (if IPv6 is available on the interface).
# Otherwise, if you specify IPs, you have to add one `internal` line per address, like the commented examples below:
## internal: 10.0.0.1 port = 1080 # Bind to local network IPv4.
## internal: 192.168.1.2 port = 1080 # Bind to local network IPv4.
## internal: ::1 port = 1080 # Bind to loopback IPv6.
internal: eth0 port = 1080

# send out through... can be an IP or an interface. This `external` config uses the same logic as `internal` above. However, it's best to use an interface name here.
external: eth0

# for user auth run as this user
user.privileged: root

# otherwise run as this user
user.unprivileged: nobody

# auth with user login, passwd
socksmethod: username

# log to this file
logoutput: /var/log/sockd.log

# IPv4 and IPv6 need their own block/pass rules. You can't specify IPv4 and IPv6 in the same rule.
# By default, Danted will block everything outside of "pass" rules, but specifying the blocks explicitly won't hurt.

# Block all requests to localhost and loopback (IPv4)
socks block { from: 0.0.0.0/0 to: lo log: connect }
socks block { from: 0.0.0.0/0 to: eth0 log: connect }

# Block all requests to localhost and loopback (IPv6)
socks block { from: ::/0 to: lo log: connect }
socks block { from: ::/0 to: eth0 log: connect }

# allow everyone from everywhere to connect to this proxy server so long as it's IPv4 and they auth, log errors
client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: error # connect disconnect iooperation
    socksmethod: username
}

# allow everyone from everywhere to connect to this proxy server so long as it's IPv6 and they auth, log errors
client pass {
    from: ::/0 to: ::/0
    log: error # connect disconnect iooperation
    socksmethod: username
}

# allow any `bind`, `connect` and `udpassociate` requests to anywhere so long as they auth and the destination is an IPv4 one
# Logging errors
socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bind connect udpassociate
    log: error # connect disconnect iooperation
    socksmethod: username
}

# allow any `bind`, `connect` and `udpassociate` requests to anywhere so long as they auth and the destination is an IPv6 one
# Logging errors
socks pass {
    from: ::/0 to: ::/0
    command: bind connect udpassociate
    log: error # connect disconnect iooperation
    socksmethod: username
}

# generic pass statement for incoming connections/packets
# because something about no support for auth with bindreply udpreply ?
# socks pass {
#     from: 0.0.0.0/0 to: 0.0.0.0/0
#     command: bindreply udpreply
#     log: error # connect disconnect iooperation
# }
```
- Take note that, depending on the machine, the interface may not be `eth0`. Find out which network interface to use through `ifconfig`.
- You can also use an IP address instead of an interface name. However, this doesn't work well if the IP isn't a static one, as you need to modify the config file each time the IP changes.
- For `internal`, using `0.0.0.0` also works, as it binds to all available interfaces on the machine (including localhost). This should work on every machine.
- For `external`, it should be your public IP.
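To review which pass rules in a config like the one above accept clients from any address, and which auth method guards them, here is an added example (not part of the original guide). The function names, verdict labels and the embedded sample config are constructed for illustration; an unset method is flagged conservatively as unauthenticated.

```shell
# Added example (not from the guide): flag Dante pass rules open to any address.
# Constructed sample: rules modelled on the guide plus two made-up variants.
sample_conf() {
    cat <<'EOF'
socksmethod: username
socks block { from: 0.0.0.0/0 to: lo log: connect }
client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: error # connect disconnect iooperation
    socksmethod: username
}
client pass { from: 10.0.0.0/8 to: 0.0.0.0/0 }
socks pass {
    from: ::/0 to: ::/0
    command: bind connect udpassociate
    socksmethod: none
}
EOF
}

# audit_sockd_conf [FILE]: one line per pass rule (no FILE or "-" reads stdin)
audit_sockd_conf() {
    awk '
    function methods(start,   s, k) {          # join method names up to next keyword
        for (k = start; k <= NF && $k != "}" && $k !~ /:$/; k++)
            s = s (s == "" ? "" : ",") $k
        return s
    }
    { sub(/#.*/, "") }                          # strip comments
    !depth && $1 == "socksmethod:" { global = methods(2) }   # global default
    !depth && index($0, "{") {                  # a rule opens on this line
        depth = 1; pass = ($2 ~ /^pass/); type = $1; from = method = ""
    }
    depth {                                     # collect keys inside the rule
        for (i = 1; i < NF; i++) {
            if ($i == "from:") from = $(i + 1)
            if ($i == "socksmethod:") method = methods(i + 1)
        }
    }
    depth && index($0, "}") {                   # rule closes: report pass rules
        m = (method != "" ? method : (global != "" ? global : "unset"))
        any = (from == "0.0.0.0/0" || from == "::/0")
        v = !any ? "restricted" : (m ~ /(^|,)(none|unset)(,|$)/ ? "any-source-noauth" : "any-source")
        if (pass) printf "%s-pass from=%s method=%s %s\n", type, from, m, v
        depth = 0
    }' "${1:--}"
}

sample_conf | audit_sockd_conf -
```

Run it against the live file with `audit_sockd_conf /etc/sockd.conf`; rules reported as `any-source` are reachable from the whole internet and protected only by the username/password method.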
Now you can use `/etc/init.d/sockd` as a service. For example: `/etc/init.d/sockd start` or `/etc/init.d/sockd stop`. If root privileges are required, `sudo /etc/init.d/sockd start` or `sudo /etc/init.d/sockd stop`.
Make a user with no home or shell just for authenticating to the proxy. Replace {PASSWORD} and {USER} with the password and the username.
`useradd -M -s /usr/sbin/nologin -p $(openssl passwd -1 {PASSWORD}) {USER}`
If root privileges are required, `sudo useradd -M -s /usr/sbin/nologin -p $(openssl passwd -1 {PASSWORD}) {USER}`.
`-M` avoids making a home directory, and `-s /usr/sbin/nologin` sets the shell to nologin so they get kicked instantly (take note that `/usr/sbin/nologin` may not be the correct path for everyone).
`-p` sets the password; it is passed through `openssl` because `useradd -p` expects the already-hashed form rather than the plaintext. Note that `-1` selects the MD5-based crypt format, and a password typed on the command line can end up in shell history and is visible in the process list while the command runs.
Obviously, full user accounts can be used, but the username and password are sent in cleartext, so I would advise against using important accounts, or advise using a different auth method or multiple auth methods.
You can combine this with SSH's config file to deny login for Danted's user, so that the user can only be used for Danted auth.
For example: `DenyUsers root`, or `DenyUsers user1 user2 user3`.
The default config file is at `/etc/ssh/sshd_config`. However, you should add your own config file for SSH, as it will still be loaded (as long as the default config file isn't edited wrongly). Create a file in the folder `/etc/ssh/sshd_config.d/` with any name ending with the `.conf` extension, e.g. `/etc/ssh/sshd_config.d/danted.conf`.
Example: run `sudo nano /etc/ssh/sshd_config.d/danted.conf` and enter:
`DenyUsers mydanteduser`
Then hit Ctrl+O and ENTER to write the file out. Then hit Ctrl+X to exit nano.
- Ubuntu 16.04 LTS (Worked).
- Ubuntu 22.04 LTS (Worked).