m4dz · May 12, 2013 20:04
diff --git a/danted.conf b/danted.conf
 # The configfile is divided into three parts;
 #    1) serversettings
 #    2) rules
 #    3) routes
 #
 # The recommended order is:
 #   Serversettings:
 #               logoutput
 #               internal
 #               external
 #               method
 #               clientmethod
 #               users
 #               compatibility
 #               extension
 #               connecttimeout
 #               iotimeout
 #  	srchost
 #
 #  Rules:
 #	client block/pass
 #		from to
 #		libwrap
 #		log
 #
 #     block/pass
 #		from to
 #		method
 #		command
 #		libwrap
 #		log
 #		protocol
 #		proxyprotocol
 #
 #  Routes:

 # the server will log both via syslog, to stdout and to /var/log/lotsoflogs
 #logoutput: syslog stdout /var/log/lotsoflogs
 logoutput: syslog

 # The server will bind to the address 10.1.1.1, port 1080 and will only
 # accept connections going to that address.
 #internal: 10.1.1.1 port = 1080
 # Alternatively, the interface name can be used instead of the address.
 internal: venet0:0 port = 443

 # all outgoing connections from the server will use the IP address
 # 195.168.1.1
 external: venet0:0

 # list over acceptable methods, order of preference.
 # A method not set here will never be selected.
 #
 # If the method field is not set in a rule, the global
 # method is filled in for that rule.
 #

 # methods for socks-rules.
 method: username none #rfc931

 # methods for client-rules.
 #clientmethod: none

 #or if you want to allow rfc931 (ident) too
 #method: username rfc931 none

 #or for PAM authentification
 #method: pam

 #
 # An important section, pay attention.
 #

 # when doing something that can require privilege, it will use the
 # userid:
 user.privileged: root

 # when running as usual, it will use the unprivileged userid of:
 user.notprivileged: nobody

 # If you compiled with libwrap support, what userid should it use
 # when executing your libwrap commands?  "libwrap".
 user.libwrap: nobody


 #
 # some options to help clients with compatibility:
 #

 # when a client connection comes in the socksserver will try to use
 # the same port as the client is using, when the socksserver
 # goes out on the clients behalf (external: IP address).
 # If this option is set, Dante will try to do it for reserved ports aswell.
 # This will usually require user.privileged to be set to "root".
 #compatibility: sameport

 # If you are using the bind extension and have trouble running servers
 # via the server, you might try setting this.  The consequences of it
 # are unknown.
 #compatibility: reuseaddr

 #
 # The Dante server supports some extensions to the socks protocol.
 # These require that the socks client implements the same extension and
 # can be enabled using the "extension" keyword.
 #
 # enable the bind extension.
 #extension: bind


 #
 #
 # misc options.
 #

 # how many seconds can pass from when a client connects til it has
 # sent us it's request?  Adjust according to your network performance
 # and methods supported.
 #connecttimeout: 30   # on a lan, this should be enough if method is "none".

 # how many seconds can the client and it's peer idle without sending
 # any data before we dump it?  Unless you disable tcp keep-alive for
 # some reason, it's probably best to set this to 0, which is
 # "forever".
 #iotimeout: 0 # or perhaps 86400, for a day.

 # do you want to accept connections from addresses without
 # dns info?  what about addresses having a mismatch in dnsinfo?
 #srchost: nounknown nomismatch

 #
 # The actual rules.  There are two kinds and they work at different levels.
 #
 # The rules prefixed with "client" are checked first and say who is allowed
 # and who is not allowed to speak/connect to the server.  I.e the
 # ip range containing possibly valid clients.
 # It is especially important that these only use IP addresses, not hostnames,
 # for security reasons.
 #

 # client IP addresses that allowed to use this service
 # HOME
 client pass {
 	from: <your.ip.adress.here>/32 port 1-65535 to: 0.0.0.0/0
 }

 client pass {
 	from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
 }


 # block everyone else
 client block {
 	from: 0.0.0.0/0 to: 0.0.0.0/0
 	log: connect error
 }


 block {
 	from: 0.0.0.0/0 to: 127.0.0.0/8
 	log: connect error
 }

 #allow client to connect to all ip addres/site via this proxy
 pass {
    from: <your.ip.adress.here>/32 to: 0.0.0.0/0
    protocol: tcp udp
 }

 pass {
    from: 127.0.0.0/8 to: 0.0.0.0/0
    protocol: tcp udp
 }

 block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
 }
	# The configfile is divided into three parts;
	# 1) serversettings
	# 2) rules
	# 3) routes
	#
	# The recommended order is:
	# Serversettings:
	# logoutput
	# internal
	# external
	# method
	# clientmethod
	# users
	# compatibility
	# extension
	# connecttimeout
	# iotimeout
	# srchost
	#
	# Rules:
	# client block/pass
	# from to
	# libwrap
	# log
	#
	# block/pass
	# from to
	# method
	# command
	# libwrap
	# log
	# protocol
	# proxyprotocol
	#
	# Routes:

	# the server will log both via syslog, to stdout and to /var/log/lotsoflogs
	#logoutput: syslog stdout /var/log/lotsoflogs
	logoutput: syslog

	# The server will bind to the address 10.1.1.1, port 1080 and will only
	# accept connections going to that address.
	#internal: 10.1.1.1 port = 1080
	# Alternatively, the interface name can be used instead of the address.
	internal: venet0:0 port = 443

	# all outgoing connections from the server will use the IP address
	# 195.168.1.1
	external: venet0:0

	# list over acceptable methods, order of preference.
	# A method not set here will never be selected.
	#
	# If the method field is not set in a rule, the global
	# method is filled in for that rule.
	#

	# methods for socks-rules.
	method: username none #rfc931

	# methods for client-rules.
	#clientmethod: none

	#or if you want to allow rfc931 (ident) too
	#method: username rfc931 none

	#or for PAM authentification
	#method: pam

	#
	# An important section, pay attention.
	#

	# when doing something that can require privilege, it will use the
	# userid:
	user.privileged: root

	# when running as usual, it will use the unprivileged userid of:
	user.notprivileged: nobody

	# If you compiled with libwrap support, what userid should it use
	# when executing your libwrap commands? "libwrap".
	user.libwrap: nobody


	#
	# some options to help clients with compatibility:
	#

	# when a client connection comes in the socksserver will try to use
	# the same port as the client is using, when the socksserver
	# goes out on the clients behalf (external: IP address).
	# If this option is set, Dante will try to do it for reserved ports aswell.
	# This will usually require user.privileged to be set to "root".
	#compatibility: sameport

	# If you are using the bind extension and have trouble running servers
	# via the server, you might try setting this. The consequences of it
	# are unknown.
	#compatibility: reuseaddr

	#
	# The Dante server supports some extensions to the socks protocol.
	# These require that the socks client implements the same extension and
	# can be enabled using the "extension" keyword.
	#
	# enable the bind extension.
	#extension: bind


	#
	#
	# misc options.
	#

	# how many seconds can pass from when a client connects til it has
	# sent us it's request? Adjust according to your network performance
	# and methods supported.
	#connecttimeout: 30 # on a lan, this should be enough if method is "none".

	# how many seconds can the client and it's peer idle without sending
	# any data before we dump it? Unless you disable tcp keep-alive for
	# some reason, it's probably best to set this to 0, which is
	# "forever".
	#iotimeout: 0 # or perhaps 86400, for a day.

	# do you want to accept connections from addresses without
	# dns info? what about addresses having a mismatch in dnsinfo?
	#srchost: nounknown nomismatch

	#
	# The actual rules. There are two kinds and they work at different levels.
	#
	# The rules prefixed with "client" are checked first and say who is allowed
	# and who is not allowed to speak/connect to the server. I.e the
	# ip range containing possibly valid clients.
	# It is especially important that these only use IP addresses, not hostnames,
	# for security reasons.
	#

	# client IP addresses that allowed to use this service
	# HOME
	client pass {
	from: <your.ip.adress.here>/32 port 1-65535 to: 0.0.0.0/0
	}

	client pass {
	from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
	}


	# block everyone else
	client block {
	from: 0.0.0.0/0 to: 0.0.0.0/0
	log: connect error
	}


	block {
	from: 0.0.0.0/0 to: 127.0.0.0/8
	log: connect error
	}

	#allow client to connect to all ip addres/site via this proxy
	pass {
	from: <your.ip.adress.here>/32 to: 0.0.0.0/0
	protocol: tcp udp
	}

	pass {
	from: 127.0.0.0/8 to: 0.0.0.0/0
	protocol: tcp udp
	}

	block {
	from: 0.0.0.0/0 to: 0.0.0.0/0
	log: connect error
	}