I have been using the Dante SOCKS v4 and v5 compatible proxy server for quite a few months now. A SOCKS proxy is a general purpose proxying daemon. It works great for tunneling things like HTTP and AOL IM through a trusted relay over a secure connection. The untrusted medium could be a wireless link or a corporate network with a draconian Web access policy. The SOCKS proxy provides the connection proxying mechanism and the tunnel (via OpenSSH) provides the security.
It's possible you do not need to install and configure Dante at all. OpenSSH supports basic SOCKS emulation. For example, the following sets up a basic SOCKS proxy on localhost, reachable on port 1080, and carries every proxied connection over the SSH session to the target host, rebecca. From there the outbound connection is made much as a real SOCKS proxy would make it.
jasonb@faith:~$ ssh -D 1080 rebecca
If the above doesn't work for your application, you can read on for information on configuring and installing Dante, a complete SOCKS proxy solution.
Obtaining and Configuring Dante
Dante is a fully functional SOCKS proxy server and as such has many knobs. Fortunately, setting up a basic configuration that will allow tunneling of things like HTTP is relatively simple.
If you're running Debian GNU/Linux, simply run:
# apt-get update
# apt-get install dante-server
Thereafter, you can skip the source compilation step and move on to the configuration file.
For non-Debian users, obtain a copy of Dante. The most recent version is 1.1.14 as of this writing. Unpack the source tarball, browse the various documentation files, then run a configure similar to the following.
jasonb@faith:~/src$ tar -zxvf dante-1.1.14.tar.gz
...
jasonb@faith:~/src$ cd dante-1.1.14
jasonb@faith:~/src/dante-1.1.14$
jasonb@faith:~/src/dante-1.1.14$ ./configure \
--with-sockd-conf=/etc/danted.conf
Configuring Dante 1.1.14:
...
jasonb@faith:~/src/dante-1.1.14$ make -j2
...
jasonb@faith:~/src/dante-1.1.14$ su
jasonb@faith:~/src/dante-1.1.14# make install
^D
Once that's done, it's time to take a crack at the configuration file. It's expected to live in /etc/sockd.conf by default, or in /etc/danted.conf if you're using the Debian package or my configure line above.
faith:/# cat /etc/danted.conf
# See examples/sockd.conf for additional details
First, logging is enabled via the syslog mechanism and internal and external addresses are bound. The internal bindings include a port specification. The external one, of course, does not. The external binding cannot be an interface for versions prior to 1.1.7, but that shouldn't be a problem as of this writing. If you have a static IP, that's fine, too.
logoutput: syslog
internal: eth1 port = 1080
internal: 127.0.0.1 port = 1080
external: 1.2.3.4
# or
external: eth0
Next, we define some basic authentication items. Dante supports things like identd and PAM authentication, but I did not configure those. For this proxy's simple task I went without authentication.
method: username none
# Not using authentication, so unnecessary
#user.privileged: proxy
user.notprivileged: nobody
Finally, we define the access controls for this daemon. They are checked against in the order they appear in the configuration file.
It's important not to allow the world to access your proxy server: an open SOCKS proxy lets anyone relay traffic through your host, and that traffic is attributed to you.
The first three directives control which IP ranges can speak to the server. The from: option is obviously the IP space the clients live in. The to: option is one of the IPs the proxy server is bound to that the given IP range can speak to. In this instance, I set it to correspond with all addresses Dante is listening on. The last of the three drops any requests that don't match either of the first two directives.
client pass {
from: 192.168.0.0/16 port 1-65535 to: 0.0.0.0/0
}
client pass {
from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}
client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
These next four directives control who can speak to what. Requests from anywhere to the loopback addresses are dropped. Next, connections from the loopback addresses and 192.168.0.0/16 are allowed to speak to anyone using either the tcp or udp protocols. Finally, all other requests are dropped.
block {
from: 0.0.0.0/0 to: 127.0.0.0/8
log: connect error
}
pass {
from: 192.168.0.0/16 to: 0.0.0.0/0
protocol: tcp udp
}
pass {
from: 127.0.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}
block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
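The rules above are evaluated top to bottom and the first match decides, so their order is part of the policy. The following is an added example (not part of this article or of Dante) that parses a constructed copy of those seven rule blocks and answers, for a given client address, listening address and destination, what Dante would do at the client stage and then at the socks stage. It treats "no rule matched" as a block, which is the conservative reading of the explicit catch-all blocks above.

```python
"""Added example: first-match evaluation of Dante-style client/socks rules.
The rule text below is a constructed copy of the access-control section of
the danted.conf in the article; parse_rules() and decide() are illustrative
code, not Dante's own implementation."""
import ipaddress
import re

# Constructed copy of the seven rule blocks shown in the article.
SAMPLE_RULES = """
client pass { from: 192.168.0.0/16 port 1-65535 to: 0.0.0.0/0 }
client pass { from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0 }
client block { from: 0.0.0.0/0 to: 0.0.0.0/0
               log: connect error }
block { from: 0.0.0.0/0 to: 127.0.0.0/8
        log: connect error }
pass { from: 192.168.0.0/16 to: 0.0.0.0/0
       protocol: tcp udp }
pass { from: 127.0.0.0/8 to: 0.0.0.0/0
       protocol: tcp udp }
block { from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error }
"""

# A rule is an optional "client" keyword, a verdict, and a braced body.
BLOCK_RE = re.compile(r"(client\s+)?(pass|block)\s*\{(.*?)\}", re.S)


def parse_rules(text):
    """Return one dict per rule, in file order (the order is significant)."""
    rules = []
    for client, verdict, body in BLOCK_RE.findall(text):
        src = re.search(r"from:\s*(\S+)", body).group(1)
        dst = re.search(r"to:\s*(\S+)", body).group(1)
        proto = re.search(r"protocol:\s*([^\n}]+)", body)
        rules.append({
            "stage": "client" if client.strip() else "socks",
            "verdict": verdict,
            "from": ipaddress.ip_network(src, strict=False),
            "to": ipaddress.ip_network(dst, strict=False),
            # No protocol line means the rule applies to both protocols.
            "protocol": proto.group(1).split() if proto else ["tcp", "udp"],
        })
    return rules


def first_match(rules, stage, src_ip, dst_ip, protocol="tcp"):
    """The first rule of the given stage whose from/to/protocol all match
    decides; if none matches, this evaluator blocks."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["stage"] != stage:
            continue
        if src in r["from"] and dst in r["to"] and protocol in r["protocol"]:
            return r["verdict"]
    return "block"


def decide(rules, src_ip, listen_ip, dst_ip, protocol="tcp"):
    """Client rules ask whether src_ip may talk to the daemon at listen_ip;
    socks rules then ask whether it may be relayed on to dst_ip."""
    if first_match(rules, "client", src_ip, listen_ip) != "pass":
        return "client block"
    return "socks " + first_match(rules, "socks", src_ip, dst_ip, protocol)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # Addresses below are constructed (RFC 5737 documentation space).
    for src, dst in [("192.168.1.10", "203.0.113.10"),
                     ("10.0.0.5", "203.0.113.10"),
                     ("192.168.1.10", "127.0.0.1")]:
        print(src, "->", dst, ":", decide(rules, src, "192.168.1.1", dst))
```

Moving the "client block" catch-all above the two "client pass" rules turns the proxy into a closed one for everybody, which is an easy way to see why the article stresses rule order; the reverse mistake, a catch-all pass placed first, is what produces an open proxy.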
Now you can fire up Dante.
faith:# sockd -V
(On Debian the binary is called danted rather than sockd.) The -V switch only verifies the configuration file and exits. To start the daemon with debugging output, run:
faith:# sockd -d
Start your favourite Web browser and tell it to use a SOCKS proxy server. Don't accidentally configure it as an HTTP proxy, because that won't work. Visit a working URI and see if it loads. If it does, you're good to go. If not, check /var/log for useful clues. Dante will complain if something isn't working correctly, such as when it isn't able to bind to a port or it's denying you access.
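A browser test tells you only "it loaded" or "it didn't". The following is an added example (not from this article or from the Dante project) of a scripted SOCKS5 check: socks5_connect() speaks the client side of the RFC 1928 handshake, offering only the "no authentication" method that matches the method: none setting above, and reports the proxy's reply code by name. It can be pointed at the real listener on 127.0.0.1:1080; demo() instead runs the same exchange against a constructed in-process stand-in for the server side (it is not Dante) so the wire exchange can be seen offline.

```python
"""Added example: a SOCKS5 CONNECT handshake (RFC 1928) as a scripted check.
socks5_connect() is the client side; _stand_in_server() is a constructed
stand-in used only by demo() and is not Dante."""
import socket
import struct
import threading

SOCKS_VERSION = 5
NO_AUTH = 0x00          # the "none" method from "method: username none"
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure",
              2: "connection not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable",
              5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"   # constructed request relayed in demo()


def build_greeting():
    # VER, NMETHODS, METHODS: we offer exactly one method, "no authentication".
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host, port):
    # VER, CMD, RSV, ATYP=domain, LEN, host, DST.PORT (network byte order).
    name = host.encode()
    head = bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)])
    return head + name + struct.pack("!H", port)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def read_reply(sock):
    """Parse the server reply: returns (reply_code, bound_host, bound_port)."""
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        bnd = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        bnd = recv_exact(sock, recv_exact(sock, 1)[0]).decode()
    elif atyp == ATYP_IPV6:
        bnd = socket.inet_ntop(socket.AF_INET6, recv_exact(sock, 16))
    else:
        raise ValueError("unknown address type %d" % atyp)
    (port,) = struct.unpack("!H", recv_exact(sock, 2))
    return rep, bnd, port


def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=5):
    """Greeting, method selection, CONNECT. Returns (socket, reply) with the
    socket now relayed to dest; raises with the reply text on refusal."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    s.sendall(build_greeting())
    ver, method = recv_exact(s, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        s.close()
        raise ValueError("proxy did not accept 'no authentication' (0x%02x)" % method)
    s.sendall(build_connect(dest_host, dest_port))
    reply = read_reply(s)
    if reply[0] != 0:
        s.close()
        raise ConnectionError("CONNECT failed: " + REPLY_TEXT.get(reply[0], str(reply[0])))
    return s, reply


def _stand_in_server(listener):
    """Constructed stand-in (not Dante): accepts the handshake, answers
    success with a bound address of 127.0.0.1:0, then echoes the payload."""
    conn, _ = listener.accept()
    with conn:
        _ver, nmethods = recv_exact(conn, 2)
        recv_exact(conn, nmethods)                       # offered methods
        conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))    # choose "none"
        recv_exact(conn, 4)                              # VER CMD RSV ATYP
        recv_exact(conn, recv_exact(conn, 1)[0] + 2)     # domain + port
        conn.sendall(bytes([SOCKS_VERSION, 0, 0, ATYP_IPV4])
                     + socket.inet_aton("127.0.0.1") + struct.pack("!H", 0))
        conn.sendall(recv_exact(conn, len(PAYLOAD)))     # echo relayed data


def demo():
    """Run the whole exchange over loopback; returns (reply, echoed_bytes)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=_stand_in_server, args=(listener,), daemon=True)
    t.start()
    s, reply = socks5_connect("127.0.0.1", listener.getsockname()[1],
                              "proxy-target.example", 80)   # hypothetical host
    s.sendall(PAYLOAD)
    echoed = recv_exact(s, len(PAYLOAD))
    s.close()
    t.join()
    listener.close()
    return reply, echoed


if __name__ == "__main__":
    print(demo())
```

Against the real daemon, a CONNECT that the socks rules above deny comes back as reply code 2, "connection not allowed by ruleset", which is the one to look for when you suspect the access controls rather than the tunnel.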
Handling that Dynamic IP Issue
It's always fun to hit your tunnel one morning only to find it's gone. After a little digging, you notice it's because your broadband modem dropped your IP when you weren't looking and left your Dante configuration high and dry. Well, it need not be that way. Recent versions of Dante support using an interface for the external: directive, so this should no longer be necessary. If you can't upgrade to v1.1.7 or newer, you can use the script below to change your external IP address for you.
I run this script whenever my IP changes. I used to run it out of /etc/ppp/ip-up.d, but now I use it in conjunction with the pump DHCP client's script option. It uses the Debian init.d script. Your startup script might vary. The important part is the Perl snippet that alters the configuration file in place. You will need a copy of the iproute package installed on your machine to use the ip command. (apt-get install iproute on Debian, of course.)
#!/bin/bash
set +x
# Script to screw Danted's head on straight after an IP change
IF=eth0
PERL=/usr/bin/perl
DANTED=/etc/danted.conf
# -w keeps "inet6" lines out; head -n1 keeps a single address if the
# interface carries several.
IP=$(/sbin/ip addr show $IF | grep -w inet | head -n1 |\
awk '{ print $2 }' | awk -F\/ '{ print $1 }')
# Rewrite the external: line in place with the current address
$PERL -0777 -pi -e "s/^external.*/external: $IP/gm" $DANTED
# HUPing Danted won't rebind it to a new static address
#kill -SIGHUP `pidof -s /usr/sbin/danted`
/etc/init.d/danted stop > /dev/null
sleep 1
/etc/init.d/danted start > /dev/null
Getting Your Tunnel Ready
Now, it's fun time. With OpenSSH, you can securely tunnel your SOCKS connection to the server running Dante, preventing anyone in between your client and your server from intercepting your session. Assuming you have OpenSSH installed and configured on both the client and the server running Dante, the following should do the trick.
jasonb@faith:~$ ssh -L 1080:localhost:1080 rebecca
If you do not have Dante listening on 127.0.0.1, you will need to substitute an address or hostname that it is listening on. The last argument is, of course, the machine running OpenSSH that you're connecting to. It need not be the machine running Dante, but it likely will be. For more fun with OpenSSH tunneling you can read my VNC over SSH article.
Links and Useful Resources
- Extremely outdated information on configuring NEC's SOCKS proxy
- The Dante proxy server
Copyright and Revision Information
09-16-03 - Initial Draft
09-30-03 - Corrected information about the external directive accepting an interface
02-09-05 - Added information about using OpenSSH for SOCKS proxy emulation
This document is copyright (c) Jason Boxman, 2003-2005. All rights reserved.