sockd代理部署配置教程

基本环境

Ubuntu 20.04 操作系统，软件包名为 dante-server（apt 中的包名，即下文安装命令所用；安装后对应的 systemd 服务名为 danted）

更新apt

 

root@swyjy-sockd:~# apt update 
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [128 kB]
Get:2 http://nova.clouds.archive.ubuntu.com/ubuntu focal InRelease [265 kB]               
Get:3 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [3357 kB]      
Get:4 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates InRelease [128 kB]
Get:5 http://nova.clouds.archive.ubuntu.com/ubuntu focal-backports InRelease [128 kB]
Get:6 http://nova.clouds.archive.ubuntu.com/ubuntu focal/universe amd64 Packages [8628 kB]
Get:7 http://security.ubuntu.com/ubuntu focal-security/main Translation-en [490 kB]
Get:8 http://security.ubuntu.com/ubuntu focal-security/main amd64 c-n-f Metadata [14.3 kB]  
Get:9 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [3343 kB]   
Get:10 http://security.ubuntu.com/ubuntu focal-security/restricted Translation-en [468 kB]  
Get:11 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 c-n-f Metadata [548 B]  
Get:12 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [1031 kB]         
Get:13 http://security.ubuntu.com/ubuntu focal-security/universe Translation-en [218 kB]      
Get:14 http://security.ubuntu.com/ubuntu focal-security/universe amd64 c-n-f Metadata [21.4 kB] 
Get:15 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [24.8 kB]    
Get:16 http://security.ubuntu.com/ubuntu focal-security/multiverse Translation-en [5968 B]  
Get:17 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 c-n-f Metadata [540 B]   
Get:18 http://nova.clouds.archive.ubuntu.com/ubuntu focal/universe Translation-en [5124 kB]
Get:19 http://nova.clouds.archive.ubuntu.com/ubuntu focal/universe amd64 c-n-f Metadata [265 kB]
Get:20 http://nova.clouds.archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [144 kB]
Get:21 http://nova.clouds.archive.ubuntu.com/ubuntu focal/multiverse Translation-en [104 kB]
Get:22 http://nova.clouds.archive.ubuntu.com/ubuntu focal/multiverse amd64 c-n-f Metadata [9136 B]
Get:23 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [3735 kB]
Get:24 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/main Translation-en [570 kB]
Get:25 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/main amd64 c-n-f Metadata [17.8 kB]
Get:26 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [3493 kB]
Get:27 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/restricted Translation-en [488 kB]                          
Get:28 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/restricted amd64 c-n-f Metadata [548 B]                     
Get:29 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1253 kB]                           
Get:30 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/universe Translation-en [300 kB]                            
Get:31 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/universe amd64 c-n-f Metadata [28.3 kB]                     
Get:32 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [27.9 kB]                         
Get:33 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/multiverse Translation-en [7968 B]                          
Get:34 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 c-n-f Metadata [612 B]                     
Get:35 http://nova.clouds.archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [45.7 kB]                             
Get:36 http://nova.clouds.archive.ubuntu.com/ubuntu focal-backports/main Translation-en [16.3 kB]                             
Get:37 http://nova.clouds.archive.ubuntu.com/ubuntu focal-backports/main amd64 c-n-f Metadata [1420 B]                        
Get:38 http://nova.clouds.archive.ubuntu.com/ubuntu focal-backports/restricted amd64 c-n-f Metadata [116 B]                   
Get:39 http://nova.clouds.archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [25.0 kB]                         
Get:40 http://nova.clouds.archive.ubuntu.com/ubuntu focal-backports/universe Translation-en [16.3 kB]                         
Get:41 http://nova.clouds.archive.ubuntu.com/ubuntu focal-backports/universe amd64 c-n-f Metadata [880 B]                     
Get:42 http://nova.clouds.archive.ubuntu.com/ubuntu focal-backports/multiverse amd64 c-n-f Metadata [116 B]                   
Fetched 33.9 MB in 9s (3838 kB/s)                                                                                             
Reading package lists... Done
Building dependency tree   
Reading state information... Done
104 packages can be upgraded. Run 'apt list --upgradable' to see them.

apt升级

root@swyjy-sockd:~# apt upgrade 
Reading package lists... Done
Building dependency tree   
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  linux-headers-5.4.0-204 linux-headers-5.4.0-204-generic linux-image-5.4.0-204-generic linux-modules-5.4.0-204-generic
  python3-packaging python3-pyparsing
The following packages will be upgraded:
  apparmor bind9-dnsutils bind9-host bind9-libs bsdutils busybox-initramfs busybox-static ca-certificates cloud-init cpio curl
  distro-info-data e2fsprogs fdisk git git-man klibc-utils kpartx krb5-locales landscape-common less libapparmor1 libarchive13
  libblkid1 libc-bin libc6 libcom-err2 libcurl3-gnutls libcurl4 libexpat1 libext2fs2 libfdisk1 libglib2.0-0 libglib2.0-bin
  libglib2.0-data libgnutls30 libgssapi-krb5-2 libgstreamer1.0-0 libk5crypto3 libklibc libkrb5-3 libkrb5support0 libmount1
  libnetplan0 libnghttp2-14 libnspr4 libnss-systemd libnss3 libpam-systemd libpcap0.8 libpython3.8 libpython3.8-minimal
  libpython3.8-stdlib libsmartcols1 libsoup2.4-1 libss2 libssl1.1 libsystemd0 libtss2-esys0 libudev1 libuuid1
  linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual locales logsave mount multipath-tools nano
  netplan.io openssl python3-configobj python3-idna python3-jinja2 python3-pkg-resources python3-setuptools python3-twisted
  python3-twisted-bin python3-update-manager python3-urllib3 python3-zipp python3.8 python3.8-minimal shim-signed snapd sosreport
  systemd systemd-sysv systemd-timesyncd tzdata ubuntu-advantage-tools ubuntu-pro-client ubuntu-pro-client-l10n udev
  update-manager-core util-linux uuid-runtime vim vim-common vim-runtime vim-tiny wget xxd
104 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
71 standard LTS security updates
Need to get 118 MB of archives.
After this operation, 189 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
...
Running hooks in /etc/ca-certificates/update.d...
done.

安装sockd

root@swyjy-sockd:~# apt install -y dante-server
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following NEW packages will be installed:
  dante-server
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 368 kB of archives.
After this operation, 1021 kB of additional disk space will be used.
Get:1 http://nova.clouds.archive.ubuntu.com/ubuntu focal/universe amd64 dante-server amd64 1.4.2+dfsg-7build1 [368 kB]
Fetched 368 kB in 2s (196 kB/s)   
Selecting previously unselected package dante-server.
(Reading database ... 95254 files and directories currently installed.)
Preparing to unpack .../dante-server_1.4.2+dfsg-7build1_amd64.deb ...
Unpacking dante-server (1.4.2+dfsg-7build1) ...
Setting up dante-server (1.4.2+dfsg-7build1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/danted.service → /lib/systemd/system/danted.service.
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for systemd (245.4-4ubuntu3.24) ...

配置sockd开机启动

root@swyjy-sockd:~# systemctl enable danted
Synchronizing state of danted.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable danted

查看sockd状态

root@swyjy-sockd:~# systemctl status danted.service 
● danted.service - SOCKS (v4 and v5) proxy daemon (danted)
     Loaded: loaded (/lib/systemd/system/danted.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2025-01-08 02:06:35 UTC; 5min ago
       Docs: man:danted(8)
             man:danted.conf(5)
   Main PID: 35097 (code=exited, status=1/FAILURE)

Jan 08 02:06:35 swyjy-sockd systemd[1]: Starting SOCKS (v4 and v5) proxy daemon (danted)...
Jan 08 02:06:35 swyjy-sockd systemd[1]: Started SOCKS (v4 and v5) proxy daemon (danted).
Jan 08 02:06:35 swyjy-sockd danted[35097]: Jan  8 02:06:35 (1736301995.605111) danted[35097]: warning: checkconfig(): no socks authentication methods enable>
Jan 08 02:06:35 swyjy-sockd danted[35097]: Jan  8 02:06:35 (1736301995.605501) danted[35097]: error: checkconfig(): no internal address given for server to >
Jan 08 02:06:35 swyjy-sockd danted[35097]: Jan  8 02:06:35 (1736301995.605582) danted[35097]: alert: mother[1/1]: shutting down
Jan 08 02:06:35 swyjy-sockd systemd[1]: danted.service: Main process exited, code=exited, status=1/FAILURE
Jan 08 02:06:35 swyjy-sockd systemd[1]: danted.service: Failed with result 'exit-code'.
lines 1-14/14 (END)

没有启动成功：日志提示未启用任何 socks 认证方式（warning），并且没有给服务器指定 internal 监听地址（error），因此进程直接退出。接下来我们进行简易配置

dante的缺省配置

root@swyjy-sockd:~# more /etc/danted.conf 
# $Id: sockd.conf,v 1.52.10.2.2.2 2017/01/31 07:16:25 karls Exp $
#
# A sample danted.conf
#
#
# The config file is divided into three parts;
#    1) server settings
#    2) rules
#    3) routes
#
# The recommended order is:
#   Server settings:
#               logoutput
#               internal
#               external
#               socksmethod
#               clientmethod
#               users
#               compatibility
#               extension
#               timeout
#               srchost
#
#  Rules:
#        client block/pass
#                from to
#                libwrap
#                log
#
#     block/pass
#                from to
#                socksmethod
#                command
#                libwrap
#                log
#                protocol
#                proxyprotocol
#
#  Routes:
# the server will log both via syslog, to stdout and to /var/log/sockd.log
#logoutput: syslog stdout /var/log/sockd.log
logoutput: stderr
# The server will bind to the address 10.1.1.1, port 1080 and will only
# accept connections going to that address.
#internal: 10.1.1.1 port = 1080
# Alternatively, the interface name can be used instead of the address.
#internal: eth0 port = 1080
# all outgoing connections from the server will use the IP address
# 195.168.1.1
#external: 192.168.1.1
# list over acceptable authentication methods, order of preference.
# An authentication method not set here will never be selected.
#
# If the socksmethod field is not set in a rule, the global
# socksmethod is filled in for that rule.
#
# methods for socks-rules.
#socksmethod: username none #rfc931
# methods for client-rules.
#clientmethod: none
#or if you want to allow rfc931 (ident) too
#socksmethod: username rfc931 none
#or for PAM authentication
#socksmethod: pam
#
# User identities, an important section.
#
# when doing something that can require privilege, it will use the
# userid:
user.privileged: proxy
# when running as usual, it will use the unprivileged userid of:
user.unprivileged: nobody
# If you are not using libwrap, no need for the below line, so leave
# it commented.
# If you compiled with libwrap support, what userid should it use
# when executing your libwrap commands?  "libwrap".
#user.libwrap: libwrap
user.libwrap: nobody
#
# Some options to help clients with compatibility:
#
# when a client connection comes in the socks server will try to use
# the same port as the client is using, when the socks server
# goes out on the clients behalf (external: IP address).
# If this option is set, Dante will try to do it for reserved ports as well.
# This will usually require user.privileged to be set to "root".
#compatibility: sameport
# If you are using the Inferno Nettverk bind extension and have trouble
# running servers via the server, you might try setting this.
#compatibility: reuseaddr
#
# The Dante server supports some extensions to the socks protocol.
# These require that the socks client implements the same extension and
# can be enabled using the "extension" keyword.
#
# enable the bind extension.
#extension: bind
#
# Misc options.
#
# how many seconds can pass from when a client connects till it has
# sent us its request?  Adjust according to your network performance
# and methods supported.
#timeout.negotiate: 30   # on a lan, this should be enough.
# how many seconds can the client and its peer idle without sending
# any data before we dump it?  Unless you disable tcp keep-alive for
# some reason, it's probably best to set this to 0, which is
# "forever".
#timeout.io: 0 # or perhaps 86400, for a day.
# do you want to accept connections from addresses without
# dns info?  what about addresses having a mismatch in dns info?
#srchost: nodnsunknown nodnsmismatch
#
# The actual rules.  There are two kinds and they work at different levels.
#
# The rules prefixed with "client" are checked first and say who is allowed
# and who is not allowed to speak/connect to the server.  I.e the
# ip range containing possibly valid clients.
# It is especially important that these only use IP addresses, not hostnames,
# for security reasons.
#
# The rules that do not have a "client" prefix are checked later, when the
# client has sent its request and are used to evaluate the actual
# request.
#
# The "to:" in the "client" context gives the address the connection
# is accepted on, i.e the address the socks server is listening on, or
# just "0.0.0.0/0" for any address the server is listening on.
#
# The "to:" in the non-"client" context gives the destination of the clients
# socks request.
#
# "from:" is the source address in both contexts.
#
#
# The "client" rules.  All our clients come from the net 10.0.0.0/8.
#
# Allow our clients, also provides an example of the port range command.
#client pass {
#        from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
#        clientmethod: rfc931 # match all idented users that also are in passwordfile
#}
# This is identical to above, but allows clients without a rfc931 (ident)
# too.  In practice this means the socks server will try to get a rfc931
# reply first (the above rule), if that fails, it tries this rule.
#client pass {
#        from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
#}
# drop everyone else as soon as we can and log the connect, they are not
# on our net and have no business connecting to us.  This is the default
# but if you give the rule yourself, you can specify details.
#client block {
#        from: 0.0.0.0/0 to: 0.0.0.0/0
#        log: connect error
#}
# the rules controlling what clients are allowed what requests
#
# you probably don't want people connecting to loopback addresses,
# who knows what could happen then.
#socks block {
#        from: 0.0.0.0/0 to: lo0
#        log: connect error
#}
# the people at the 172.16.0.0/12 are bad, no one should talk to them.
# log the connect request and also provide an example on how to
# interact with libwrap.
#socks block {
#        from: 0.0.0.0/0 to: 172.16.0.0/12
#        libwrap: spawn finger @%a
#        log: connect error
#}
# unless you need it, you could block any bind requests.
#socks block {
#        from: 0.0.0.0/0 to: 0.0.0.0/0
#        command: bind
#        log: connect error
#}
# or you might want to allow it, for instance "active" ftp uses it.
# Note that a "bindreply" command must also be allowed, it
# should usually by from "0.0.0.0/0", i.e if a client of yours
# has permission to bind, it will also have permission to accept
# the reply from anywhere.
#socks pass {
#        from: 10.0.0.0/8 to: 0.0.0.0/0
#        command: bind
#        log: connect error
#}
# some connections expect some sort of "reply", this might be
# the reply to a bind request or it may be the reply to a
# udppacket, since udp is packet based.
# Note that nothing is done to verify that it's a "genuine" reply,
# that is in general not possible anyway.  The below will allow
# all "replies" in to your clients at the 10.0.0.0/8 net.
#socks pass {
#        from: 0.0.0.0/0 to: 10.0.0.0/8
#        command: bindreply udpreply
#        log: connect error
#}
# pass any http connects to the example.com domain if they
# authenticate with username.
# This matches "example.com" itself and everything ending in ".example.com".
#socks pass {
#        from: 10.0.0.0/8 to: .example.com port = http
#        log: connect error
#        clientmethod: username
#}
# block any other http connects to the example.com domain.
#socks block {
#        from: 0.0.0.0/0 to: .example.com port = http
#        log: connect error
#}
# everyone from our internal network, 10.0.0.0/8 is allowed to use
# tcp and udp for everything else.
#socks pass {
#        from: 10.0.0.0/8 to: 0.0.0.0/0
#        protocol: tcp udp
#}
# last line, block everyone else.  This is the default but if you provide
# one  yourself you can specify your own logging/actions
#socks block {
#        from: 0.0.0.0/0 to: 0.0.0.0/0
#        log: connect error
#}
# route all http connects via an upstream socks server, aka "server-chaining".
#route {
# from: 10.0.0.0/8 to: 0.0.0.0/0 port = http via: socks.example.net port = socks
#}

备份sockd缺省配置

root@swyjy-sockd:~# cp /etc/danted.conf /etc/danted.conf.bak
root@swyjy-sockd:/etc# ls | grep dant
danted.conf
danted.conf.bak
root@swyjy-sockd:~# vim /etc/danted.conf 

基于缺省配置进行具体的环境配置

请根据实际情况进行配置：以下是完整的配置文件，可整体拷贝到您的 /etc/danted.conf 中；相对缺省配置有改动的地方已用中文备注，其中的 IP、端口和客户端网段请替换为您自己的值

# $Id: sockd.conf,v 1.52.10.2.2.2 2017/01/31 07:16:25 karls Exp $
#
# A sample danted.conf
#
#
# The config file is divided into three parts;
#    1) server settings
#    2) rules
#    3) routes
#
# The recommended order is:
#   Server settings:
#               logoutput
#               internal
#               external
#               socksmethod
#               clientmethod
#               users
#               compatibility
#               extension
#               timeout
#               srchost
#
#  Rules:
#        client block/pass
#                from to
#                libwrap
#                log
#
#     block/pass
#                from to
#                socksmethod
#                command
#                libwrap
#                log
#                protocol
#                proxyprotocol
#
#  Routes:
# the server will log both via syslog, to stdout and to /var/log/sockd.log
#日志输出配置：同时写到 syslog、标准输出和 /var/log/sockd.log；下方规则里 log: connect error 产生的连接/错误记录也通过这里输出
logoutput: syslog stdout /var/log/sockd.log
#logoutput: stderr
# The server will bind to the address 10.1.1.1, port 1080 and will only
# accept connections going to that address.
#配置代理监听的 IP 及端口（internal 是服务器接受客户端连接的地址）。本例服务器 IP 为 192.168.57.148，端口为 55555；该端口应只对下方 client 规则放行的客户端网段开放（例如用防火墙限制），避免暴露到公网
internal: 192.168.57.148 port = 55555
# Alternatively, the interface name can be used instead of the address.
#也可以用网卡名代替 IP 来指定监听地址和端口（本例使用上面的 IP 形式，此行保持注释）
#internal: ens3 port = 55555
# all outgoing connections from the server will use the IP address
# 195.168.1.1
#external 是代理替客户端向外发起连接时使用的源 IP，本例与监听地址相同，均为 192.168.57.148
external: 192.168.57.148
# list over acceptable authentication methods, order of preference.
# An authentication method not set here will never be selected.
#
# If the socksmethod field is not set in a rule, the global
# socksmethod is filled in for that rule.
#
# methods for socks-rules.
#配置 socks 认证方式为 username（用系统账号和密码认证，对应文末新建的用户）；这里没有同时列出 none，所以未通过认证的客户端无法使用代理
socksmethod: username
#socksmethod: username none #rfc931
# methods for client-rules.
#clientmethod: none
#or if you want to allow rfc931 (ident) too
#socksmethod: username rfc931 none
#or for PAM authentication
#socksmethod: pam
#
# User identities, an important section.
#
# when doing something that can require privilege, it will use the
# userid:
#执行需要特权的操作时使用 root 身份（username 认证需要读取系统密码库 /etc/shadow，缺省的 proxy 用户通常无此权限，因此这里改为 root）；日常处理连接仍以下方 user.unprivileged 指定的 nobody 身份运行
user.privileged: root
# when running as usual, it will use the unprivileged userid of:
user.unprivileged: nobody
# If you are not using libwrap, no need for the below line, so leave
# it commented.
# If you compiled with libwrap support, what userid should it use
# when executing your libwrap commands?  "libwrap".
#user.libwrap: libwrap
user.libwrap: nobody
#
# Some options to help clients with compatibility:
#
# when a client connection comes in the socks server will try to use
# the same port as the client is using, when the socks server
# goes out on the clients behalf (external: IP address).
# If this option is set, Dante will try to do it for reserved ports as well.
# This will usually require user.privileged to be set to "root".
#compatibility: sameport
# If you are using the Inferno Nettverk bind extension and have trouble
# running servers via the server, you might try setting this.
#compatibility: reuseaddr
#
# The Dante server supports some extensions to the socks protocol.
# These require that the socks client implements the same extension and
# can be enabled using the "extension" keyword.
#
# enable the bind extension.
#extension: bind
#
# Misc options.
#
# how many seconds can pass from when a client connects till it has
# sent us its request?  Adjust according to your network performance
# and methods supported.
#timeout.negotiate: 30   # on a lan, this should be enough.
# how many seconds can the client and its peer idle without sending
# any data before we dump it?  Unless you disable tcp keep-alive for
# some reason, it's probably best to set this to 0, which is
# "forever".
#timeout.io: 0 # or perhaps 86400, for a day.
# do you want to accept connections from addresses without
# dns info?  what about addresses having a mismatch in dns info?
#srchost: nodnsunknown nodnsmismatch
#
# The actual rules.  There are two kinds and they work at different levels.
#
# The rules prefixed with "client" are checked first and say who is allowed
# and who is not allowed to speak/connect to the server.  I.e the
# ip range containing possibly valid clients.
# It is especially important that these only use IP addresses, not hostnames,
# for security reasons.
#
# The rules that do not have a "client" prefix are checked later, when the
# client has sent its request and are used to evaluate the actual
# request.
#
# The "to:" in the "client" context gives the address the connection
# is accepted on, i.e the address the socks server is listening on, or
# just "0.0.0.0/0" for any address the server is listening on.
#
# The "to:" in the non-"client" context gives the destination of the clients
# socks request.
#
# "from:" is the source address in both contexts.
#
#
# The "client" rules.  All our clients come from the net 10.0.0.0/8.
#
# Allow our clients, also provides an example of the port range command.
#client pass {
#        from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
#        clientmethod: rfc931 # match all idented users that also are in passwordfile
#}
# This is identical to above, but allows clients without a rfc931 (ident)
# too.  In practice this means the socks server will try to get a rfc931
# reply first (the above rule), if that fails, it tries this rule.
#client 白名单：只允许来自 10.0.0.0/8 的客户端连接到代理，并记录连接和错误。请改为您实际的客户端网段——注意本例并未放行 192.168.0.0/16 的客户端，来自该网段的连接会被默认规则拒绝
client pass {
from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
log: connect error
}
# drop everyone else as soon as we can and log the connect, they are not
# on our net and have no business connecting to us.  This is the default
# but if you give the rule yourself, you can specify details.
#client block {
#        from: 0.0.0.0/0 to: 0.0.0.0/0
#        log: connect error
#}
# the rules controlling what clients are allowed what requests
#
# you probably don't want people connecting to loopback addresses,
# who knows what could happen then.
#socks block {
#        from: 0.0.0.0/0 to: lo0
#        log: connect error
#}
# the people at the 172.16.0.0/12 are bad, no one should talk to them.
# log the connect request and also provide an example on how to
# interact with libwrap.
#socks block {
#        from: 0.0.0.0/0 to: 172.16.0.0/12
#        libwrap: spawn finger @%a
#        log: connect error
#}
# unless you need it, you could block any bind requests.
#socks block {
#        from: 0.0.0.0/0 to: 0.0.0.0/0
#        command: bind
#        log: connect error
#}
# or you might want to allow it, for instance "active" ftp uses it.
# Note that a "bindreply" command must also be allowed, it
# should usually by from "0.0.0.0/0", i.e if a client of yours
# has permission to bind, it will also have permission to accept
# the reply from anywhere.
#socks pass {
#        from: 10.0.0.0/8 to: 0.0.0.0/0
#        command: bind
#        log: connect error
#}
# some connections expect some sort of "reply", this might be
# the reply to a bind request or it may be the reply to a
# udppacket, since udp is packet based.
# Note that nothing is done to verify that it's a "genuine" reply,
# that is in general not possible anyway.  The below will allow
# all "replies" in to your clients at the 10.0.0.0/8 net.
#socks pass {
#        from: 0.0.0.0/0 to: 10.0.0.0/8
#        command: bindreply udpreply
#        log: connect error
#}
# pass any http connects to the example.com domain if they
# authenticate with username.
# This matches "example.com" itself and everything ending in ".example.com".
#socks pass {
#        from: 10.0.0.0/8 to: .example.com port = http
#        log: connect error
#        clientmethod: username
#}
# block any other http connects to the example.com domain.
#socks block {
#        from: 0.0.0.0/0 to: .example.com port = http
#        log: connect error
#}
# everyone from our internal network, 10.0.0.0/8 is allowed to use
# tcp and udp for everything else.
#socks 白名单：允许 10.0.0.0/8 的客户端通过代理以 tcp/udp 访问 192.168.0.0/16 内的目标，并记录连接和错误；目标网段以外的请求交由下方的 block 规则拒绝
socks pass {
from: 10.0.0.0/8 to: 192.168.0.0/16
protocol: tcp udp
log: connect error
}
# last line, block everyone else.  This is the default but if you provide
# one  yourself you can specify your own logging/actions
#socks 默认拒绝：其余所有请求一律拒绝并记录连接和错误（这是缺省行为，显式写出便于自定义日志）
socks block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
# route all http connects via an upstream socks server, aka "server-chaining".
#route {
# from: 10.0.0.0/8 to: 0.0.0.0/0 port = http via: socks.example.net port = socks
#}

新建用户

为代理认证新建一个系统账号（此处用户名 test 仅为示例）：-r 创建系统账号，-s /bin/false 使其没有可用的登录 shell，因此无法交互登录；注意这只是禁用了 shell，账号密码仍是系统密码，可被 sshd 等其他服务用于认证，如需彻底禁止远程登录还应在 sshd 配置中拒绝该用户（如 DenyUsers）。随后用 passwd 设置代理登录密码，最后执行 systemctl restart danted 并再次查看 systemctl status danted 确认服务正常运行

# Create a system account (-r/--system: no home directory is created) with a
# shell that cannot be used interactively, so it exists only for the proxy's
# username authentication.  Long-option spelling of `useradd -r -s /bin/false test`.
sudo useradd --system --shell /bin/false test
# Set the password clients will present to the proxy (prompts interactively).
sudo passwd test

THE END