Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # $Id: sockd.conf,v 1.43 2005/12/26 16:35:26 michaels Exp $
- #
- # A sample danted.conf
- #
- #
- # The configfile is divided into three parts;
- # 1) serversettings
- # 2) rules
- # 3) routes
- #
- # The recommended order is:
- # Serversettings:
- # logoutput
- # internal
- # external
- # method
- # clientmethod
- # users
- # compatibility
- # extension
- # connecttimeout
- # iotimeout
- # srchost
- #
- # Rules:
- # client block/pass
- # from to
- # libwrap
- # log
- #
- # block/pass
- # from to
- # method
- # command
- # libwrap
- # log
- # protocol
- # proxyprotocol
- #
- # Routes:
- # the server will log both via syslog, to stdout and to /var/log/lotsoflogs
- #logoutput: syslog stdout /var/log/lotsoflogs
- #logoutput: syslog /var/log/danted.logs
- # The server will bind to the address 10.1.1.1, port 1080 and will only
- # accept connections going to that address.
- #internal: 10.1.1.1 port = 1080
- # Alternatively, the interface name can be used instead of the address.
- #
- #internal: eth0 port = 1080
- logoutput: stderr
- internal: port=1080
- # all outgoing connections from the server will use the IP address
- # 195.168.1.1
- #i
- #external:
- #192.168.1.1
- external:
- # list over acceptable methods, order of preference.
- # A method not set here will never be selected.
- #
- # If the method field is not set in a rule, the global
- # method is filled in for that rule.
- #socksmethod: username
- #
- #method: username
- # methods for socks-rules.
- #method: username none #rfc931
- # methods for client-rules.
- #clientmethod: none
- #or if you want to allow rfc931 (ident) too
- #method: username rfc931 none
- #or for PAM authentification
- #method: pam
- #
- # An important section, pay attention.
- #
- # when doing something that can require privilege, it will use the
- # userid:
- #user.privileged: root
- # when running as usual, it will use the unprivileged userid of:
- #user.notprivileged: nobody
- # If you compiled with libwrap support, what userid should it use
- # when executing your libwrap commands? "libwrap".
- #user.libwrap: nobody
- #
- # some options to help clients with compatibility:
- #
- # when a client connection comes in the socksserver will try to use
- # the same port as the client is using, when the socksserver
- # goes out on the clients behalf (external: IP address).
- # If this option is set, Dante will try to do it for reserved ports aswell.
- # This will usually require user.privileged to be set to "root".
- #compatibility: sameport
- # If you are using the bind extension and have trouble running servers
- # via the server, you might try setting this. The consequences of it
- # are unknown.
- #compatibility: reuseaddr
- #
- # The Dante server supports some extensions to the socks protocol.
- # These require that the socks client implements the same extension and
- # can be enabled using the "extension" keyword.
- #
- # enable the bind extension.
- #extension: bind
- #
- #
- # misc options.
- #
- # how many seconds can pass from when a client connects til it has
- # sent us it's request? Adjust according to your network performance
- # and methods supported.
- #connecttimeout: 30 # on a lan, this should be enough if method is "none".
- # how many seconds can the client and it's peer idle without sending
- # any data before we dump it? Unless you disable tcp keep-alive for
- # some reason, it's probably best to set this to 0, which is
- # "forever".
- #iotimeout: 0 # or perhaps 86400, for a day.
- # do you want to accept connections from addresses without
- # dns info? what about addresses having a mismatch in dnsinfo?
- #srchost: nounknown nomismatch
- #
- # The actual rules. There are two kinds and they work at different levels.
- #
- # The rules prefixed with "client" are checked first and say who is allowed
- # and who is not allowed to speak/connect to the server. I.e the
- # ip range containing possibly valid clients.
- # It is especially important that these only use IP addresses, not hostnames,
- # for security reasons.
- #
- # The rules that do not have a "client" prefix are checked later, when the
- # client has sent its request and are used to evaluate the actual
- # request.
- #
- # The "to:" in the "client" context gives the address the connection
- # is accepted on, i.e the address the socksserver is listening on, or
- # just "0.0.0.0/0" for any address the server is listening on.
- #
- # The "to:" in the non-"client" context gives the destination of the clients
- # socksrequest.
- #
- # "from:" is the source address in both contexts.
- #
- # the "client" rules. All our clients come from the net 10.0.0.0/8.
- #
- # Allow our clients, also provides an example of the port range command.
- #client pass {
- # from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0
- # log: error
- #method: rfc931 # match all idented users that also are in passwordfile
- #}
- #socks pass {
- # from: 0.0.0.0/0 to: 0.0.0.0/0
- # command: connect
- # log: error
- # method: username
- #}
- # This is identical to above, but allows clients without a rfc931 (ident)
- # too. In practise this means the socksserver will try to get a rfc931
- # reply first (the above rule), if that fails, it tries this rule.
- #client pass {
- # from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
- #}
- #client pass {
- #from: 0.0.0.0/0 to: 0.0.0.0/0
- #log: connect disconnect iooperation
- #}
- #pass {
- #from: 0.0.0.0/0 to: 0.0.0.0/0
- #command: connect udpassociate
- #log: connect disconnect iooperation
- #}
- # drop everyone else as soon as we can and log the connect, they are not
- # on our net and have no business connecting to us. This is the default
- # but if you give the rule yourself, you can specify details.
- #client block {
- # from: 0.0.0.0/0 to: 0.0.0.0/0
- # log: connect error
- #}
- # the rules controlling what clients are allowed what requests
- #
- # you probably don't want people connecting to loopback addresses,
- # who knows what could happen then.
- #block {
- # from: 0.0.0.0/0 to: 127.0.0.0/8
- # log: connect error
- #}
- # the people at the 172.16.0.0/12 are bad, no one should talk to them.
- # log the connect request and also provide an example on how to
- # interact with libwrap.
- #block {
- # from: 0.0.0.0/0 to: 172.16.0.0/12
- # libwrap: spawn finger @%a
- # log: connect error
- #}
- # unless you need it, you could block any bind requests.
- #block {
- # from: 0.0.0.0/0 to: 0.0.0.0/0
- # command: bind
- # log: connect error
- #}
- # or you might want to allow it, for instance "active" ftp uses it.
- # Note that a "bindreply" command must also be allowed, it
- # should usually by from "0.0.0.0/0", i.e if a client of yours
- # has permission to bind, it will also have permission to accept
- # the reply from anywhere.
- #pass {
- # from: 10.0.0.0/8 to: 0.0.0.0/0
- # command: bind
- # log: connect error
- #}
- # some connections expect some sort of "reply", this might be
- # the reply to a bind request or it may be the reply to a
- # udppacket, since udp is packetbased.
- # Note that nothing is done to verify that it's a "genuine" reply,
- # that is in general not possible anyway. The below will allow
- # all "replies" in to your clients at the 10.0.0.0/8 net.
- #pass {
- # from: 0.0.0.0/0 to: 10.0.0.0/8
- # command: bindreply udpreply
- # log: connect error
- #}
- # pass any http connects to the example.com domain if they
- # authenticate with username.
- # This matches "example.com" itself and everything ending in ".example.com".
- #pass {
- # from: 10.0.0.0/8 to: .example.com port = http
- # log: connect error
- # method: username
- #}
- # block any other http connects to the example.com domain.
- #block {
- # from: 0.0.0.0/0 to: .example.com port = http
- # log: connect error
- #}
- # everyone from our internal network, 10.0.0.0/8 is allowed to use
- # tcp and udp for everything else.
- #pass {
- # from: 10.0.0.0/8 to: 0.0.0.0/0
- # protocol: tcp udp
- #}
- # last line, block everyone else. This is the default but if you provide
- # one yourself you can specify your own logging/actions
- #block {
- # from: 0.0.0.0/0 to: 0.0.0.0/0
- # log: connect error
- #}
- #client pass { from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0 }
- #pass { from: 0.0.0.0/0 to: 0.0.0.0/0 protocol: tcp udp }
- # route all http connects via an upstream socks server, aka "server-chaining".
- #route {
- # from: 10.0.0.0/8 to: 0.0.0.0/0 port = http via: socks.example.net port = socks
- #}
- clientmethod: none
- method: username none
- user.privileged: proxy
- user.notprivileged: nobody
- user.libwrap: nobody
- connecttimeout: 60
- iotimeout: 3600
- client pass {
- from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0
- }
- # Block connection to private networks
- block {
- from: 0.0.0.0/0 to: 127.0.0.0/8
- log: connect error
- protocol: tcp udp
- }
- #block {
- # from: 0.0.0.0/0 to: 192.168.0.0/16
- # log: connect error
- # protocol: tcp udp
- #}
- # Allow connections to Telegram networks
- pass {
- from: 0.0.0.0/0 to: 91.108.4.0/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 91.108.56.0/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 109.239.140.0/24
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 149.154.164.0/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 149.154.168.0/21
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 149.154.163.0/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 184.173.146.95/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 184.173.145.235/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 50.97.46.113/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 75.125.38.3/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 50.22.234.250/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 50.97.37.240/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 149.154.163.40/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 149.154.165.120/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 149.154.163.40/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 128.72.41.244/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 52.90.187.159/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- pass {
- from: 0.0.0.0/0 to: 92.255.241.100/22
- command: bind connect udpassociate
- log: error
- protocol: tcp udp
- }
- # Block other connections
- block {
- from: 0.0.0.0/0 to: 0.0.0.0/0
- log: connect error
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement