I tried installing Dante, a SOCKS proxy server, on CentOS 7.
Dante – A free SOCKS server
https://www.inet.no/dante/index.html
RepoForge seems to carry a Dante package for CentOS, so I'll try installing that first.
Welcome to RepoForge!
http://repoforge.org/
- Installing the RepoForge repository
- Checking for the Dante package
```
[root@host01 ~]# rpm -ivh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
Retrieving http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
warning: /var/tmp/rpm-tmp.D7QeKb: Header V3 DSA/SHA1 Signature, key ID 6b8d79e6: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:rpmforge-release-0.5.3-1.el7.rf  ################################# [100%]
[root@host01 ~]# cat /etc/yum.repos.d/rpmforge.repo
### Name: RPMforge RPM Repository for RHEL 7 - dag
### URL: http://rpmforge.net/
[rpmforge]
name = RHEL $releasever - RPMforge.net - dag
baseurl = http://apt.sw.be/redhat/el7/en/$basearch/rpmforge
mirrorlist = http://mirrorlist.repoforge.org/el7/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1

[rpmforge-extras]
name = RHEL $releasever - RPMforge.net - extras
baseurl = http://apt.sw.be/redhat/el7/en/$basearch/extras
mirrorlist = http://mirrorlist.repoforge.org/el7/mirrors-rpmforge-extras
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge-extras
enabled = 0
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1

[rpmforge-testing]
name = RHEL $releasever - RPMforge.net - testing
baseurl = http://apt.sw.be/redhat/el7/en/$basearch/testing
mirrorlist = http://mirrorlist.repoforge.org/el7/mirrors-rpmforge-testing
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge-testing
enabled = 0
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
```
Huh!? So there is no package for CentOS 7 (^^;
Sure enough, looking at the site below, there is no Dante there either.
http://apt.sw.be/redhat/el7/en/x86_64/rpmforge/RPMS/
At present the package only exists up to RHEL 6 / CentOS 6.
One thing worth noticing in the rpm output above: the NOKEY warning means the release package's signature was not verified, because the RepoForge signing key was not yet in the rpm database at that point. The repo file it installs sets gpgcheck = 1 with the bundled key, so packages pulled from the repository afterwards are checked, but the release RPM itself was installed on trust over plain http.
```
[root@ns ~]# yum --enablerepo=rpmforge search all dante
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.iij.ad.jp
 * extras: ftp.iij.ad.jp
 * rpmforge: ftp.kddilabs.jp
 * updates: ftp.iij.ad.jp
Warning: No matches found for: dante
No matches found
```
Giving up at this point would be frustrating, so I decided to install from source.
- Downloading the source
- Extracting
- configure
- TCP Wrappers
- PAM authentication
- configure
- make
- make install
- Creating the configuration file
- Creating the init script
- Registering the init script
- Enabling autostart
- Starting Dante
- Firewall settings
- Verifying operation
```
[root@host01 ~]# curl -O https://www.inet.no/dante/files/dante-1.4.1.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1254k  100 1254k    0     0  86978      0  0:00:14  0:00:14 --:--:-- 94231
```
```
[root@host01 ~]# tar xvfz dante-1.4.1.tar.gz
dante-1.4.1/m4/libtool.m4
dante-1.4.1/m4/ltoptions.m4
dante-1.4.1/m4/ltsugar.m4
(snip)
```
```
[root@host01 ~]# cd dante-1.4.1
[root@host01 dante-1.4.1]# ./configure --help
`configure' configures this package to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/PACKAGE]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

Program names:
  --program-prefix=PREFIX            prepend PREFIX to installed program names
  --program-suffix=SUFFIX            append SUFFIX to installed program names
  --program-transform-name=PROGRAM   run sed PROGRAM on installed program names

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-shared[=PKGS]  build shared libraries [default=yes]
  --enable-static[=PKGS]  build static libraries [default=yes]
  --enable-fast-install[=PKGS]
                          optimize for fast installation [default=yes]
  --disable-dependency-tracking  speeds up one-time build
  --enable-dependency-tracking   do not reject slow dependency extractors
  --disable-libtool-lock  avoid locking (might break parallel builds)
  --enable-silent-rules   less verbose build output (undo: `make V=1')
  --disable-silent-rules  verbose build output (undo: `make V=0')
  --enable-release        build prerelease as full release
  --enable-debug          compile with debugging support
  --enable-livedebug      enable low-overhead debugging mode
  --enable-warnings       show compilation warnings
  --enable-diagnostic     enable diagnostic
  --enable-profiling      compile with profiling support in server
  --enable-coverage       compile with coverage
  --enable-linting        enable lint
  --disable-largefile     omit support for large files
  --disable-client        disable compilation of client library
  --disable-server        disable compilation of server
  --enable-drt-fallback   enable direct route fallback in client [default=disabled]
  --disable-preload       disable preloading in server and client
  --disable-clientdl      disable support for preloading in the client
  --disable-serverdl      disable support for preloading in the server
  --disable-pidfile       disable server pidfile creation
  --disable-libwrap       deprecated, use --without-libwrap
  --enable-libcfail       testing option, enable unreliable libc [default=disabled]

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --with-pic[=PKGS]       try to use only PIC/non-PIC objects [default=use both]
  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
  --with-sysroot=DIR      Search for dependent libraries within DIR
                          (or the compiler's sysroot if not specified).
  --without-glibc-secure  disable libc_enable_secure check [default=detect]
  --with-socks-conf=FILE  change location of socks client configuration file
  --with-sockd-conf=FILE  change location of socks server configuration file
  --without-bsdauth       disable bsdauth support [default=detect]
  --without-full-env      restrictive environment variable usage [default=with]
  --with-libc=NAME        manually set name of c library if necessary
  --with-gssapi-path=PATH specify gssapi path
  --without-gssapi        disable gssapi support
  --with-krb5-config=PATH specify path to krb5-config [default=detect]
  --without-krb5          disable kerberos 5 support [default=detect]
  --with-krb5-path=PATH   specify kerberos 5 path [default=$krb5dir]
  --without-sasl          disable sasl support [default=detect]
  --with-sasl-path=PATH   specify sasl path [default=$sasldir]
  --without-ldap          disable ldap support [default=detect]
  --with-ldap-path=PATH   specify ldap path [default=$ldapdir]
  --without-upnp          disable upnp support [default=detect]
  --with-pidfile=FILE     change location of server pidfile
  --with-iomax=NUMBER     change number of clients per io process
  --with-negmax=NUMBER    change number of clients per negotiate process
  --with-bufsize=NUMBER   change size of data buffers
  --without-libwrap       never use libwrap, even if it is available
  --without-pam           disable pam support [default=detect]

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  LIBS        libraries to pass to the linker, e.g. -l<library>
  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
              you have headers in a nonstandard directory <include dir>
  CPP         C preprocessor
  YACC        The `Yet Another Compiler Compiler' implementation to use.
              Defaults to the first program found out of: `bison -y', `byacc',
              `yacc'.
  YFLAGS      The list of arguments that will be passed by default to $YACC.
              This script will default YFLAGS to the empty string to avoid a
              default value of `-d' given by some make applications.

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

Report bugs to the package provider.
[root@host01 dante-1.4.1]# ./configure
Configuring Dante 1.4.1:
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
(snip)
Configure status:
  Client:        Enabled
  Server:        Enabled
  Preloading:    Enabled
  Libwrap:       Disabled, tcpd.h missing
  BSD Auth:      Disabled, usable bsd_auth.h not found
  PAM:           Disabled, security/pam_appl.h missing
  GSSAPI:        Not found/disabled
  KRB5:          Not found/disabled
  SASL:          Not found/disabled
  UPNP:          Not found/disabled
  Compatability: issetugid setproctitle strlcpy strvis
  Modules:
    redirect:    Not found
    bandwidth:   Not found
    ldap:        Not found
```
TCP Wrappers and PAM authentication are disabled, so let's install the development packages for them first. libwrap lets sockd honour /etc/hosts.allow and /etc/hosts.deny as one more gate in front of the rules in sockd.conf, and PAM makes the PAM-based socksmethods available should we want something other than plain system passwords later.
```
[root@host01 dante-1.4.1]# yum -y install tcp_wrappers-devel
(snip)
Installed:
  tcp_wrappers-devel.x86_64 0:7.6-77.el7

Complete!
```
```
[root@host01 dante-1.4.1]# yum -y install pam-devel
(snip)
Installed:
  pam-devel.x86_64 0:1.1.8-12.el7

Complete!
```
```
[root@host01 dante-1.4.1]# ./configure
Configuring Dante 1.4.1:
checking for a BSD-compatible install... /usr/bin/install -c
(snip)
Configure status:
  Client:        Enabled
  Server:        Enabled
  Preloading:    Enabled
  Libwrap:       Enabled
  BSD Auth:      Disabled, usable bsd_auth.h not found
  PAM:           Enabled
  GSSAPI:        Not found/disabled
  KRB5:          Not found/disabled
  SASL:          Not found/disabled
  UPNP:          Not found/disabled
  Compatability: issetugid setproctitle strlcpy strvis
  Modules:
    redirect:    Not found
    bandwidth:   Not found
    ldap:        Not found
```
```
[root@host01 dante-1.4.1]# make
Making all in include
make[1]: Entering directory `/root/dante-1.4.1/include'
make  all-am
(snip)
make[1]: Nothing to be done for `all-am'.
make[1]: Leaving directory `/root/dante-1.4.1'
```
```
[root@host01 dante-1.4.1]# make install
Making install in include
make[1]: Entering directory `/root/dante-1.4.1/include'
make[2]: Entering directory `/root/dante-1.4.1/include'
(snip)
make[2]: Leaving directory `/root/dante-1.4.1'
make[1]: Leaving directory `/root/dante-1.4.1'
```
```
[root@host01 dante-1.4.1]# vi /etc/sockd.conf
[root@host01 ~]# cat /etc/sockd.conf
internal: eno16777736 port = 1080
external: eno16777736

user.privileged: root
user.unprivileged: nobody

# No authentication at all: anyone who reaches the port and matches a rule may proxy.
socksmethod: none

errorlog: /var/log/sockd.errlog
logoutput: /var/log/sockd.log

# LAN clients only
pass {
        from: 192.168.1.0/24 to: 0.0.0.0/0
        log: error connect # disconnect
}

# Outbound CONNECT to anywhere. No authentication is configured (socksmethod: none),
# so the LAN source restriction above is the only thing gating this rule.
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: connect
        log: error connect # disconnect
}
```
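The config above authenticates nobody: `socksmethod: none` means any host that can reach tcp/1080 and passes the source-address check may use the proxy, so the only gate is the 192.168.1.0/24 restriction (plus the firewalld rule added further down). The following is an added example, not the author's file nor one shipped with Dante, of a stricter sockd.conf for the same host. The interface name and LAN range are taken from the post; the `client` / `socks` rule prefixes are Dante 1.4's explicit spelling for the two rule levels; users are system accounts checked by SOCKS5 username/password (RFC 1929), which is why `user.privileged` stays `root` (sockd needs it to read /etc/shadow).

```conf
# /etc/sockd.conf - added example, not the post's config
internal: eno16777736 port = 1080
external: eno16777736

# root is needed only for the password check; everything else runs as nobody.
user.privileged: root
user.unprivileged: nobody

# Nothing is required at TCP-accept time, but every SOCKS request must carry
# a valid system username/password.
clientmethod: none
socksmethod: username

errorlog: /var/log/sockd.errlog
logoutput: /var/log/sockd.log

# Client rules: who may open a TCP connection to the proxy at all.
client pass {
        from: 192.168.1.0/24 to: 0.0.0.0/0
        log: error connect disconnect
}
client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

# Socks rules: what an authenticated client may ask for. First match wins,
# so refuse proxying back into the LAN before allowing outbound CONNECT;
# BIND and UDP ASSOCIATE are never listed, so they are refused too.
socks block {
        from: 0.0.0.0/0 to: 192.168.1.0/24
        log: connect error
}
socks pass {
        from: 192.168.1.0/24 to: 0.0.0.0/0
        command: connect
        socksmethod: username
        log: error connect disconnect
}
```

With this in place a browser on the LAN is prompted for credentials, a request from any other source never gets past the client rule, and a compromised LAN host cannot use the proxy to reach other LAN machines "from" the proxy's address.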
```sh
[root@host01 dante-1.4.1]# vi /etc/init.d/sockd
[root@host01 ~]# cat /etc/init.d/sockd
#!/bin/sh
### BEGIN INIT INFO
# Provides:          sockd
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start the dante SOCKS server.
# Description:       SOCKS (v4 and v5) proxy server daemon (sockd).
#                    This server allows clients to connect to it and
#                    request proxying of TCP or UDP network traffic
#                    with extensive configuration possibilities.
### END INIT INFO

PID="/var/run/sockd/sockd.pid"
CONFIG="/etc/sockd.conf"

# Source function library.
if [ -f /etc/init.d/functions ] ; then
    . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
    . /etc/rc.d/init.d/functions
else
    exit 1
fi

# Avoid using root's TMPDIR
unset TMPDIR

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 1

# Check that sockd.conf exists.
[ -f ${CONFIG} ] || exit 6

RETVAL=0
OPTIONS="-D -p ${PID} -f ${CONFIG}"

start() {
    KIND="SOCKD"
    echo -n $"Starting $KIND services: "
    # /var/run is a tmpfs on CentOS 7, so the pidfile directory has to be
    # recreated on every boot.
    mkdir -p "$(dirname ${PID})"
    /usr/local/sbin/sockd ${OPTIONS}
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sockd || \
        RETVAL=1
    return $RETVAL
}

stop() {
    KIND="SOCKD"
    echo -n $"Shutting down $KIND services: "
    killproc sockd
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sockd
    return $RETVAL
}

restart() {
    stop
    start
}

rhstatus() {
    status -l sockd sockd
    return $?
}

# Allow status as non-root.
if [ "$1" = status ]; then
    rhstatus
    exit $?
fi

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  status)
    rhstatus
    ;;
  condrestart)
    [ -f /var/lock/subsys/sockd ] && restart || :
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|status|condrestart}"
    exit 2
esac

exit 0
```
I thought the init script was throwing an error, and it turns out /etc/sysconfig/network is empty on CentOS 7. Maybe this file is simply no longer used. With the file empty, `${NETWORKING}` is unquoted and expands to nothing, so the test becomes `[ = "no" ]` and the shell complains about a missing operand.
```sh
[ ${NETWORKING} = "no" ] && exit 1
```
I could just delete that line, but for now I have added the following to /etc/sysconfig/network:
```
NETWORKING=yes
```
```
[root@host01 dante-1.4.1]# chkconfig --add sockd
```
```
[root@host01 dante-1.4.1]# chkconfig sockd on
[root@host01 dante-1.4.1]# chkconfig --list

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sockd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
```
```
[root@host01 ~]# /etc/init.d/sockd start
Starting sockd (via systemctl):                            [  OK  ]
[root@host01 ~]# /etc/init.d/sockd status
yes
sockd.service - LSB: Start the dante SOCKS server.
   Loaded: loaded (/etc/rc.d/init.d/sockd)
   Active: active (running) since Mon 2015-07-26 09:27:19 JST; 6s ago
  Process: 86839 ExecStop=/etc/rc.d/init.d/sockd stop (code=exited, status=0/SUCCESS)
  Process: 86854 ExecStart=/etc/rc.d/init.d/sockd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/sockd.service
           ├─86856 /usr/local/sbin/sockd -D -p /var/run/sockd/sockd.pid -f /e...
           ├─86858 sockd: monitor-child
           ├─86859 sockd: negotiate-child: 0/96
           ├─86860 sockd: request-child: 0/1
           ├─86861 sockd: request-child: 0/1
           ├─86862 sockd: request-child: 0/1
           ├─86863 sockd: request-child: 0/1
           ├─86864 sockd: request-child: 0/1
           ├─86865 sockd: request-child: 0/1
           ├─86866 sockd: request-child: 0/1
           ├─86867 sockd: request-child: 0/1
           ├─86868 sockd: request-child: 0/1
           ├─86869 sockd: request-child: 0/1
           ├─86870 sockd: request-child: 0/1
           ├─86871 sockd: request-child: 0/1
           ├─86872 sockd: request-child: 0/1
           ├─86873 sockd: request-child: 0/1
           ├─86874 sockd: request-child: 0/1
           ├─86875 sockd: request-child: 0/1
           └─86876 sockd: io-child: 0/32 (0 in progress)

Jul 26 09:27:19 host01.rootlinks.net sockd[86854]: yes
Jul 26 09:27:19 host01.rootlinks.net sockd[86854]: Starting SOCKD services:
Jul 26 09:27:19 host01.rootlinks.net systemd[1]: Started LSB: Start the dan...
Hint: Some lines were ellipsized, use -l to show in full.
```
```
[root@host01 dante-1.4.1]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@host01 dante-1.4.1]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="1080" accept'
success
[root@host01 dante-1.4.1]# firewall-cmd --reload
success
[root@host01 dante-1.4.1]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" port port="1080" protocol="tcp" accept
```
Now to verify that it works. The quickest way is to set the SOCKS proxy in Internet Explorer.
If web browsing works through it, we are good. Because the rules carry `log: error connect`, each proxied connection also shows up in /var/log/sockd.log, which is where to confirm that the request really went through sockd rather than directly. The firewalld rule only opens tcp/1080 to 192.168.1.0/24, so a host outside that range should fail to connect at all, independently of what sockd.conf says.
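A command-line check is more repeatable than a browser. The script below is an added example, not from the post or the Dante project: it audits a sockd.conf text for the two weak settings discussed with the configuration above (`socksmethod: none`, and a `pass` rule whose `from:` is 0.0.0.0/0) using two constructed sample configs embedded in the script, and it defines a curl-based probe for a live proxy. The proxy address, URL and credentials given to `check_via_proxy` are placeholders to be replaced with your own.

```sh
#!/bin/sh
# Added example (not the author's script): flag the open-proxy pattern in a
# sockd.conf and probe a running proxy with curl.

# Constructed sample: the rules from the post, with no authentication.
WEAK_CONF='internal: eno16777736 port = 1080
external: eno16777736
socksmethod: none
# LAN client
pass {
    from: 192.168.1.0/24 to: 0.0.0.0/0
    log: error connect # disconnect
}
socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: connect
}'

# Constructed sample: LAN-only pass rules, username auth, block rules may
# legitimately name 0.0.0.0/0 and must not be flagged.
CLEAN_CONF='socksmethod: username
client pass {
    from: 192.168.1.0/24 to: 0.0.0.0/0
}
socks block {
    from: 0.0.0.0/0 to: 192.168.1.0/24
}
socks pass {
    from: 192.168.1.0/24 to: 0.0.0.0/0
    command: connect
}'

# audit_sockd_conf CONFIG_TEXT
# Prints one finding per line; the exit status is the number of findings (0 = clean).
audit_sockd_conf() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = 0; inpass = 0 }
        { sub(/#.*/, "") }                         # ignore comments
        /^[ \t]*socksmethod:[ \t]*none[ \t]*$/ {
            print "socksmethod: none - no SOCKS-level authentication at all"
            n++
        }
        /pass[ \t]*[{]/  { inpass = 1 }            # client pass / socks pass / pass
        /block[ \t]*[{]/ { inpass = 0 }            # block rules are not a finding
        inpass && /from:[ \t]*0\.0\.0\.0\/0/ {
            print "line " NR ": a pass rule accepts from: 0.0.0.0/0"
            n++
        }
        /[}]/ { inpass = 0 }
        END { exit n }'
}

# check_via_proxy PROXY_HOST:PORT URL [USER:PASS]
# Prints the HTTP status code obtained through the SOCKS5 proxy.
# --socks5-hostname lets the proxy resolve the name, so no DNS leaks from the client.
check_via_proxy() {
    if [ -n "$3" ]; then
        curl -sS --max-time 10 --socks5-hostname "$1" --proxy-user "$3" \
             -o /dev/null -w '%{http_code}\n' "$2"
    else
        curl -sS --max-time 10 --socks5-hostname "$1" \
             -o /dev/null -w '%{http_code}\n' "$2"
    fi
}

# Audit both constructed samples; this part never touches the network.
audit_sockd_conf "$WEAK_CONF"  || echo "weak config: $? finding(s)"
audit_sockd_conf "$CLEAN_CONF" && echo "clean config: no findings"
```

Run `check_via_proxy 192.168.1.10:1080 http://example.com/` (placeholder proxy address) from a LAN host and expect a 200; from a host outside 192.168.1.0/24 curl should fail to connect, and with `socksmethod: username` configured the call needs `user:pass` as the third argument or sockd refuses the request. Because the audit's exit status is the number of findings, it drops into a deploy check as `audit_sockd_conf "$(cat /etc/sockd.conf)" || exit 1`.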
The remaining work is logrotate, which I'll skip (^^;
Lately this presbyopic SE has been thinking only about taking the easy way, but building from source once in a while isn't bad (lol)
[References]
Install a SOCKS5 server (Dante) on Debian Wheezy
https://github.com/weheartwebsites/SOCKS5/wiki/Install-a-SOCKS5-server-%28Dante%29-on-Debian-Wheezy