How to use Danted

    I recently noticed that from the dorm, over the campus broadband that China Telecom provides, I can reach hosts inside the campus network. The address I get from Telecom's DHCP is different every time, but in every case I can still reach 192.168.X.X addresses, and those are exactly the campus network's addresses. It looks like a VPN: through it you can reach the other campus resources, such as the library, finance, logistics and so on.

    Telecom's free broadband connection, though, is only 10/100 Mbps, and it is really meant for Shanxun (闪讯) subscribers; the campus-network access described above is just thrown in. You dial a PPPoE connection with a public, shared username and password and land on Telecom's network, where Shanxun users can download the dedicated Shanxun client (a Shanxun account cannot be used directly for PPPoE dial-up) or top up their accounts. Shanxun costs 48 yuan a month, the service is lousy and the price is high, so I don't have it.

    Since the campus network is reachable, the lab's border router must be reachable too. The lab LAN's border router is an old server running Ubuntu. For security it does NAT, and since only outbound access was needed, only SNAT was configured. I first pinged the server's IP successfully, then connected to it over SSH (in hindsight this is itself a weakness: Telnet and SSH to the server from the external interface should be refused), added a DNAT rule in iptables pointing at my own workstation, pinged again, and that got through too. My roommate has a static campus-network IP, so from the dorm he uses mstsc (Remote Desktop) to reach his machine and browses the web through it; so at first I only planned to RDP into my own machine and work from there.

    It turned out, however, that what I mostly did over RDP was just browse the web, and RDP over this 10/100 Mbps link is like watching a slideshow. After some thought I decided a proxy server was the better option: I can browse directly, and without the DNAT the hosts on the LAN are safer as well.

    So first I removed the DNAT, then set up the proxy. The proxy is provided by danted (the Dante SOCKS server), which on Ubuntu is installed with apt-get from the dante-server package. Next comes the configuration; here is the configuration file, danted.conf.

    #
    # A sample danted.conf
    #
    #
    # The configfile is divided into three parts; 
    #    1) serversettings
    #    2) rules
    #    3) routes
    #
    # The recommended order is:
    #   Serversettings:
    #               logoutput
    #               internal
    #               external
    #               method
    #               clientmethod
    #               users
    #               compatibility
    #               extension
    #               connecttimeout
    #               iotimeout
    #		srchost
    #
    #  Rules:
    #		client block/pass
    #		from to
    #		libwrap
    #		log
    #
    #     block/pass
    #		from to
    #		method
    #		command
    #		libwrap
    #		log
    #		protocol
    #		proxyprotocol
    #
    #  Routes: 
    
    # the server will log both via syslog, to stdout and to /var/log/lotsoflogs
    #logoutput: syslog stdout /var/log/lotsoflogs
    logoutput: /var/log/sockd.log
    
    # The server will bind to the address 192.168.152.1 (the campus-facing
    # address), port 6070, and will only accept connections going to that
    # address.  Alternatively, the interface name can be used instead of
    # the address.
    internal: 192.168.152.1 port = 6070
    
    # all outgoing connections from the server will use the IP address
    external: 192.168.152.1
    
    # list over acceptable methods, order of preference.
    # A method not set here will never be selected.
    #
    # If the method field is not set in a rule, the global
    # method is filled in for that rule.
    #
    
    # methods for socks-rules.
    method: username #rfc931
    
    # methods for client-rules.
    clientmethod: none
    
    #or if you want to allow rfc931 (ident) too
    #method: username rfc931 none
    
    #or for PAM authentication
    #method: pam
    
    #
    # An important section, pay attention.
    #
    
    # when doing something that can require privilege, it will use the
    # userid:
    #user.privileged: root
    
    # when running as usual, it will use the unprivileged userid of:
    user.notprivileged: proxyuser
    
    # If you compiled with libwrap support, what userid should it use
    # when executing your libwrap commands?  "libwrap".
    user.libwrap: nobody
    
    
    #
    # some options to help clients with compatibility:
    #
    
    # when a client connection comes in the socksserver will try to use
    # the same port as the client is using, when the socksserver
    # goes out on the clients behalf (external: IP address).
    # If this option is set, Dante will try to do it for reserved ports as well.
    # This will usually require user.privileged to be set to "root".
    compatibility: sameport
    
    # If you are using the bind extension and have trouble running servers
    # via the server, you might try setting this.  The consequences of it
    # are unknown.
    compatibility: reuseaddr
    
    #
    # The Dante server supports some extensions to the socks protocol.
    # These require that the socks client implements the same extension and
    # can be enabled using the "extension" keyword.
    #
    # enable the bind extension.
    extension: bind
    
    
    #
    #
    # misc options.
    #
    
    # how many seconds can pass from when a client connects till it has
    # sent us its request?  Adjust according to your network performance
    # and methods supported.
    connecttimeout: 30   # on a lan, this should be enough if method is "none".
    
    # how many seconds can the client and its peer idle without sending
    # any data before we dump it?  Unless you disable tcp keep-alive for
    # some reason, it's probably best to set this to 0, which is
    # "forever".
    iotimeout: 1800 # or perhaps 86400, for a day.
    
    # do you want to accept connections from addresses without
    # dns info?  what about addresses having a mismatch in dnsinfo?
    #srchost: nounknown nomismatch
    
    #
    # The actual rules.  There are two kinds and they work at different levels.
    #
    # The rules prefixed with "client" are checked first and say who is allowed
    # and who is not allowed to speak/connect to the server.  I.e the
    # ip range containing possibly valid clients.
    # It is especially important that these only use IP addresses, not hostnames,
    # for security reasons.
    #
    # The rules that do not have a "client" prefix are checked later, when the
    # client has sent its request and are used to evaluate the actual
    # request.
    #
    # The "to:" in the "client" context gives the address the connection
    # is accepted on, i.e the address the socksserver is listening on, or
    # just "0.0.0.0/0" for any address the server is listening on.
    #
    # The "to:" in the non-"client" context gives the destination of the clients
    # socksrequest.
    #
    # "from:" is the source address in both contexts.
    #
    
    
    # the "client" rules.  Unlike the sample file's 10.0.0.0/8, this setup
    # accepts a client connection from any source address.
    #
    
    # Allow clients from the dormitory (any source address, any source port);
    # also provides an example of the port range syntax.
    client pass {
    	from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0
    #	method: rfc931 # match all idented users that also are in passwordfile
    }
    
    # This is identical to above, but allows clients without a rfc931 (ident)
    # too.  In practice this means the socksserver will try to get a rfc931
    # reply first (the above rule), if that fails, it tries this rule.
    #client pass {
    #	from: 10.0.0.0/8 port 1-65535 to: 0.0.0.0/0
    #}
    
    
    # drop everyone else as soon as we can and log the connect, they are not
    # on our net and have no business connecting to us.  This is the default
    # but if you give the rule yourself, you can specify details.
    #client block {
    #	from: 0.0.0.0/0 to: 0.0.0.0/0
    #	log: connect error
    #}
    
    
    # the rules controlling what clients are allowed what requests
    #
    
    # you probably don't want people connecting to loopback addresses,
    # who knows what could happen then.
    #block {
    #	from: 0.0.0.0/0 to: 127.0.0.0/8
    #	log: connect error
    #}
    
    # the people at the 172.16.0.0/12 are bad, no one should talk to them.
    # log the connect request and also provide an example on how to
    # interact with libwrap.
    #block {
    #	from: 0.0.0.0/0 to: 172.16.0.0/12
    #	libwrap: spawn finger @%a
    #	log: connect error
    #}
    
    # unless you need it, you could block any bind requests.
    #block {
    #	from: 0.0.0.0/0 to: 0.0.0.0/0
    #	command: bind
    #	log: connect error
    #}
    
    # or you might want to allow it, for instance "active" ftp uses it.
    # Note that a "bindreply" command must also be allowed, it
    # should usually be from "0.0.0.0/0", i.e if a client of yours
    # has permission to bind, it will also have permission to accept
    # the reply from anywhere.
    #pass {
    #	from: 10.0.0.0/8 to: 0.0.0.0/0
    #	command: bind
    #	log: connect error
    #}
    
    # some connections expect some sort of "reply", this might be
    # the reply to a bind request or it may be the reply to a
    # udppacket, since udp is packetbased.
    # Note that nothing is done to verify that it's a "genuine" reply,
    # that is in general not possible anyway.  The below will allow
    # all "replies" in to your clients at the 10.0.0.0/8 net.
    #pass {
    #	from: 0.0.0.0/0 to: 10.0.0.0/8
    #	command: bindreply udpreply
    #	log: connect error
    #}
    
    
    # pass any http connects to the example.com domain if they
    # authenticate with username.
    # This matches "example.com" itself and everything ending in ".example.com".
    #pass {
    #	from: 10.0.0.0/8 to: .example.com port = http
    #	log: connect error
    #	method: username
    #}
    
    
    
    
    # block any other http connects to the example.com domain.
    #block {
    #	from: 0.0.0.0/0 to: .example.com port = http
    #	log: connect error
    #}
    
    # any client that has authenticated (method: username) may use tcp and
    # udp to any destination, including loopback and the LAN behind this
    # router.
    pass {
    	from: 0.0.0.0/0 to: 0.0.0.0/0
    	protocol: tcp udp
    }
    
    # last line, block everyone else.  This is the default but if you provide
    # one  yourself you can specify your own logging/actions
    #block {
    #	from: 0.0.0.0/0 to: 0.0.0.0/0
    #	log: connect error
    #}
    
    # route all http connects via an upstream socks server, aka "server-chaining".
    #route {
    # from: 10.0.0.0/8 to: 0.0.0.0/0 port = http via: socks.example.net port = socks
    #}

    This configuration basically lets every kind of traffic through, provided the client authenticates: "method: username" is SOCKS5 username/password authentication (RFC 1929), and Dante checks the credentials against the system's password database, so the login is a Linux username and its Linux password. Two things are easy to get wrong here. First, "user.notprivileged: proxyuser" only names the Linux account that sockd drops privileges to after start-up (it must exist); it does not by itself decide who may log in, and any local account with a valid password can authenticate unless a rule adds a "user:" restriction. Second, checking passwords against /etc/shadow needs privilege, which is why the sample file carries "user.privileged: root"; if logins fail with this file, that commented-out line is the first thing to check (the sample's own note on "compatibility: sameport" says the same). Also keep in mind that RFC 1929 sends the password in cleartext, so whatever Linux password you hand to the proxy crosses the campus network unencrypted, and that the "pass" rule reaches 0.0.0.0/0, which includes the router's loopback addresses and the lab LAN behind it, so the proxy reaches the LAN that removing the DNAT was meant to protect. Finally, create the log file /var/log/sockd.log (and its directory, if missing) by hand and make it writable by the account sockd runs as.
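    As an added example (not from the original post), here is a tighter version of the same danted.conf that keeps the author's listener and username authentication but closes the gaps above. It assumes the campus range is 192.168.0.0/16 (the post says campus addresses look like 192.168.X.X) and uses 192.168.200.0/24 as a placeholder for the lab LAN subnet, which the post does not give; substitute the real one. It drops "compatibility: sameport", "compatibility: reuseaddr" and "extension: bind" from the original, since sameport needs the root-privileged process for little benefit here and bind requests are refused outright.

```conf
logoutput: /var/log/sockd.log
internal: 192.168.152.1 port = 6070
external: 192.168.152.1

clientmethod: none
method: username

user.privileged: root          # so sockd can read /etc/shadow for "username"
user.notprivileged: proxyuser

# client rules: only the campus range may even talk to the listener,
# and only on the address/port it is bound to.
client pass {
    from: 192.168.0.0/16 to: 192.168.152.1 port = 6070
    log: connect error
}
client block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
}

# socks rules, first match wins: no loopback, no reaching back into the
# lab LAN, no bind; then plain outbound connect/udp for campus clients.
block {
    from: 0.0.0.0/0 to: 127.0.0.0/8
    log: connect error
}
block {
    from: 0.0.0.0/0 to: 192.168.200.0/24   # ASSUMED lab LAN subnet, substitute the real one
    log: connect error
}
block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bind
    log: connect error
}
pass {
    from: 192.168.0.0/16 to: 0.0.0.0/0
    protocol: tcp udp
    command: connect udpassociate
    log: error
}
block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
}
```

    The explicit final client block and socks block are the defaults anyway, but writing them out gives you log lines for refused attempts, which is how you would have noticed the connection count climbing before Telecom did.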

    Finally, start danted.

    # /etc/init.d/danted start

    OK, from then on I enjoyed free internet through the proxy. I also recommend a Windows proxy client called Proxifier, a good companion on the proxy road.
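    Before pointing Proxifier at the listener, it is worth seeing what "method: username" actually puts on the wire. The following is an added example, my own code rather than anything from the post or the Dante project: a minimal SOCKS5 client that performs the RFC 1928 greeting, the RFC 1929 username/password sub-negotiation and a CONNECT, paired over a socketpair with a small in-process stand-in for sockd so it runs offline. The account proxyuser/s3cret, the allowed destination ports and the target www.example.com are constructed test values. The stand-in records what it receives, which makes the point concretely: the Linux password arrives as plain bytes, readable by anyone on the path between the dorm and the border router.

```python
"""SOCKS5 username/password exchange (RFC 1928 + RFC 1929): a client and a
stand-in server talking over a socketpair.  Added example; proxyuser/s3cret,
the allowed ports and www.example.com are constructed test values."""
import socket
import struct
import threading

SOCKS5, AUTH_USERPASS, NO_ACCEPTABLE = 0x05, 0x02, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x01, 0x03
REP_OK, REP_NOT_ALLOWED = 0x00, 0x02


def recv_exact(sock, n):
    """Read exactly n bytes; every SOCKS field is fixed-size or length-prefixed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def socks5_connect(sock, username, password, host, port):
    """Client side.  Returns the server's reply code (REP_OK on success).
    The credentials are sent as plain bytes: RFC 1929 defines no encryption."""
    sock.sendall(struct.pack("!BBB", SOCKS5, 1, AUTH_USERPASS))      # greeting
    ver, method = struct.unpack("!BB", recv_exact(sock, 2))
    if ver != SOCKS5 or method != AUTH_USERPASS:
        raise ConnectionError("server refused username/password auth")
    u, p = username.encode(), password.encode()                      # RFC 1929
    sock.sendall(b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p)
    if recv_exact(sock, 2)[1] != 0x00:
        raise PermissionError("authentication rejected")
    h = host.encode()                                                # CONNECT
    sock.sendall(struct.pack("!BBBB", SOCKS5, CMD_CONNECT, 0, ATYP_DOMAIN)
                 + bytes([len(h)]) + h + struct.pack("!H", port))
    _, rep, _, atyp = struct.unpack("!BBBB", recv_exact(sock, 4))
    if atyp == ATYP_IPV4:                                            # skip BND.ADDR/BND.PORT
        recv_exact(sock, 6)
    elif atyp == ATYP_DOMAIN:
        recv_exact(sock, recv_exact(sock, 1)[0] + 2)
    return rep


def fake_sockd(sock, users, allowed_ports):
    """Server-side stand-in for sockd: authenticates against `users`, applies a
    destination-port rule, and returns everything it saw, credentials included."""
    seen = {}
    ver, nmethods = struct.unpack("!BB", recv_exact(sock, 2))
    if ver != SOCKS5 or AUTH_USERPASS not in recv_exact(sock, nmethods):
        sock.sendall(bytes([SOCKS5, NO_ACCEPTABLE]))
        return seen
    sock.sendall(bytes([SOCKS5, AUTH_USERPASS]))
    recv_exact(sock, 1)                                              # sub-negotiation version
    uname = recv_exact(sock, recv_exact(sock, 1)[0]).decode()
    passwd = recv_exact(sock, recv_exact(sock, 1)[0]).decode()
    seen["username"], seen["password"] = uname, passwd               # cleartext on the wire
    if users.get(uname) != passwd:
        sock.sendall(b"\x01\x01")
        return seen
    sock.sendall(b"\x01\x00")
    _, cmd, _, atyp = struct.unpack("!BBBB", recv_exact(sock, 4))
    if atyp == ATYP_DOMAIN:
        host = recv_exact(sock, recv_exact(sock, 1)[0]).decode()
    else:                                                            # IPv4 only in this stand-in
        host = socket.inet_ntoa(recv_exact(sock, 4))
    port = struct.unpack("!H", recv_exact(sock, 2))[0]
    seen["dest"] = (host, port)
    rep = REP_OK if cmd == CMD_CONNECT and port in allowed_ports else REP_NOT_ALLOWED
    sock.sendall(struct.pack("!BBBB", SOCKS5, rep, 0, ATYP_IPV4) + b"\0" * 6)
    return seen


def run_exchange(username, password, host, port):
    """Drive one client/server exchange in-process; returns (reply, server_view).
    reply is None when the stand-in rejected the credentials."""
    client_end, server_end = socket.socketpair()
    view = {}
    t = threading.Thread(target=lambda: view.update(
        fake_sockd(server_end, {"proxyuser": "s3cret"}, {80, 443})))
    t.start()
    try:
        rep = socks5_connect(client_end, username, password, host, port)
    except PermissionError:
        rep = None
    finally:
        client_end.close()
    t.join()
    server_end.close()
    return rep, view


if __name__ == "__main__":
    print(run_exchange("proxyuser", "s3cret", "www.example.com", 80))
    print(run_exchange("proxyuser", "wrong", "www.example.com", 80))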

    Postscript: later too many people were using the proxy on this server; presumably Telecom saw an abnormal connection count and cut it off. The symptom was that other campus hosts still answered ping, but the lab's border router no longer did. No zuo no die (ask for trouble and you get it); next time I'll set up a private proxy and use it quietly.

Original post: https://www.cnblogs.com/superpig0501/p/3967584.html