nadoo / glider

glider is a forward proxy with multiple protocols support, and also a dns/dhcp server with ipset management features(like dnsmasq).
GNU General Public License v3.0

How to prevent glider server from accessing private ip address? #347

Closed quaggalinux closed 1 year ago

quaggalinux commented 2 years ago

How to prevent the glider server from accessing private IP addresses? The desired result is that the glider client can only use the glider server to access the internet, but the glider client cannot use the glider server to access private IP addresses.

Thank you!

phantomcraft commented 2 years ago

I didn't understand your English very well, did you mean a way to prevent Glider server from reaching server private IP addresses such as 127.0.0.1, 10.0.0.0/8 etc?

You can bind to a specific network interface and prevent Glider server from serving local server addresses such as 127.0.0.1.

For example:

glider -verbose -interface eth0 -listen socks5://0.0.0.0:1080

But if you need a more complete solution, there is 3proxy, you can serve HTTPS and SOCKS5 servers with it: https://github.com/3proxy/3proxy

You can block external IP addresses with the following lines in the configuration:

deny * * 10.0.0.0/8,127.0.0.0/8,192.168.0.0/16,172.16.0.0/12

PS: Here is a list of all local address ranges: https://en.wikipedia.org/wiki/IPv4#Special-use_addresses

quaggalinux commented 2 years ago

@phantomcraft Thank you for your reply!

I am afraid the "bind glider to a specific network interface" solution doesn't fit my situation.

Because my glider server is in the LAN and it uses the firewall's port forwarding to expose the glider server's listen port, the glider server's interface eth0 is assigned a private IP address like 10.0.0.100/24.

phantomcraft commented 2 years ago

There is a simpler solution, which is to use iptables to filter the traffic going to local addresses:

First, create an empty user:

useradd kek

Change its password

sudo -u kek passwd

Add some iptables rules (these will block access to private IPs):

iptables -A OUTPUT -m owner --uid-owner kek -d 127.0.0.0/8,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -j DROP

Run glider as user "kek":

sudo -u kek -- glider -listen socks5://127.0.0.1:1080

quaggalinux commented 2 years ago

@phantomcraft This iptables solution would be great! Thank you so much!

phantomcraft commented 2 years ago

/\ If you need to block IPv6 local addresses also:

ip6tables -A OUTPUT -m owner --uid-owner kek -d ::1/128,::ffff:0:0/96,::ffff:0:0:0/96,64:ff9b::/96,64:ff9b:1::/48,fc00::/7,ff00::/8 -j DROP

The addresses above include loopback, translated/mapped addresses and LAN addresses

phantomcraft commented 2 years ago

@quaggalinux

@phantomcraft This iptables solution would be great! Thank you so much!

Indeed, and if you don't want to create a separate user just for running Glider, you can use cgroups:

Check if cgroups2 is mounted:

mount -t cgroup2

If it's not, mount it:

mkdir /sys/fs/cgroup/unified
mount -t cgroup2 -o rw,nosuid,nodev,noexec,relatime,nsdelegate cgroup2 /sys/fs/cgroup/unified

Create a cgroup:

mkdir /sys/fs/cgroup/unified/kek

Run Glider:

glider -listen socks5://127.0.0.1:1080

Move Glider PID to newly created cgroup:

echo $(pidof glider) >> /sys/fs/cgroup/unified/kek/cgroup.procs

And apply iptables rules:

iptables -A OUTPUT -m cgroup --path kek -d 127.0.0.0/8,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -j DROP
ip6tables -A OUTPUT -m cgroup --path kek -d ::1/128,::ffff:0:0/96,::ffff:0:0:0/96,64:ff9b::/96,64:ff9b:1::/48,fc00::/7,ff00::/8 -j DROP

There is a small advantage of cgroup over matching UID: it will also block ICMP and other kinds of protocols that have no UID.

quaggalinux commented 2 years ago

It seems like the cgroup solution would be better than the iptables solution.

Because the cgroup solution will not block apps other than glider from reaching private IP addresses on the same server.

ghost commented 2 years ago

You can also deny IP address ranges in the systemd .service file.

https://0pointer.net/blog/ip-accounting-and-access-lists-with-systemd.html
https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#IPAddressAllow=ADDDRESS%5B/PREFIXLENGTH%5D%E2%80%A6

Here's an example service file:

[Unit]
Description=glider service
After=multi-user.target

[Install]
WantedBy=multi-user.target

[Service]
IPAddressDeny=localhost
IPAddressDeny=169.254.0.0/16
IPAddressDeny=192.168.0.0/16
IPAddressDeny=198.18.0.0/15
IPAddressDeny=172.16.0.0/12
IPAddressDeny=100.64.0.0/10
IPAddressDeny=10.0.0.0/8
ExecStart=<glider command line goes here>

quaggalinux commented 2 years ago

@bootrino Thank you! Your way is easier.

phantomcraft commented 2 years ago

@bootrino

I didn't know about this feature in systemd, thanks.

ghost commented 2 years ago

@phantomcraft systemd is amazing. You should read the docs - there's far more stuff in there that will blow your mind.

phantomcraft commented 2 years ago

@bootrino

I have been reading dudes saying bad things about systemd and that Devuan is a better Linux distribution, but systemd for me was one of the best ideas for managing a system.

I saved the links you posted above because I'm sure I will need them someday in the future.

emptyteeth commented 2 years ago

I think glider rules can do that as well

forward=reject://
cidr=x.x.x.x/x
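
The same deny policy as the iptables/ip6tables rules earlier in this thread, written as an application-level destination check in Go (an added example, not glider's own code). It takes the thread's IPv4 and IPv6 ranges and also handles two cases a naive check misses: IPv4-mapped IPv6 destinations such as ::ffff:10.0.0.100, and zoned link-local addresses. The function name IsDeniedDest and the sample destinations are constructed for this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Deny ranges copied from the iptables and ip6tables rules earlier in this thread.
var denyRanges = []string{
	"127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12",
	"::1/128", "::ffff:0:0/96", "::ffff:0:0:0/96", "64:ff9b::/96",
	"64:ff9b:1::/48", "fc00::/7", "ff00::/8",
}

var denyPrefixes = func() []netip.Prefix {
	ps := make([]netip.Prefix, 0, len(denyRanges))
	for _, s := range denyRanges {
		ps = append(ps, netip.MustParsePrefix(s))
	}
	return ps
}()

// IsDeniedDest reports whether a proxy destination ("ip" or "ip:port", IPv4 or
// IPv6) lies in one of the deny ranges. Hostnames are not resolved here: resolve
// them first and check every resulting IP, otherwise a name that points at a
// private address bypasses the filter.
func IsDeniedDest(dest string) (bool, error) {
	addr, err := netip.ParseAddr(dest)
	if err != nil {
		ap, err2 := netip.ParseAddrPort(dest)
		if err2 != nil {
			return false, fmt.Errorf("destination %q is not an IP address: %w", dest, err)
		}
		addr = ap.Addr()
	}
	// Prefix.Contains never matches a zoned address (fe80::1%eth0), so strip the zone.
	addr = addr.WithZone("")
	// Prefix.Contains never matches an IPv4-mapped IPv6 address (::ffff:a.b.c.d)
	// against an IPv4 prefix, so check the unmapped form too. The list above already
	// denies all of ::ffff:0:0/96; this keeps the check correct if that entry is dropped.
	for _, p := range denyPrefixes {
		if p.Contains(addr) || p.Contains(addr.Unmap()) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample destinations, including the LAN address mentioned in this thread.
	for _, d := range []string{"10.0.0.100:22", "[::ffff:10.0.0.100]:80", "1.1.1.1:443", "example.com:443"} {
		denied, err := IsDeniedDest(d)
		fmt.Printf("%-24s denied=%v err=%v\n", d, denied, err)
	}
}
```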

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.