Closed quaggalinux closed 1 year ago
I didn't understand your English very well; did you mean a way to prevent the Glider server from reaching the server's private IP addresses such as 127.0.0.1, 10.0.0.0/8, etc.?
You can bind to a specific network interface and prevent Glider server from serving local server addresses such as 127.0.0.1.
For example:
glider -verbose -interface eth0 -listen socks5://0.0.0.0:1080
But if you need a more complete solution, there is 3proxy; you can serve HTTPS and SOCKS5 servers with it: https://github.com/3proxy/3proxy
You can block external IP addresses with the following line in the configuration (3proxy's field order is user list, source list, target list):
deny * * 10.0.0.0/8,127.0.0.0/8,192.168.0.0/16,172.16.0.0/12
PS: Here is a list of all local address ranges: https://en.wikipedia.org/wiki/IPv4#Special-use_addresses
@phantomcraft Thank you for your reply!
I am afraid the glider bind-to-a-specific-network-interface solution doesn't fit my situation.
My glider server is in a LAN and uses the firewall's port forwarding to expose the glider server's listen port, so the glider server's interface eth0 is assigned a private IP address like 10.0.0.100/24.
There is a simpler solution, which is to use iptables to filter the traffic going to local addresses:
First, create an empty user:
useradd kek
Change its password (as root, since the new account has no password yet):
sudo passwd kek
Add some iptables rules (these will block access to private IPs):
iptables -A OUTPUT -m owner --uid-owner kek -d 127.0.0.0/8,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -j DROP
Run glider as user "kek":
sudo -u kek -- glider -listen socks5://127.0.0.1:1080
@phantomcraft This iptables solution would be great! Thank you so much!
/\ If you need to block IPv6 local addresses also:
ip6tables -A OUTPUT -m owner --uid-owner kek -d ::1/128,::ffff:0:0/96,::ffff:0:0:0/96,64:ff9b::/96,64:ff9b:1::/48,fc00::/7,ff00::/8 -j DROP
The addresses above include loopback, translated/mapped addresses and LAN addresses.
@quaggalinux
@phantomcraft This iptables solution would be great! Thank you so much!
Indeed, and if you don't want to create a separate user just for running Glider, you can use cgroups:
Check if cgroups2 is mounted:
mount -t cgroup2
If it's not, mount it:
mkdir /sys/fs/cgroup/unified
mount -t cgroup2 -o rw,nosuid,nodev,noexec,relatime,nsdelegate cgroup2 /sys/fs/cgroup/unified
Create a cgroup:
mkdir /sys/fs/cgroup/unified/kek
Run Glider (in the background, so the shell is free for the next step):
glider -listen socks5://127.0.0.1:1080 &
Move Glider PID to newly created cgroup:
echo $(pidof glider) >> /sys/fs/cgroup/unified/kek/cgroup.procs
And apply iptables rules:
iptables -A OUTPUT -m cgroup --path kek -d 127.0.0.0/8,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -j DROP
ip6tables -A OUTPUT -m cgroup --path kek -d ::1/128,::ffff:0:0/96,::ffff:0:0:0/96,64:ff9b::/96,64:ff9b:1::/48,fc00::/7,ff00::/8 -j DROP
A small advantage of cgroup over matching the UID is that it will also block ICMP and other kinds of protocols that have no UID.
It seems like the cgroup solution would be better than the iptables solution.
The cgroup solution will not block apps other than glider from reaching private IP addresses on the same server.
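As an added example (not code from this thread or from glider), here is the same deny list, taken from the iptables and ip6tables rules above, applied in Python as a check on a resolved destination address before a proxy connects on a client's behalf; the names `embedded_ipv4` and `is_blocked` are chosen here.

```python
import ipaddress

# Added example, not glider's code: the ranges from the iptables/ip6tables
# rules in this thread, checked in application code on a resolved address.
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
BLOCKED_V6 = [ipaddress.ip_network(n) for n in (
    "::1/128", "::ffff:0:0/96", "::ffff:0:0:0/96", "64:ff9b::/96",
    "64:ff9b:1::/48", "fc00::/7", "ff00::/8")]


def embedded_ipv4(addr):
    """IPv4 address carried inside an IPv4-mapped, IPv4-translated or NAT64
    (64:ff9b::/96) IPv6 address, or None if it carries none."""
    if addr.version != 6:
        return None
    if addr.ipv4_mapped is not None:            # ::ffff:a.b.c.d
        return addr.ipv4_mapped
    for carrier in ("::ffff:0:0:0/96", "64:ff9b::/96"):
        if addr in ipaddress.ip_network(carrier):
            return ipaddress.ip_address(int(addr) & 0xFFFFFFFF)  # low 32 bits
    return None


def is_blocked(dest):
    """True if the IP literal `dest` must not be dialled for a client.

    A kernel rule sees the packet that is actually sent: a dual-stack socket
    connecting to ::ffff:10.0.0.1 emits an IPv4 packet to 10.0.0.1, which the
    iptables (not ip6tables) rule catches. This check mirrors that by judging
    the embedded IPv4 address against the IPv4 list as well.
    """
    addr = ipaddress.ip_address(dest.split("%", 1)[0])  # drop scope zone
    direct = BLOCKED_V4 if addr.version == 4 else BLOCKED_V6
    if any(addr in net for net in direct):
        return True
    inner = embedded_ipv4(addr)
    return inner is not None and any(inner in net for net in BLOCKED_V4)


if __name__ == "__main__":
    # Constructed sample destinations, not taken from any real traffic.
    for dest in ("8.8.8.8", "10.0.0.100", "::ffff:127.0.0.1",
                 "64:ff9b::a00:1", "2001:db8::1", "fd12::1", "fe80::1%eth0"):
        print(f"{dest:>20}  blocked={is_blocked(dest)}")
```

Apply it to the address returned by name resolution, not to the hostname, since a kernel rule judges the real packet and this check should do the same. The link-local range fe80::/10 is not in the thread's ip6tables list, so it is reported as not blocked.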
You can also deny IP address ranges in the systemd .service file.
https://0pointer.net/blog/ip-accounting-and-access-lists-with-systemd.html https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#IPAddressAllow=ADDDRESS%5B/PREFIXLENGTH%5D%E2%80%A6
Here's an example service file:
[Unit]
Description=glider service
After=multi-user.target
[Install]
WantedBy=multi-user.target
[Service]
IPAddressDeny=localhost
IPAddressDeny=169.254.0.0/16
IPAddressDeny=192.168.0.0/16
IPAddressDeny=198.18.0.0/15
IPAddressDeny=172.16.0.0/12
IPAddressDeny=100.64.0.0/10
IPAddressDeny=10.0.0.0/8
ExecStart=<glider command line goes here>
@bootrino Thank you! Your way is easier.
@bootrino
I didn't know about this feature in systemd, thanks.
@phantomcraft systemd is amazing. You should read the docs - there's far more stuff in there that will blow your mind.
@bootrino
I have been reading people saying bad things about systemd and that Devuan is a better Linux distribution, but systemd for me was one of the best ideas for managing a system.
I saved the links you posted above because I'm sure I will need them someday in the future.
I think glider rules can do that as well
forward=reject://
cidr=x.x.x.x/x
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.
How to prevent the glider server from accessing private IP addresses? The desired result is that a glider client can only use the glider server to access the internet, but cannot use the glider server to access private IP addresses.
Thank you!