Dante blocks some localhost connections

I connect to Dante through a tunnel. It works, but it still blocks two applications that I need to run through the SOCKS proxy.

Aug 28 14:20:24 (1377699624) danted[3519]: block(1): tcp/connect [: 127.0.0.1.51519 -> 127.0.0.1.30000
Aug 28 14:20:33 (1377699633) danted[3519]: block(1): tcp/connect [: 127.0.0.1.51527 -> 127.0.0.1.6112

This is what shows up in the log. My config is:

#Where are we going to log all those useful error messages?
logoutput: /var/log/dante.log

#What ip and port should Dante listen on,
# since I am only going to be using this via SSH 
#I only want to allow connections over the loopback
internal: 127.0.0.1 port = 1080

#Bind to the eth0 interface
external: eth0

#Since I am only accepting connections over the loopback, 
# the only people that COULD connect 
# would already be authenticated, 
# no need to have dante authenticate also
method: username none

#Which unprivileged user will Dante impersonate if need-be?
user.notprivileged: nobody

# Who can access this proxy?
# Accept only connections from the loopback, all ports
client pass {
  from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

#Block all other connection attempts
client block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}

# Once connected, where can they go?
block {
  from: 0.0.0.0/0 to: 127.0.0.0/8
  log: connect error
}

#Pass from the internal IP to anywhere
pass {
  from: 192.168.0.0/16 to: 0.0.0.0/0
  protocol: tcp udp
}

#Pass from the loopback going anywhere
pass {
  from: 127.0.0.0/8 to: 0.0.0.0/0
  protocol: tcp udp
}

# Block everything else
block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}

Do you know what is going on here? I'm confused.

Answer 1

You should read the documentation.

Dante rules are processed on a first-match basis, and every address matches 0.0.0.0/0. So rewrite these rules to do what you actually want, and keep the block rules at the end.

We don't know what it works for, but I have to assume that whatever does work is either not on localhost or not being proxied.

Also keep in mind that when you access localhost through a proxy, the endpoint will be the proxy's loopback interface, not yours. But since you are running the proxy on the same machine you are accessing and hosting the content on (for some reason), that doesn't matter in this particular case. However, that is why blocking loopback on the proxy is common.
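
The first-match behaviour described above can be checked offline. The following is an added example, not code from the question or from Dante itself: it parses the two danted log lines from the question, replays the socks-level pass/block rules from the posted config in order, and shows which rule decides each connection, both for the rule order as posted and for a constructed reordering that puts the loopback pass ahead of the loopback block. The rule tables, the regex and the default-deny when nothing matches are assumptions made here for illustration.

```python
import ipaddress
import re

# Constructed from the posted danted.conf: the socks-level pass/block rules in
# the order they appear (client rules omitted; the log shows a socks-level block).
RULES_AS_POSTED = [
    ("block", "0.0.0.0/0", "127.0.0.0/8"),
    ("pass", "192.168.0.0/16", "0.0.0.0/0"),
    ("pass", "127.0.0.0/8", "0.0.0.0/0"),
    ("block", "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed reordering: the loopback pass now precedes the loopback block,
# so the blanket block rules are the last thing evaluated.
RULES_REORDERED = [
    ("pass", "127.0.0.0/8", "0.0.0.0/0"),
    ("pass", "192.168.0.0/16", "0.0.0.0/0"),
    ("block", "0.0.0.0/0", "127.0.0.0/8"),
    ("block", "0.0.0.0/0", "0.0.0.0/0"),
]

# Matches the "verdict(n): tcp/connect [: src -> dst" part of a danted log line.
LOG_RE = re.compile(r"(\w+)\(\d+\): tcp/connect \[: (\S+) -> (\S+)")

def parse_log_line(line):
    """Return (logged_verdict, src_ip, dst_ip, dst_port); danted writes a.b.c.d.port."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a danted connect line: " + line)
    src = m.group(2).rsplit(".", 1)[0]
    dst, dport = m.group(3).rsplit(".", 1)
    return m.group(1), src, dst, int(dport)

def first_match(rules, src, dst):
    """Top-down evaluation: the first rule whose from/to contain src/dst decides.
    Returns (rule_index, verdict); (None, 'block') models the deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (verdict, frm, to) in enumerate(rules):
        if s in ipaddress.ip_network(frm) and d in ipaddress.ip_network(to):
            return i, verdict
    return None, "block"

# The two log lines from the question, embedded as sample input.
LOG_LINES = [
    "Aug 28 14:20:24 (1377699624) danted[3519]: block(1): tcp/connect [: 127.0.0.1.51519 -> 127.0.0.1.30000",
    "Aug 28 14:20:33 (1377699633) danted[3519]: block(1): tcp/connect [: 127.0.0.1.51527 -> 127.0.0.1.6112",
]

def verdicts(rules, lines=LOG_LINES):
    """(rule_index, verdict) for each logged connection under the given rule order."""
    return [first_match(rules, *parse_log_line(line)[1:3]) for line in lines]
```

With the rules as posted, both connections hit rule 0 (block to 127.0.0.0/8) before the loopback pass rule is ever reached; with the reordering they match the loopback pass at rule 0.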

Answer 2

You are blocking traffic from any IP to loopback IPs. Fix your first "block" statement.
