Dante
Dante is a network proxy server. It gives you a single point of access for all kinds of network traffic, such as
ftp, irc or icq.
The homepage for Dante
http://www.inet.no/dante/
Some GNU/Linux distros come with a pre-installed package, but I prefer the manual way: compiling it from source. Download the
latest source file from their website and unpack it with
tar zxvf dante.tar.gz
Now move into the directory and run the configure script without options; afterwards run make, make check and (as root) make install:
cd dante
./configure
make
make check
su -
make install
This should give you no problems. After the installation, add a user and a group named sockd to the system.
I'm only going to cover a 'basic' installation. More information is provided on the Dante homepage.
Dante uses a configuration file, /etc/sockd.conf, that mainly consists of two parts: the general settings
and the rules section. So open /etc/sockd.conf with your favourite editor and add this:
logoutput: /var/log/sockd/sockd
internal: eth0 port = 1080
external: eth1
method: none username pam
clientmethod: none
user.libwrap: libwrap
#user.privileged: sockd
user.notprivileged: sockd
connecttimeout: 30
logoutput sends all events to /var/log/sockd/sockd.
internal and external set up where Dante listens on the network (internal) and which interface it uses towards the outside (external).
You can use either the interface name or the IP address.
method and clientmethod define how authentication is handled.
As mentioned above, you need to add a user and group sockd to the system. Dante will run under the
user specified by user.notprivileged.
With connecttimeout you define, in seconds, how quickly a pending connection is closed.
The second part of the config file is the rule set. I'm not going to cover every rule; the examples below
should make things clear(er).
# Allow everyone from my LAN
client pass {
from: 192.168.0.0/24 port 1-65535 to: 0.0.0.0/0
log: connect disconnect
}
# Block everyone else
client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
# Block everyone connecting to lo (127.0.0.0/8)
block {
from: 0.0.0.0/0 to: 127.0.0.0/8
log: connect error
}
# Block subnet 172.16.0.0/12
block {
from: 0.0.0.0/0 to: 172.16.0.0/12
log: connect error
}
# Allow replies to bind and incoming udp
pass {
from: 0.0.0.0/0 to: 192.168.0.0/24
command: bindreply udpreply
log: connect error
}
# Allow tcp and udp connections from our lan to everywhere
pass {
from: 192.168.0.0/24 to: 0.0.0.0/0
protocol: tcp udp
log: error
}
# Log all the rest
block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
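To check how Dante will apply a rule set like the one above before putting it into service, here is an added Python example (not part of this page or of Dante itself) that parses the rules into their client and socks phases and evaluates requests with first-match semantics the way sockd does. The sample rules are a constructed one-line-per-rule copy of the set above; the proxy's internal address 192.168.0.1 and the client and destination addresses are assumptions, and port specifications are ignored.

```python
import ipaddress
import re
# Constructed sample: the rule section from above, one rule per line for brevity.
SOCKD_RULES = """
client pass { from: 192.168.0.0/24 port 1-65535 to: 0.0.0.0/0 log: connect disconnect }
client block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error }
block { from: 0.0.0.0/0 to: 127.0.0.0/8 log: connect error }
block { from: 0.0.0.0/0 to: 172.16.0.0/12 log: connect error }
pass { from: 0.0.0.0/0 to: 192.168.0.0/24 command: bindreply udpreply log: connect error }
pass { from: 192.168.0.0/24 to: 0.0.0.0/0 protocol: tcp udp log: error }
block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error }
"""
RULE_RE = re.compile(r"(client\s+)?(pass|block)\s*\{(.*?)\}", re.S)

def parse_rules(text):
    """Split each rule into 'key: values' fields and keep what matching needs."""
    rules = []
    for m in RULE_RE.finditer(text):
        fields, key = {}, None
        for tok in m.group(3).split():
            if tok.endswith(":"):
                key, fields[tok[:-1]] = tok[:-1], []
            elif key is not None:
                fields[key].append(tok)
        rules.append({
            "phase": "client" if m.group(1) else "socks",
            "verdict": m.group(2),
            "from": ipaddress.ip_network(fields["from"][0]),  # port spec ignored
            "to": ipaddress.ip_network(fields["to"][0]),
            "command": set(fields.get("command", [])),        # empty = any
            "protocol": set(fields.get("protocol", [])),
        })
    return rules

def first_match(rules, phase, src, dst, command="connect", protocol="tcp"):
    """File order, first match wins; no match at all means block (Dante's default)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (r["phase"] == phase and src in r["from"] and dst in r["to"]
                and (not r["command"] or command in r["command"])
                and (not r["protocol"] or protocol in r["protocol"])):
            return i, r["verdict"]
    return None, "block"

def decide(rules, src, dst, proxy_ip, command="connect", protocol="tcp"):
    """Client-rules gate the TCP connection to sockd itself ('to' is the proxy's
    own address); socks-rules gate the request made through it. bindreply and
    udpreply arrive from the remote peer, so only the socks-rules apply to them."""
    if command not in ("bindreply", "udpreply"):
        i, verdict = first_match(rules, "client", src, proxy_ip)
        if verdict != "pass":
            return "client", i, verdict
    return ("socks",) + first_match(rules, "socks", src, dst, command, protocol)
```

decide() returns the phase, the index of the rule that decided and its verdict, so a surprising answer points straight at the rule to reorder.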
When you install from source, no init script is provided. You can use the one below (it relies on the Red Hat style /etc/rc.d/init.d/functions):
#!/bin/sh
. /etc/rc.d/init.d/functions
. /etc/sysconfig/network
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
[ -f /usr/local/sbin/sockd ] || exit 0
[ ! -f /etc/sockd.conf ] && exit 1
SOCKD_CONF="-f /etc/sockd.conf"
case "$1" in
start)
# Start daemons.
echo -n "Starting sockd: "
daemon /usr/local/sbin/sockd -D $SOCKD_CONF
echo
touch /var/lock/subsys/sockd
;;
stop)
# Stop daemons.
echo -n "Shutting down sockd: "
killproc sockd
echo
rm -f /var/lock/subsys/sockd
;;
restart)
$0 stop
$0 start
;;
status)
status sockd
;;
*)
echo "Usage: sockd {start|stop|restart|status}"
exit 1
esac
exit 0
After a while your socks logs will fill up with connection attempts and errors. To keep them organised you should rotate them
frequently. The standard GNU/Linux logrotate can do the trick, but eventually you may run into trouble with file locking. As an
alternative you could use this script and add it to /etc/cron.weekly:
#!/bin/sh
# Copy the current log to a dated file, then truncate the live log in place
# rather than removing it, so the file handle sockd keeps open stays valid.
DAY=$(date +%d-%B-%Y)
cp /var/log/sockd/sockd /var/log/sockd/sockd.${DAY}
echo > /var/log/sockd/sockd