Dante sockd can't forward traffic through multiple virtual IPs

Question

I have configured Dante sockd to forward traffic through multiple IP interfaces. The config is basically this:

logoutput: /var/log/sockd.log
debug: 1
socksmethod: username none

internal: eth0 port = 60000
external: eth0
internal: eth0:0 port = 60000
external: eth0:0
internal: eth0:1 port = 60000
external: eth0:1
internal: eth0:2 port = 60000
external: eth0:2
...

external.rotation: same-same

client pass {

  from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0

  socksmethod: username

}

socks pass {

from: 0.0.0.0/0 to: 0.0.0.0/0

socksmethod: username

protocol: tcp udp

}

With 'external.rotation = same.same' disabled traffic is passed through the server but only goes out of one address. When it's enabled, I get the following error using curl:

curl: (7) Can't complete SOCKS5 connection to x.x.x.x:80. (3)

and this error in the logs:

May 15 07:38:38 (1431689918.007569) sockd[4887]: info: block(1): tcp/accept ]: x.x.x.x.56066 y.y.y.y.60000: request was not performed due to error: could not get address to use on external side: using external.rotation = same-same, local address x.x.x.x was selected for forwarding from our local client x.x.x.x.56066 to target z.z.z.z.80, but that local address is not set on our external interface(s).  Configuration error in /etc/sockd.conf?

x.x.x.x is my ip address, y.y.y.y is the server side address and z.z.z.z is the destination address.

That suggests to me that the server expects to masquerade as my address but that it's not configured, which is correct as I want traffic to be seen as coming from the y.y.y.y address where there are over a hundred of them to choose from.

I can't find anything in the documentation that matches the error I'm seeing and I suspect that there is some kind of round robin config needed but I can't find that either. Has anyone made this work in this way?

Answer 1

The following worked for me with Dante 1.4.2 on CentOS 6.x 64bit, although I don't use authentication because I access Dante via SSH tunnels (my server's IPs are 1.1.1.1, 2.2.2.2 and 3.3.3.3):

logoutput: syslog stdout stderr /var/log/sockd.log
internal: eth0:0 port = 1080
internal: eth0:1 port = 1080
internal: eth0:2 port = 1080
external: eth0:0
external: eth0:1
external: eth0:2
external.rotation: same-same
user.privileged: root
user.unprivileged: sockd
#user.libwrap: sockd
clientmethod: none
socksmethod: none
client pass {
    from: 1.1.1.1/32 to: 0.0.0.0/0
    log: error # connect disconnect
}
client pass {
    from: 2.2.2.2/32 to: 0.0.0.0/0
    log: error # connect disconnect
}
client pass {
    from: 3.3.3.3/32 to: 0.0.0.0/0
    log: error # connect disconnect
}
socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bind connect udpassociate
    log: error # connect disconnect iooperation
}
socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bindreply udpreply
    log: error # connect disconnect iooperation
}

Then created three local tunnels from my client machine:

ssh -L 10801:1.1.1.1:1080 -L 10802:2.2.2.2:1080 -L 10803:3.3.3.3:1080 user@1.1.1.1

I think most of the problems I had with settings were down to permission issues (client pass and socks pass).

If you still have problems, you can try an alternative to Dante: 3Proxy.

You would configure 3proxy in this way:

nserver 8.8.8.8
auth none
daemon
socks -p1080 -i1.1.1.1 -e1.1.1.1
socks -p1080 -i2.2.2.2 -e2.2.2.2
socks -p1080 -i3.3.3.3 -e3.3.3.3
pidfile /var/run/3proxy.pid
log /dev/null

Hope this helps.

Answer 2

Have you tried enabling IP forwarding for your OS?

sysctl -w net.ipv4.ip_forward=1

or

echo 1 > /proc/sys/net/ipv4/ip_forward

More information @ http://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux