Dante Module Documentation
Redirect Module
Description
The Redirect module gives control over both where client requests and replies will end up, and what addresses and port ranges the Dante server will use on behalf of the clients for outgoing connections.The module can be used to redirect client connections from one address to another, which can be useful in cases where clients should use a local web-proxy instead of communicating directly with external web servers.
It can also be used to restrict the port ranges used by the Dante server, which can be useful in cases where a firewall needs to know which port ranges the Dante SOCKS server will use.
Additionally, it can be used to make the IP-address the Dante server will use when connecting to a remote server be chosen based on the IP-address of each connecting client, or even the username, if username-based authentication is configured.
Syntax
The syntax of the redirect statement is as follows:redirect from: <address> to: <address>It is not necessary to specify both, but at least one of the from or to keywords is needed.
Here address can be an address in any format supported by Dante. See sockd.conf(5) for more information about this.
If the to address does not contain a port-specifier, the Dante server will use the same port as the original socks-request, where applicable. This also makes it possible to redirect all connections for one host to another, without having to specify one redirect statement for each port number.
Semantics
The redirect statement can be used in both client-rules or socks-rules. See sockd.conf(5) for more information about the different rule types. Note that a redirection set in a client-rule is not necessarily inherited by a later socks-rule. Whether it is or not depends on the command used in the socks-rule. For some commands, such as connect, inheritance makes sense, while for others, such as bind, this does not make sense, and there is no inheritance applied by the Dante server. The section listing the semantics of each redirect application lists the commands for which a redirection setting is inherited. The intent is that redirection will be inherited where it makes sense. The meaning of to and from varies depending on which SOCKS command the redirect statement applies to.The next section details the semantics of redirect, based on the command used (with the corresponding protocol in parenthesis).
bind (protocol: tcp)
from is the address when doing bind on behalf of a client.to is ignored. Redirection is not inherited from client-rules.
bindreply (protocol: tcp)
from is the address the client is told the bindreply connection is from.to is the address to send the bindreply connection to (only applicable if using the bind extension). Redirection is not inherited from client-rules.
connect (protocol: tcp)
from is the address to use on behalf of the client for making the connection.to is the address to connect the client to. The redirection from address is inherited from client-rules.
udpassociate (protocol: udp)
from is the address to use on behalf of the client for sending UDP packets.to is the address to send packets from the client to. The redirection from address is inherited from client-rules.
udpreply (protocol: udp)
from is the address to tell the client the reply is coming from.to is the address to send the reply to. Redirection is not inherited from client-rules.
Examples
This section shows several examples of how the redirect module can be used.Redirecting web-requests to a web proxy
The below rule redirects clients from the 10.0.0.0/24 network that want to connect to the http port of any address to the address squid.example.com, port 3128.
pass {
from: 10.0.0.0/24 to: 0.0.0.0/0 port = http
command: connect
redirect to: squid.example.com port = 3128
}
Limiting the port ranges used by the Dante server
The next rule makes the server limit itself to using ports above 32768 on the interface de1 when sending out packets on behalf of the clients on the 10.1.1.0/24 network.
pass {
from: 10.0.0.0/24 to: 0.0.0.0/0
redirect from: de1 port > 32768
}
Using different IP-addresses for different clients
The next two rules show how the Dante server could be instructed to use different IP-addresses for different clients.
# clients from the 10.1/16-net will be assigned IP-address 192.168.0.1
pass {
from: 10.1.0.0/16 to: 0.0.0.0/0
redirect from: 192.168.0.1/32
}
# clients from the 10.2/16-net will be assigned IP-address 192.168.0.2
pass {
from: 10.2.0.0/16 to: 0.0.0.0/0
redirect from: 192.168.0.2/32
}