nadoo / glider

glider is a forward proxy with multiple protocols support, and also a dns/dhcp server with ipset management features(like dnsmasq).

How to prevent glider server from accessing private ip address?

quaggalinux opened this issue · comments

How to prevent glider server from accessing private ip address?
Desired result is glider client can only use glider server to access internet but glider client can not use glider server access private ip address.

Thank you!

I didn't understand your English very well, did you mean a way to prevent Glider server from reaching server private IP addresses such as 127.0.0.1, 10.0.0.0/8 etc?

You can bind to a specific network interface and prevent Glider server from serving local server addresses such as 127.0.0.1.

For example:

glider -verbose -interface eth0 socks5://0.0.0.0:1080

But if you need a more complete solution, there is 3proxy; you can serve HTTPS and SOCKS5 servers with it: https://github.com/3proxy/3proxy

You can block external IP addresses with the following lines in the configuration:

deny * * 10.0.0.0/8,127.0.0.0/8,192.168.0.0/16,172.16.0.0/12 *

PS: Here is a list of all local address ranges: https://en.wikipedia.org/wiki/IPv4#Special-use_addresses

@phantomcraft Thank you for your reply!

I am afraid the glider bind to a specific network interface solution doesn't fit my situation.

Because my glider server is in a LAN and it uses the firewall's port forwarding to expose the glider server's listen port, the glider server's interface eth0 is assigned a private IP address like 10.0.0.100/24.

There is a simpler solution: use iptables to filter the traffic going to local addresses.

First, create an empty user:

useradd kek

Change its password

sudo passwd kek

Add some iptables rules (these will block access to private IPs):

iptables -A OUTPUT -m owner --uid-owner kek -d 127.0.0.0/8,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -j DROP

Run glider as user "kek":

sudo -u kek -- glider -listen socks5://127.0.0.1:1080

@phantomcraft
This iptables solution would be great!
Thank you so much!

/\ If you need to block IPv6 local addresses also:

ip6tables -A OUTPUT -m owner --uid-owner kek -d ::1/128,::ffff:0:0/96,::ffff:0:0:0/96,64:ff9b::/96,64:ff9b:1::/48,fc00::/7,ff00::/8 -j DROP

The addresses above include loopback, translated/mapped addresses and LAN addresses.

@quaggalinux

@phantomcraft This iptables solution would be great! Thank you so much!

Indeed, and if you don't want to create a separate user just for running Glider, you can use cgroups:

Check if cgroups2 is mounted:

mount -t cgroup2

If it's not, mount it:

mkdir /sys/fs/cgroup/unified
mount -t cgroup2 -o rw,nosuid,nodev,noexec,relatime,nsdelegate cgroup2 /sys/fs/cgroup/unified

Create a cgroup:

mkdir /sys/fs/cgroup/unified/kek

Run Glider:

glider -listen socks5://127.0.0.1:1080

Move Glider PID to newly created cgroup:

echo $(pidof glider) >> /sys/fs/cgroup/unified/kek/cgroup.procs

And apply iptables rules:

iptables -A OUTPUT -m cgroup --path kek -d 127.0.0.0/8,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -j DROP
ip6tables -A OUTPUT -m cgroup --path kek -d ::1/128,::ffff:0:0/96,::ffff:0:0:0/96,64:ff9b::/96,64:ff9b:1::/48,fc00::/7,ff00::/8 -j DROP

There is a small advantage of the cgroup match over matching the UID: it will also block ICMP and other kinds of protocols that have no UID.

It seems like the cgroup solution would be better than the iptables solution.

Because the cgroup solution will not block apps other than glider from reaching private IP addresses on the same server.

You can also deny IP address ranges in the systemd .service file.

https://0pointer.net/blog/ip-accounting-and-access-lists-with-systemd.html
https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#IPAddressAllow=ADDDRESS%5B/PREFIXLENGTH%5D%E2%80%A6

Here's an example service file:

[Unit]
Description=glider service
After=multi-user.target

[Install]
WantedBy=multi-user.target

[Service]
IPAddressDeny=localhost
IPAddressDeny=169.254.0.0/16
IPAddressDeny=192.168.0.0/16
IPAddressDeny=198.18.0.0/15
IPAddressDeny=172.16.0.0/12
IPAddressDeny=100.64.0.0/10
IPAddressDeny=10.0.0.0/8
ExecStart=<glider command line goes here>
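As an added example (not code from this thread or from the glider project), the following Python checks a destination against the deny lists posted above and renders them as iptables, ip6tables and IPAddressDeny= lines, so the three variants stay consistent. It merges the IPv4 ranges from the iptables and systemd posts with the IPv6 ranges from the ip6tables post (a constructed list for this example), and it also inspects IPv4-mapped IPv6 destinations (::ffff:a.b.c.d), which a dual-stack dialer may use and which the ::ffff:0:0/96 entry covers.

```python
import ipaddress

# Deny lists assembled from the rules posted in this thread (constructed for this example).
IPV4_DENY = ["127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12",
             "169.254.0.0/16", "198.18.0.0/15", "100.64.0.0/10"]
IPV6_DENY = ["::1/128", "::ffff:0:0/96", "::ffff:0:0:0/96", "64:ff9b::/96",
             "64:ff9b:1::/48", "fc00::/7", "ff00::/8"]

NETS = [ipaddress.ip_network(n) for n in IPV4_DENY + IPV6_DENY]


def matched_range(dest: str):
    """Return the deny-list entry covering dest, or None if dest would be allowed.

    An IPv4-mapped IPv6 destination is checked both as IPv6 and as the embedded
    IPv4 address, since either form may reach the kernel depending on the dialer.
    """
    addr = ipaddress.ip_address(dest)
    candidates = [addr]
    if addr.version == 6 and addr.ipv4_mapped is not None:
        candidates.append(addr.ipv4_mapped)
    for a in candidates:
        for net in NETS:
            if a.version == net.version and a in net:
                return str(net)
    return None


def render_rules(match: str) -> list:
    """Emit the OUTPUT rules for a process match such as
    '-m owner --uid-owner kek' or '-m cgroup --path kek'."""
    return [
        f"iptables -A OUTPUT {match} -d {','.join(IPV4_DENY)} -j DROP",
        f"ip6tables -A OUTPUT {match} -d {','.join(IPV6_DENY)} -j DROP",
    ]


def render_systemd() -> list:
    """Emit the equivalent IPAddressDeny= lines for a [Service] section."""
    return [f"IPAddressDeny={n}" for n in IPV4_DENY + IPV6_DENY]


if __name__ == "__main__":
    for dest in ("10.0.0.100", "::ffff:10.0.0.1", "fe80::1", "8.8.8.8"):
        print(dest, "->", matched_range(dest))
    print("\n".join(render_rules("-m cgroup --path kek") + render_systemd()))
```

Running it also shows what the posted lists leave out: fe80::1 (link-local) returns None, because fc00::/7 does not cover fe80::/10.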

@bootrino Thank you!
Your way is easier.

@bootrino

I didn't know about this feature in systemd, thanks.

@phantomcraft systemd is amazing. You should read the docs - there's far more stuff in there that will blow your mind.

@bootrino

I have been reading dudes saying bad things about systemd and that Devuan is a better Linux distribution, but systemd for me was one of the best ideas for managing a system.

I saved the links you posted above because I'm sure I will need them someday in the future.

I think glider rules can do that as well:

forward=reject://
cidr=x.x.x.x/x

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.