From 8ba1b9df640af875e5f3a3b17b6cf5e1b88ec8a5 Mon Sep 17 00:00:00 2001 From: BlueN Date: Thu, 10 Oct 2013 19:21:48 +0800 Subject: [PATCH 1/2] deny localhost and localnet access on server --- shadowsocks/server.py | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/shadowsocks/server.py b/shadowsocks/server.py index eaf37a1..ff7d974 100755 --- a/shadowsocks/server.py +++ b/shadowsocks/server.py @@ -120,12 +120,19 @@ class Socks5Server(SocketServer.StreamRequestHandler): # Connection refused logging.warn(e) return + addr = remote.getpeername()[0] + if not ALLOW_LOCAL: + for ip in LOCAL_ADDR: + if addr.startswith(ip): + logging.warn('%s is denied.' % addr) + return + self.handle_tcp(sock, remote) except socket.error, e: logging.warn(e) def main(): - global SERVER, PORT, KEY, METHOD, IPv6 + global SERVER, PORT, KEY, METHOD, IPv6, ALLOW_LOCAL, LOCAL_ADDR logging.basicConfig(level=logging.DEBUG, format='%(asctime)s %(levelname)-8s %(message)s', @@ -142,9 +149,14 @@ def main(): KEY = None METHOD = None IPv6 = False + ALLOW_LOCAL = False + LOCAL_ADDR = ('127.', '10.', '169.254.', '172.16', '172.17', '172.18', + '172.19.', '172.20.', '172.21.', '172.22.', '172.23.', + '172.24.', '172.25.', '172.26.', '172.27.', '172.28.', + '172.29.', '172.30.', '172.31.', '192.168.', '::1') config_path = utils.find_config() - optlist, args = getopt.getopt(sys.argv[1:], 's:p:k:m:c:6') + optlist, args = getopt.getopt(sys.argv[1:], 's:p:k:m:c:6:l') for key, value in optlist: if key == '-c': config_path = value @@ -154,7 +166,7 @@ def main(): config = json.load(f) logging.info('loading config from %s' % config_path) - optlist, args = getopt.getopt(sys.argv[1:], 's:p:k:m:c:6') + optlist, args = getopt.getopt(sys.argv[1:], 's:p:k:m:c:6:l') for key, value in optlist: if key == '-p': config['server_port'] = int(value) 
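Review bot: The deny check in the first hunk is applied only after `remote` is already connected (`getpeername()` requires an established socket), so the server still completes a TCP handshake with the loopback or private-network target before it refuses to relay, and the denied `remote` socket is then dropped without `remote.close()`. The durable fix is to resolve and test the destination before the connect, which presumably happens in the lines above this hunk (the "Connection refused" branch suggests so); within the hunk, at least close the socket on the deny path. If `remote` can be an AF_INET6 socket (the file has a `-6` mode, per the `global` line), an IPv4 destination would be reported as `::ffff:127.0.0.1`, which no entry in `LOCAL_ADDR` matches, so strip the IPv4-mapped prefix before comparing; `str.startswith` also takes the tuple directly, removing the loop. The enclosing handler method and its `try` start before this hunk.
```python
            addr = remote.getpeername()[0]
            # IPv4-mapped IPv6 peers (::ffff:a.b.c.d) must be compared as IPv4
            if addr.startswith('::ffff:'):
                addr = addr[len('::ffff:'):]
            if not ALLOW_LOCAL and addr.startswith(LOCAL_ADDR):
                logging.warn('%s is denied.' % addr)
                remote.close()
                return
            # … unchanged: self.handle_tcp(sock, remote) …
```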
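Review bot: The new getopt string `'s:p:k:m:c:6:l'` puts the colon after `6`, which makes `-6` require an argument, so `ssserver -6` now fails with `GetoptError`, while `-l` was the option meant to be argument-less; it should read `'s:p:k:m:c:6l'`, and the identical string is repeated in the second `getopt` call in the following hunk. In `LOCAL_ADDR`, `'172.16'`, `'172.17'` and `'172.18'` lack the trailing dot the other entries carry, so they also match the public ranges `172.160.0.0`–`172.189.255.255`. Because the filter is a string-prefix match rather than a netmask comparison, it also leaves `0.0.0.0` (which reaches the local host on Linux) and the IPv6 link-local `fe80::/10` and unique-local `fc00::/7` ranges reachable; a prefix table cannot express those cleanly, so a `socket.inet_pton`-plus-mask comparison would be the robust replacement. `main()` continues outside the hunk.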
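Review bot: The second `getopt` call carries the same `'s:p:k:m:c:6:l'` string as the first, with the same defect: the colon after `6` turns `-6` into an option that requires an argument, so it should be `'s:p:k:m:c:6l'`. Since the option string must now be kept in sync across two calls, hoisting it into one module-level constant such as `OPTSTRING = 's:p:k:m:c:6l'` used by both would stop them drifting. `main()` starts and continues outside this hunk.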
@@ -166,11 +178,16 @@ def main(): config['method'] = value elif key == '-6': IPv6 = True + elif key == '-l': + ALLOW_LOCAL = True SERVER = config['server'] PORT = config['server_port'] KEY = config['password'] METHOD = config.get('method', None) + if 'allow_local' in config: + if config['allow_config']: + ALLOW_LOCAL = True if not KEY and not config_path: sys.exit('config not specified, please read https://github.com/clowwindy/shadowsocks') From f45bc99d927bafe9b8d32f966a2233f21b294ff3 Mon Sep 17 00:00:00 2001 From: BlueN Date: Thu, 10 Oct 2013 19:35:49 +0800 Subject: [PATCH 2/2] update README for allow_local --- README.md | 1 + README.rst | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index 728f796..68a484c 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,7 @@ Explanation of the fields: password a password used to encrypt transfer timeout in seconds method encryption method, "bf-cfb", "aes-256-cfb", "des-cfb", "rc4", etc. Default is table, which is not secure. "aes-256-cfb" is recommended + allow_local true if you need to proxy localhost or localnet (e.g. 192.168.1.2). `cd` into the directory of `config.json`. Run `ssserver` on your server. To run it in the background, run `nohup ssserver > log &`. diff --git a/README.rst b/README.rst index 8b32c51..6e3cd3b 100644 --- a/README.rst +++ b/README.rst @@ -48,6 +48,7 @@ Explanation of the fields: password a password used to encrypt transfer timeout in seconds method encryption method, "bf-cfb", "aes-256-cfb", "des-cfb", "rc4", etc. Default is table + allow_local true if you need to proxy localhost or localnet (e.g. 192.168.1.2). ``cd`` into the directory of ``config.json``. Run ``ssserver`` on your server. To run it in the background, run ``nohup ssserver > log &``.
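Review bot: The config branch tests `'allow_local' in config` but then reads `config['allow_config']`, so any config.json that sets the documented `allow_local` key raises `KeyError` at startup instead of enabling local access; replace the two lines with `if config.get('allow_local'): ALLOW_LOCAL = True`. A short comment above it, such as `# allow_local: opt in to proxying loopback/private destinations (default is deny)`, would record that this is an opt-in override of the new default-deny behaviour. The `if not KEY` check that follows and the rest of `main()` run past the end of the hunk.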