Turn any Linux computer into SOCKS5 proxy in one command
src: http://www.catonmat.net/blog/linux-socks5-proxy/
I thought I'd do a shorter article on catonmat this time. It goes hand in hand with my upcoming article series on "100% technical guide to anonymity" and it's much easier to write larger articles in smaller pieces. Then I can edit them together and produce the final article.
This article will be interesting for those who didn't know it already -- you can turn any Linux computer into a SOCKS5 (and SOCKS4) proxy in just one command:
ssh -N -D 0.0.0.0:1080 localhost
And it doesn't require root privileges. The ssh command starts up dynamic port forwarding (-D) on port 1080 and talks to the clients via the SOCKS5 or SOCKS4 protocols, just like a regular SOCKS5 proxy would! The -N option makes sure ssh stays idle and doesn't execute any commands on localhost. If you also wish the command to go into the background as a daemon, then add the -f option:
ssh -f -N -D 0.0.0.0:1080 localhost
To use it, just point your software at the SOCKS5 proxy on your Linux computer's IP, port 1080, and you're done: all your requests now get proxied.
Access control can be implemented via iptables. For example, to allow only people from the IP 1.2.3.4 to use the SOCKS5 proxy, add the following iptables rules:
iptables -A INPUT --src 1.2.3.4 -p tcp --dport 1080 -j ACCEPT
iptables -A INPUT -p tcp --dport 1080 -j REJECT
The first rule says, allow anyone from 1.2.3.4 to connect to port 1080, and the other rule says, deny everyone else from connecting to port 1080.
Of course, executing iptables requires root privileges. If you don't have root privileges, and you don't want to leave your proxy open (and you really don't want to do that), you'll have to use some kind of a simple TCP proxy wrapper to do access control. Here, I wrote one in Perl. It's called tcp-proxy.pl and it uses IO::Socket::INET to abstract sockets, and IO::Select to do connection multiplexing.
#!/usr/bin/perl
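#

use warnings;
use strict;

use IO::Socket::INET;
use IO::Select;

# Only these source addresses may use the proxy.
my @allowed_ips = ('1.2.3.4', '5.6.7.8', '127.0.0.1', '192.168.1.2');
my $ioset = IO::Select->new;
my %socket_map;    # maps each socket to its peer on the other side of the relay

my $debug = 1;

# Open a TCP connection to the backend that traffic is relayed to.
sub new_conn {
    my ($host, $port) = @_;
    return IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port
    ) || die "Unable to connect to $host:$port: $!";
}

# Create the listening socket that clients connect to.
sub new_server {
    my ($host, $port) = @_;
    my $server = IO::Socket::INET->new(
        LocalAddr => $host,
        LocalPort => $port,
        ReuseAddr => 1,
        Listen    => 100
    ) || die "Unable to listen on $host:$port: $!";
    return $server;
}

# Accept a client, enforce the allow-list, then pair it with a backend socket.
sub new_connection {
    my $server = shift;
    my $client = $server->accept;
    my $client_ip = client_ip($client);

    unless (client_allowed($client)) {
        print "Connection from $client_ip denied.\n" if $debug;
        $client->close;
        return;
    }
    print "Connection from $client_ip accepted.\n" if $debug;

    my $remote = new_conn('localhost', 55555);
    $ioset->add($client);
    $ioset->add($remote);

    $socket_map{$client} = $remote;
    $socket_map{$remote} = $client;
}

# Tear down both halves of a relayed connection.
sub close_connection {
    my $client = shift;
    my $client_ip = client_ip($client);
    my $remote = $socket_map{$client};

    $ioset->remove($client);
    $ioset->remove($remote);

    delete $socket_map{$client};
    delete $socket_map{$remote};

    $client->close;
    # The listing on this page is cut off here. Everything below is a completion
    # so the script runs, not the author's text; the listen address 0.0.0.0:1080
    # is an assumption based on the proxy port used throughout the article.
    $remote->close;

    print "Connection from $client_ip closed.\n" if $debug;
}

# Address of the connecting peer, in dotted form.
sub client_ip {
    my $client = shift;
    return $client->peerhost // 'unknown';
}

# True if the peer's address is on the allow-list.
sub client_allowed {
    my $client = shift;
    my $client_ip = client_ip($client);
    return grep { $_ eq $client_ip } @allowed_ips;
}

my $server = new_server('0.0.0.0', 1080);
$ioset->add($server);

# Relay loop: accept new clients, copy data between paired sockets.
while (1) {
    for my $socket ($ioset->can_read) {
        if ($socket == $server) {
            new_connection($server);
            next;
        }
        next unless exists $socket_map{$socket};
        my $remote = $socket_map{$socket};
        my $read = $socket->sysread(my $buffer, 4096);
        if ($read) {
            $remote->syswrite($buffer);
        }
        else {
            close_connection($socket);
        }
    }
}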
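The two controls the article relies on, where the -D listener is bound and whether the iptables ACCEPT/REJECT pair covers port 1080, can be checked from command output. The following is an added example, not part of the original article; the function names (listener_scope, firewall_verdict, proxy_exposure) and the sample ss and iptables -S text are constructed for illustration.

```shell
# Added example, not from the article. Inputs are text shaped like the output of
# "ss -H -ltn" and "iptables -S INPUT"; the sample values below are constructed.
# listener_scope PORT SS_TEXT -> none | loopback | exposed
listener_scope() {
    printf '%s\n' "$2" | awk -v port="$1" '
        {
            n = split($4, parts, ":")            # $4 is Local Address:Port
            if (n < 2 || parts[n] != port) next
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            lo = (host ~ /^127\./ || host == "[::1]")
            if (!lo) scope = "exposed"
            else if (scope == "") scope = "loopback"
        }
        END { print (scope == "" ? "none" : scope) }'
}

# firewall_verdict PORT IPT_TEXT -> open | restricted
# Simplification: the first INPUT rule naming tcp --dport PORT without a -s match
# decides; if there is none, the chain policy (-P INPUT ...) decides.
firewall_verdict() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            src = 0; proto = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = 1; if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1); if ($i == "-j") target = $(i + 1)
            }
            if (verdict == "" && !src && proto == "tcp" && dport == port) verdict = target
        }
        END { if (verdict == "") verdict = (policy == "" ? "ACCEPT" : policy)
              print (verdict == "ACCEPT" ? "open" : "restricted") }'
}

# proxy_exposure PORT SS_TEXT IPT_TEXT -> not-listening | loopback-only | restricted | open
proxy_exposure() {
    case "$(listener_scope "$1" "$2")" in
        none)     echo "not-listening" ;;
        loopback) echo "loopback-only" ;;
        *)        firewall_verdict "$1" "$3" ;;
    esac
}

SS_WILDCARD='LISTEN 0 128 0.0.0.0:1080 0.0.0.0:*'
IPT_ARTICLE='-P INPUT ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j REJECT --reject-with icmp-port-unreachable'
proxy_exposure 1080 "$SS_WILDCARD" "$IPT_ARTICLE"   # prints: restricted
```

On a live host, pass real output instead of the samples: proxy_exposure 1080 "$(ss -H -ltn)" "$(iptables -S INPUT)" (listing iptables rules needs root).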