Re: Detecting socks5 frames on server side

On Thu, 28 Sep 2023 18:35:33 +0200
List Support <list@xxxxxxxxxx> wrote:

> Hello,
> 
> is it possible on *socks server side* to identify frames coming using 
> socks5 ?
> 
> Set up is
> 
> . WorkStation browser set to socks5 localhost:1080 =>
> . ssh DynamicForward *:1080 to server =>
> . server with multiple ipv6 IPs and nftables will
> output to 80/443/8080 to Internet
> 
> Idea being to snat ipv6 addr depending on visited host or source Workstation

Initially, I wondered whether matching against the sshd.service group on a systemd-based distribution might be useful.

table inet filter {
	chain output {
		type filter hook output priority filter; policy accept;
		socket cgroupv2 level 2 "system.slice/sshd.service" tcp dport { 80, 443, 1080 } log
	}
}

Unfortunately, it isn't. A probable reason for this is that sshd(8) implements privilege separation by forking off a new instance of sshd(8) in the name of the connecting user.

Running sshd(8) in a dedicated network namespace could make for an idea worth exploring, though I don't think that doing so would address all of your requirements.

-- 
Kerin Millar
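
An added diagnostic, not part of the original message: it reads the cgroup v2 path of each sshd process from /proc and checks whether its level-2 ancestor equals "system.slice/sshd.service", the comparison the rule above relies on. The function names are hypothetical and the two sample paths (including UID 1000 and session-3) are constructed.

```shell
#!/bin/sh
# Added example. Approximation: nft matches the cgroup recorded on the
# socket, while this reads the cgroup of the owning process.

# Print the ancestor of cgroup path $1 at depth $2, or fail if the path
# is shallower than that.
cgroup_ancestor() {
    rest=${1#/}; level=$2; out=
    while [ "$level" -gt 0 ]; do
        [ -n "$rest" ] || return 1
        out=${out:+$out/}${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        level=$((level - 1))
    done
    printf '%s\n' "$out"
}

# $1: a "0::/path" line from /proc/PID/cgroup, $2: level, $3: rule path.
rule_matches() {
    anc=$(cgroup_ancestor "${1#0::}" "$2") || return 1
    [ "$anc" = "$3" ]
}

# List every process whose name contains "sshd" with its verdict.
report_sshd() {
    for pid in $(pgrep sshd); do
        line=$(grep '^0::' "/proc/$pid/cgroup" 2>/dev/null) || continue
        if rule_matches "$line" 2 "system.slice/sshd.service"; then
            verdict=match
        else
            verdict=no-match
        fi
        printf '%s\t%s\t%s\n' "$pid" "$verdict" "${line#0::}"
    done
}

# Constructed sample lines (not captured from a real host).
for sample in "0::/system.slice/sshd.service" \
              "0::/user.slice/user-1000.slice/session-3.scope"; do
    if rule_matches "$sample" 2 "system.slice/sshd.service"; then
        echo "match     $sample"
    else
        echo "no-match  $sample"
    fi
done
# On the server itself, call: report_sshd
```

Running report_sshd while a forwarded connection is open shows whether the process handling it is still inside the service cgroup.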


