newspaint

Documenting Problems That Were Difficult To Find The Answer To

Setting Up A Socks Proxy Tunnelling Through Multiple SSH Servers

In this example we will connect:

 +-----------+             +---------+
 | localhost |             | server1 |
 |>1234      |-----> 11000 |>11000   |
 +-----------+             +---------+
                             |
                             V
                           12000
 +-----------+             +---------+
 | server3   |             |>12000   |
 |     SOCKS<| SOCKS <---- |server2  |
 +-----------+             +---------+
   |
   V
 INTERNET

…using this command…

  ssh -A -t -L1234:localhost:11000 me@server1 \
    'ssh -A -t -L11000:localhost:12000 me@server2 \
      ''ssh -A -t -D12000 me@server3'' \
    '

Add -v for verbose output, and -p <port_num> on any hop whose sshd does not listen on port 22. The -t flags force a pseudo-tty on each hop so that the nested ssh can prompt for a password. The -A flags forward your ssh-agent to every hop: while the session is open, anyone with root on server1 or server2 can sign with your keys through the forwarded socket, so drop -A if the hops can authenticate to each other on their own. Note also that the -L and -D listeners bind to each host's loopback interface by default, so other local users on server1 and server2 can reach them.

This sets up a SOCKS proxy on port 1234 of localhost; any traffic sent to that proxy leaves for the Internet from server3.

The inner quoting is not strictly necessary. Inside a single-quoted string each '' simply closes and reopens the quote, so server1's shell receives the same unquoted words either way. The command can therefore be written as:

  ssh -A -t -L1234:localhost:11000 me@server1 \
    ssh -A -t -L11000:localhost:12000 me@server2 \
      ssh -A -t -D12000 me@server3

Some Assistance To Understanding

The -D port_num option makes ssh listen on port_num on the local side of the connection and act as a SOCKS server (SOCKS4 and SOCKS5). Each connection accepted there is carried through the SSH session and opened from the connected-to SSH server, so that server is where the traffic reaches the Internet.

To reach that SOCKS port on the last server we need a point-to-point port forward through each intermediate host, which is what the -L option provides. -L localport:endhost:endport means: any TCP connection made to localport on the local side is carried through the SSH session, and the remote SSH server then connects it to endhost:endport as seen from that server. In the example each hop's -L points at the next hop's listener: 1234 on localhost feeds 11000 on server1, 11000 on server1 feeds 12000 on server2, and 12000 on server2 is the -D SOCKS listener of the session to server3. Because every listener lives on the loopback interface of the host that created it, endhost is always localhost.
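The chain above is three instances of one pattern: every intermediate hop gets -L<incoming port>:localhost:<next port>, and the last hop gets -D<incoming port>. The following added example (not from the original post) builds that command line for any number of hops, so it covers both the three-server command above and the two-server PuTTY case that follows. Hop names such as me@server1, the port base 10000 and the use of https://example.com as the check URL are placeholders; -A is left out on purpose, so each hop must authenticate to the next one itself, which the -t flags allow interactively.

```shell
#!/bin/sh
# Added example, not from the original post: generate the nested ssh command
# for an arbitrary list of hops instead of writing it out by hand.
# Assumptions: hop names (me@server1 ...) and port numbers are placeholders.
# -A (agent forwarding) is deliberately omitted; -t is kept so each nested ssh
# can prompt for a password on the tty of the previous hop.

# build_chain LOCAL_PORT PORT_BASE user@hop1 [user@hop2 ...]
# Prints one command line that opens a SOCKS listener on LOCAL_PORT on this
# machine and exits to the Internet from the last hop. Hop i (counting from 1)
# listens on PORT_BASE + i*1000, so with PORT_BASE=10000 the listeners are
# 11000, 12000, ... exactly as in the diagrams above.
build_chain() {
    local_port=$1
    port_base=$2
    shift 2
    hops=$#
    i=1
    in_port=$local_port   # port the previous stage forwards into this hop
    cmd=""
    for hop in "$@"; do
        if [ "$i" -eq "$hops" ]; then
            # last hop: dynamic forward, the SOCKS listener the chain ends in
            cmd="$cmd ssh -t -D$in_port $hop"
        else
            # intermediate hop: point-to-point forward onto the next listener
            out_port=$((port_base + i * 1000))
            cmd="$cmd ssh -t -L$in_port:localhost:$out_port $hop"
            in_port=$out_port
        fi
        i=$((i + 1))
    done
    printf '%s\n' "${cmd# }"
}

# socks_check PORT URL: fetch URL through the local SOCKS listener and print
# the HTTP status. --socks5-hostname makes curl hand the hostname to the proxy
# so that DNS is resolved at the exit hop rather than leaking from this PC.
# Needs a live chain, so it is not exercised by the tests.
socks_check() {
    curl -sS --socks5-hostname "127.0.0.1:$1" -o /dev/null -w '%{http_code}\n' "$2"
}

# Usage: print the command for the three-hop chain, run it in a terminal,
# then confirm the proxy answers (200 means the whole chain is up):
#   build_chain 1234 10000 me@server1 me@server2 me@server3
#   socks_check 1234 https://example.com
if [ $# -gt 0 ]; then
    build_chain "$@"
fi
```

The generated line can be pasted into a terminal as-is. On OpenSSH 7.3 or later the same result is available without any listening ports on the intermediate hosts: ssh -J me@server1,me@server2 -D1234 me@server3 chains the hops over stdio forwarding and opens the SOCKS listener locally.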

Starting With Putty

Imagine you have a Windows PC. You want a SOCKS proxy on port 1234 of your PC (with Firefox's SOCKS proxy set to 127.0.0.1:1234) but have it tunnelled through two Linux computers before your packets enter the Internet.

 +-----------+             +---------+
 | localhost |             | server1 |
 |>1234      |-----> 11000 |>11000   |
 +-----------+             +---------+
                             |
                             V
                           SOCKS
                           +---------+
                           |>SOCKS   |
            INTERNET <---- |server2  |
                           +---------+

Set up your PuTTY session to server 1 as usual, then under Connection > SSH > Tunnels add a Local forward with Source port 1234 and Destination localhost:11000, as follows:

Set Up A Local Tunnel From Your Local SOCKS Proxy Port To Port On First Linux Server

When you press the Add button your configuration screen will look like the following:

Putty Tunnelling Screen After Adding Local Tunnel Rule

Save your session settings as you usually would. Then, when you open the session, type the following on server 1:

ssh -D11000 me@server2

This connects server 1 to server 2, the server whose address your traffic will appear to come from on the Internet. The -D11000 makes the ssh client on server 1 listen on port 11000, the port that connections to 1234 on your PC are forwarded to, and carries each connection through to server 2, which opens it onto the Internet.

In other words, server 2 is the SOCKS proxy; you have just built a longer tunnel from your local host to reach it.

One response to “Setting Up A Socks Proxy Tunnelling Through Multiple SSH Servers”

  1. Dave February 7, 2013 at 3:01 am

    This is the most awesomest thing ever. Combine it with a little program called Proxifier, and nobody can snoop on your internet activities ever!
