23/04/2007
socks5 over ssh
Scenario: A client behind a firewall that allows ssh and http outgoing traffic but blocks everything else (eg. the wireless network of cs.uoi.gr). A non-firewalled server running sshd somewhere on planet earth.
How:
a) download/install dante on the server.
b) edit /etc/socks/sockd.conf
internal: 127.0.0.1 port = SOCKS.LISTENING.PORT
external: REAL.SERVER.IP
clientmethod: none
method: none
client pass { from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0 }
pass { from: 127.0.0.0/8 to: 0.0.0.0/0 protocol: tcp udp }
user.privileged: SOCKS-USER
user.notprivileged: SOCKS-USER
user.libwrap: SOCKS-USER
c) start dante
d) from the client machine:
ssh USERNAME@REAL.SERVER.IP -L:SOCKS.LISTENING.PORT:127.0.0.1:SOCKS.LISTENING.PORT
more on ssh port forwarding
e) Use socks5 proxy:
host 127.0.0.1
port SOCKS.LISTENING.PORT
with your favorite program.
Notes:
REAL.SERVER.IP = I really hope I don’t need to explain this.
SOCKS.LISTENING.PORT = the port that the socks server will listen. Try a non-priviledged port like 33333.
SOCKS-USER = the username that the socks server will run under (on gentoo this is: sockd). Don’t use root. Just don’t.
Tip: You don’t need to use the same listening port for the socks server and for the local redirection port. It’s just for ease of use.
Results: Internet access though socks5 proxy over an ssh (encrypted!) connection. The socks server is not accessible to the world since it only listens for connections on the local loopback interface of the server.
Filed by kargig at 18:49 under Encryption,Linux
8 Comments | 29,901 views
Thank you sir
After a server reboot I suddenly lost my socks server and had no idea why (apparently an emerge dante-sockd killed my config). This was just what I needed.
A non-firewalled server running sshd somewhere on planet earth …. and other dante server?, thanks
You need to create a tunnel between you and a non-firewalled ssh server that does not filter your traffic.
That means that you must have an account and/or control a server somewhere that does not filter traffic so the tunneled data from you to the world through the ssh tunnel don’t get filtered at the end of the tunnel.
Hey,
what do I have to insert in my Firefox settings?
I used the above ones, but I don’t get any connection with miy FF 🙁
Firefox needs a http proxy server. I don’t know whether it can work with socks. Never tested it. If it doesn’t work just set up a squid server on the machine you run the sshd server and point firefox to use the port of the squid server.
I’m wondering what would be the advantage using Dante to OpenSSH server. The only thing I can think of is more control over the remote server.
You can do the same without installing anything on the server:
ssh -D 1080 USERNAME@REAL.SERVER.IP
then socks5 is listening at your localhost
As people mentioned, if you just want a simple, secure (encrypted), general purpose SOCKS proxy, you can just create an SSH tunnel:
ssh -D 1080 user@yourserver.com
Tunneling Dante over SSH, however, does have its uses.
For instance if you need more control over the proxy (block certain sites, etc.).
Another would be if you require authentication. Think of a shared linux box but you only want to give certain users access to your SOCKS tunnel, whereas “ssd -D 1080” will, and correct me if I’m wrong, give everyone on the system access as long as they can access port 1080.
Finally, it can make it possible to use multiple WAN IP addresses if your server has more than one. Not something you can do with OpenSSH as far as I’m aware.
This is something I needed to do and eventually figured out how. Thought I’d share in case it helps someone who lands here via Google. Tested on 64bit CentOS and Dante 1.4.2. Don’t forget to replace the “_IP_ADDRESS_OF_eth0:X_” parts with your own server’s IPs.
sockd.conf:
logoutput: syslog stdout stderr /var/log/sockd.log
internal: eth0:0 port = 1080
internal: eth0:1 port = 1080
internal: eth0:2 port = 1080
external: eth0:0
external: eth0:1
external: eth0:2
external.rotation: same-same
user.privileged: root
user.unprivileged: sockd
#user.libwrap: sockd
clientmethod: none
socksmethod: none
client pass {
from: _IP_ADDRESS_OF_eth0:0_/32 to: 0.0.0.0/0
log: error # connect disconnect
}
client pass {
from: _IP_ADDRESS_OF_eth0:1_/32 to: 0.0.0.0/0
log: error # connect disconnect
}
client pass {
from: _IP_ADDRESS_OF_eth0:2_/32 to: 0.0.0.0/0
log: error # connect disconnect
}
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: bind connect udpassociate
log: error # connect disconnect iooperation
}
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: bindreply udpreply
log: error # connect disconnect iooperation
}
Then just create 3 local tunnels, one for each IP:
ssh -L 10801:_IP_ADDRESS_OF_eth0:0_:1080 -L 10802:_IP_ADDRESS_OF_eth0:1_:1080 -L 10803:_IP_ADDRESS_OF_eth0:2_:1080
You now have 3 x SOCKS proxies (ports 10801, 10802 and 10803). If you want to add authentication (user/pass) that’s a bit of extra work. You’d have to google it but I doubt it’s THAT much extra work.