Tue, Nov 28, 2006 10:08 pm

Creating a Socks Proxy Server with SSH

If you would like to browse the web without revealing your actual IP address to the websites you visit, you can use SSH to set up a SOCKS proxy server.

Many web browsers, e.g. Internet Explorer, Mozilla, etc., can be configured to use a SOCKS proxy server. Other network applications which support the SOCKS protocol can also be configured to route their communications through a SOCKS proxy server.

By tunneling the SOCKS connections through an SSH connection, though, you can encrypt network traffic between the applications using SOCKS on your client system and the SOCKS proxy server so that others on the same network as your client system can not observe the traffic.

To set up a SOCKS server tunnel with SSH, issue the command ssh -ND n user@server, where "n" is the port number you wish to use and "user@server" is the userid for your account on "server", an SSH server. For instance, ssh -ND 1080 jsmith@abcd.com would establish a SOCKS proxy server on TCP port 1080 on the SSH server abcd.com, where you are logging in with the account jsmith. When you issue the command, you will be prompted for the password for the jsmith account. After you enter the password, you won't get a shell prompt from abcd.com, but you should then be able to configure your web browser to use the SOCKS proxy server running on abcd.com on port 1080.

Port 1080 is the default port for the SOCKS protocol, but you can use any port (it will have to be a port above 1024 if you are not the root user). For instance, ssh -ND 5555 jsmith@abcd.com would work just as well. You simply have to specify the selected port when configuring the applications that will use the SOCKS connection, such as your web browser. Once the SOCKS proxy server is set up on abcd.com, only you will be able to use it, through your tunneled SSH connection.

Configuring Browsers to Use SSH SOCKS Proxy Server

Internet Explorer 6.0
Firefox 2.0
Mozilla 1.7

If you want to verify that your web browser is now routing its communications through the SOCKS proxy server you can go to a website that will show the IP address websites are seeing for your system. For instance, www.showmyip.com will show your IP address. It should now show the IP address of abcd.com.

When you want to stop routing your browser's communications through the SOCKS proxy server, you can simply revert to the previous browser configuration.

Note: though your browser will now be receiving content from the websites you visit through the SOCKS proxy server running on abcd.com, and transmitting any input you provide to those websites through the SOCKS proxy server as well, your client system, i.e. the system on which you ran the ssh -ND 1080 jsmith@abcd.com command, will still be looking up the IP addresses of the websites you visit through the DNS servers specified on the client system when the SOCKS version 4 protocol is used. E.g., if you run the ssh command from mypc.mycompany.com and visit www.xyz.org, all content from www.xyz.org will be encrypted between the client system, mypc.mycompany.com, and the SOCKS server, abcd.com, so no one else at mycompany.com will be able to observe the traffic with a sniffer. All that any network administrator there will know is that you have a connection to abcd.com. However, mypc still needs to translate the name www.xyz.org to its IP address, so it will query a local name server, e.g. the mycompany.com name servers, to perform that translation. Someone sniffing traffic to or from mypc would therefore see it look up the IP address for www.xyz.org.
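
The following Python script is an added example and is not part of the original post. It shows the SOCKS exchange behind the ssh -ND command and the DNS point made in the note above: the listener that ssh -D creates is on the client side (127.0.0.1 on the chosen port, e.g. 1080 for the command above) and it speaks SOCKS4, SOCKS4a and SOCKS5. A plain SOCKS4 CONNECT request carries a 4-byte IPv4 address, so the client has to resolve the hostname itself and that lookup is visible on the client's LAN; SOCKS4a and SOCKS5 let the client send the hostname, so the name is resolved at the far end of the tunnel instead. The RecordingSocks5Server class is a constructed stand-in for the ssh listener that only records the destination the client hands it; the hostnames www.xyz.org and the 10.0.0.1 address are sample values, and nothing leaves the machine.

```python
"""Added example (not from the original post): which side of a SOCKS tunnel
resolves hostnames. The proxy below is a constructed stand-in for the
local listener that ssh -D provides; it records what the client sent."""
import socket
import struct
import threading


def recv_exact(sock, n):
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def socks4_connect(ip, port, userid=b""):
    """SOCKS4 CONNECT: the destination is an IPv4 address the client has
    already resolved, i.e. the DNS lookup happened on the client."""
    return b"\x04\x01" + struct.pack(">H", port) + socket.inet_aton(ip) + userid + b"\x00"


def socks4a_connect(host, port, userid=b""):
    """SOCKS4a CONNECT: the address 0.0.0.1 signals that a hostname follows
    after the userid, so the proxy end resolves it."""
    return (b"\x04\x01" + struct.pack(">H", port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + host.encode("idna") + b"\x00")


def socks5_connect(host, port):
    """SOCKS5 CONNECT with ATYP 0x03 (domain name): the proxy end resolves it."""
    name = host.encode("idna")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def socks5_client_handshake(sock, host, port):
    """Client side of RFC 1928: negotiate no-auth, then CONNECT by hostname.
    Returns True when the proxy reports success."""
    sock.sendall(b"\x05\x01\x00")                 # VER=5, one method: no auth
    ver, method = recv_exact(sock, 2)
    if ver != 5 or method != 0:
        return False
    sock.sendall(socks5_connect(host, port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != 5 or rep != 0:
        return False
    # Consume BND.ADDR and BND.PORT so the socket is positioned at application data.
    if atyp == 1:
        recv_exact(sock, 4 + 2)
    elif atyp == 3:
        recv_exact(sock, recv_exact(sock, 1)[0] + 2)
    elif atyp == 4:
        recv_exact(sock, 16 + 2)
    return True


class RecordingSocks5Server(threading.Thread):
    """Constructed stand-in for the ssh -D listener: serves one SOCKS5
    handshake and records the destination exactly as the client sent it."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))     # ephemeral local port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.destination = None

    def run(self):
        conn, _ = self.listener.accept()
        with conn:
            nmethods = recv_exact(conn, 2)[1]
            recv_exact(conn, nmethods)
            conn.sendall(b"\x05\x00")               # choose no-auth
            atyp = recv_exact(conn, 4)[3]
            if atyp == 3:                            # hostname: a real proxy would resolve it here
                host = recv_exact(conn, recv_exact(conn, 1)[0]).decode("idna")
            elif atyp == 1:                          # literal IPv4: the client resolved it
                host = socket.inet_ntoa(recv_exact(conn, 4))
            else:
                host = "unsupported"
            port = struct.unpack(">H", recv_exact(conn, 2))[0]
            self.destination = (host, port)
            conn.sendall(b"\x05\x00\x00\x01" + b"\x00" * 4 + b"\x00\x00")  # success reply
        self.listener.close()


def connect_through_proxy(host, port):
    """Run the exchange end to end and return (success, what the proxy saw)."""
    server = RecordingSocks5Server()
    server.start()
    with socket.create_connection(("127.0.0.1", server.port)) as sock:
        ok = socks5_client_handshake(sock, host, port)
    server.join(timeout=5)
    return ok, server.destination


if __name__ == "__main__":
    print(connect_through_proxy("www.xyz.org", 80))   # (True, ('www.xyz.org', 80))
```

The recorded destination is the unresolved name, which is what you want when the point of the tunnel is to keep the client's LAN from seeing which sites are visited; a browser configured to use the proxy as SOCKS4 would instead hand it a resolved address and the lookup would show up on the local name server as described above.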

I've found this procedure works when the SSH server is running OpenSSH, even OpenSSH for Windows. It also worked when I tried connecting to a Sun Solaris 2.7 system running Sun_SSH_1.1.

References:

  1. SOCKS, Wikipedia
  2. Tunnel Everything through SSH, by Julius Plenz, March 2, 2006


Thu, Dec 01, 2005 12:04 am

Adding Firewall Rules to a Windows XP Professional System via the Command Line

I needed to test access to a website from another location. I had installed AnalogX's proxy server software, Proxy, on a Windows XP Professional Service Pack 2 system at another location and had also installed OpenSSH for Windows on the same system. But I hadn't configured Windows XP's firewall software on that system to allow me to access the HTTP or Socks proxy services on the system from a remote location. So I could connect to the system via SSH and start the proxy software from the command line interface, but I couldn't access either the Socks proxy service, which I had configured to listen on port 56080, or the HTTP proxy service, which I had configured to listen on port 56588 (see AnalogX Proxy for information on how to configure AnalogX's proxy software to listen on alternative ports).

Fortunately, you can modify the Windows XP firewall configuration from the command line. I entered the following command to add a firewall opening for TCP port 56080 (you will see an "OK" when the command is completed). After "portopening", you specify the protocol, i.e. "TCP", "UDP", or "All" for both, then the port number, then a name of your choosing. Unless you specify otherwise, the port will be opened so that any IP address can access it, i.e. anyone in the world who can access the system can access the port. So you might want to add the "scope" parameter to the command as well. You can issue the command netsh firewall set portopening to see all of the options.

C:\Documents and Settings\Administrator>netsh firewall set portopening TCP 56080 Proxy
Ok.

To specify that only certain IP addresses are allowed to access the port, which is certainly desirable for any proxy service, you can use a command like the following instead.


netsh firewall set portopening protocol = TCP port = 56080 name = Proxy mode = ENABLE scope = CUSTOM addresses = 157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet

If the example immediately above were used, then 157.60.0.1 could access the port, as could the three specified subnets, the last of which (LocalSubnet) covers any systems on the LAN.

After opening the appropriate firewall rule, I then started the proxy program from the command line.

C:\Documents and Settings\Administrator>"\program files\proxy\proxy"

To verify that the system was actually listening on the port I expected I used the netstat and find commands.


C:\Documents and Settings\Administrator>netstat -a | find "56080"
  TCP    HomeGarden:56080    HomeGarden:0        LISTENING

To verify the firewall rules have been updated appropriately as well, you can use the netsh firewall show portopening command.


C:\Documents and Settings\Administrator>netsh firewall show portopening

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
21599  TCP       Enable   SSH
56080  TCP       Enable   Proxy
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP
3389   TCP       Enable   Remote Desktop

When you want to disable the rule you can use the same command as the one you used to enable the firewall rule, but put "disable" at the end of it.

C:\Documents and Settings\Administrator>netsh firewall set portopening TCP 56080 Proxy disable
Ok.

You can verify the rule is no longer there with the "show portopening" option again.


C:\Documents and Settings\Administrator>netsh firewall show portopening

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
21599  TCP       Enable   SSH
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP
3389   TCP       Enable   Remote Desktop
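
Checking the two listings above by eye works for a handful of rules, but it does not scale and is easy to get wrong. The following Python script is an added example and is not part of the original post: it parses the output of netsh firewall show portopening into a per-profile map and diffs two snapshots, so adding or disabling a port opening can be verified by a script. The two snapshot strings are constructed from the before and after output shown above (same ports and rule names); in practice you would capture them with netsh firewall show portopening > before.txt and after.txt, or read them from the command's standard output.

```python
"""Added example (not from the original post): parse and diff
'netsh firewall show portopening' output. Sample text is constructed
from the listings in the post."""
import re

SHOW_BEFORE = """\
Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
21599  TCP       Enable   SSH
56080  TCP       Enable   Proxy
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP
3389   TCP       Enable   Remote Desktop
"""

SHOW_AFTER = """\
Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
21599  TCP       Enable   SSH
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP
3389   TCP       Enable   Remote Desktop
"""

PROFILE_RE = re.compile(r"^Port configuration for (\S+) profile:")
RULE_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(\w+)\s+(.*\S)\s*$")


def parse_portopening(text):
    """Return {profile: {(port, protocol): (mode, name)}} from the listing.
    Header and separator lines do not match RULE_RE and are skipped."""
    rules = {}
    profile = None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)
            rules[profile] = {}
            continue
        m = RULE_RE.match(line)
        if m and profile is not None:
            port, proto, mode, name = m.groups()
            rules[profile][(int(port), proto)] = (mode, name)
    return rules


def is_open(rules, port, protocol="TCP", profile="Standard"):
    """True when the port has an enabled opening in the given profile.
    Windows XP applies the Standard profile when the machine is not on its
    domain network, which is the case that matters for remote access."""
    entry = rules.get(profile, {}).get((port, protocol))
    return entry is not None and entry[0].lower() == "enable"


def diff_portopenings(before, after):
    """Return (added, removed) as sets of (profile, port, protocol)."""
    def keys(rules):
        return {(prof, port, proto) for prof, r in rules.items() for (port, proto) in r}
    b, a = keys(before), keys(after)
    return a - b, b - a


if __name__ == "__main__":
    before = parse_portopening(SHOW_BEFORE)
    after = parse_portopening(SHOW_AFTER)
    print("56080/TCP open before:", is_open(before, 56080))   # True
    print("56080/TCP open after: ", is_open(after, 56080))    # False
    print("added, removed:", diff_portopenings(before, after))
```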


Sun, Jun 26, 2005 11:35 pm

Configuring AnalogX Proxy

If you need to configure a Windows system as a proxy server, you can use AnalogX Proxy, which is available for free.

AnalogX Proxy provides the following proxy services using the ports listed below:

    HTTP    (web browsers)                  (port 6588)
    HTTPS   (secure web browsers)           (port 6588)
    SOCKS4  (TCP proxying)                  (port 1080)
    SOCKS4a (TCP proxying w/ DNS lookups)   (port 1080)
    SOCKS5  (only partial support, no UDP)  (port 1080)
    NNTP    (usenet newsgroups)             (port 119)
    POP3    (receiving email)               (port 110)
    SMTP    (sending email)                 (port 25)
    FTP     (file transfers)                (port 21)

It is possible to change the ports used by AnalogX Proxy for the various proxy services it supports.
