9

Is there any easy way to route all traffic through an SSH proxy with -D?

I can configure individual specific applications to do this, but I would like a configuration that routes all the traffic on the machine. Thanks for your help!

grm
  • Forgot to say that I was on Linux, so ideally something by which I can route using iptables. – grm Feb 23 '10 at 08:13

5 Answers

10

In Linux:

  1. iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -j REDIRECT --to 1081
  2. Run a program that listens on 1081, retrieves the actual, non-redirected destination address, negotiates with the SOCKS server and relays.

I have written such a program for private use in Perl (prototype quality) and am writing a better version in C. It is not yet published.

Update: now published: http://github.com/vi/socksredirect/ Use prototype.pl. Send me a note if you are interested in the development of a better version.

Update 2: Created a slightly better version of it: http://github.com/vi/tcpsocks and a patch for Socat 2: http://github.com/vi/socksredirect/blob/master/socat-2.0.0-b3-REDIRECT.patch

P.S. Most of my (and sometimes some of my neighbours') traffic now goes through tcpsocks->ssh.

Vi.
  • Very interesting project Vi. Thanks! I will give this a look. – grm Mar 15 '10 at 11:19
  • You should probably use more iptables rules to select which traffic you want to be socksified. I use "iptables -t nat -A OUTPUT -j QQQ", then a bunch of "iptables -t nat -A QQQ -j RETURN" and finally "iptables -t nat -A QQQ -p tcp -j REDIRECT --to 1234". – Vi. Mar 15 '10 at 11:53
  • Thank you! I've been wondering if this was doable, it was on my loong list of project ideas to try sometime. – Tobu Nov 19 '10 at 21:39
  • @Tobu, I have implemented this more: now there is a Socat patch (https://github.com/vi/socksredirect/blob/master/socat-2.0.0-b3-REDIRECT.patch) for this and also light-weight tcpsocks program (https://github.com/vi/tcpsocks) – Vi. Nov 20 '10 at 14:40
  • See related: https://github.com/apenwarr/sshuttle – ephemient Nov 20 '10 at 18:27
  • @Vi. Why not create a tun device, rather than using `REDIRECT`? – Tanmay Dec 28 '16 at 20:07
  • @Tanmay, with a tun device you will see just TCP packets and it would be tricky to decode them into a stream of bytes (you would need something like `slirp`). With REDIRECT or TPROXY you just use the usual `recv`, which gives you decoded data without TCP headers. – Vi. Dec 28 '16 at 21:05
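The two-step recipe in this answer (REDIRECT everything to a local port, then a listener that recovers the real destination and speaks SOCKS to the `ssh -D` port) as an added Python example; this is not Vi's Perl or C program. It assumes the `ssh -D` listener is on 127.0.0.1:1080 and uses the Linux `SO_ORIGINAL_DST` getsockopt (option number 80) to read the pre-REDIRECT destination; neither value appears in the answer.

```python
import selectors, socket, struct, threading
SO_ORIGINAL_DST = 80                        # assumed: netfilter getsockopt number, not from the answer
SOCKS_HOST, SOCKS_PORT = "127.0.0.1", 1080  # assumed: where `ssh -D 1080 host` is listening
LISTEN_PORT = 1081                          # the REDIRECT --to 1081 target from the answer

def parse_original_dst(raw: bytes) -> tuple[str, int]:
    """Decode struct sockaddr_in: sin_family (host order), sin_port and sin_addr (network order)."""
    if struct.unpack("=H", raw[:2])[0] != socket.AF_INET:
        raise ValueError("only IPv4 is handled here")
    return socket.inet_ntoa(raw[4:8]), struct.unpack("!H", raw[2:4])[0]

def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928): VER=5 CMD=1 RSV=0 ATYP=1 (IPv4), DST.ADDR, DST.PORT."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(host) + struct.pack("!H", port)

def socks5_connect(host: str, port: int) -> socket.socket:
    """Open a tunnel to host:port through the SOCKS listener (NO AUTH method only)."""
    s = socket.create_connection((SOCKS_HOST, SOCKS_PORT))  # loopback, so the REDIRECT rule skips it
    s.sendall(b"\x05\x01\x00")  # greeting: one method offered, 0x00 = no authentication
    if s.recv(2) == b"\x05\x00":  # server accepted NO AUTH
        s.sendall(socks5_connect_request(host, port))
        if s.recv(10)[:2] == b"\x05\x00":  # reply: VER REP RSV ATYP BND.ADDR BND.PORT; REP 0 = ok
            return s
    s.close()
    raise ConnectionError(f"SOCKS5 CONNECT to {host}:{port} failed")

def relay(a: socket.socket, b: socket.socket) -> None:
    """Pump bytes both ways until either side sends EOF, then close both."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, data=b)  # data = the peer to write to
    sel.register(b, selectors.EVENT_READ, data=a)
    while True:
        for key, _ in sel.select():
            chunk = key.fileobj.recv(65536)
            if not chunk:
                a.close(); b.close(); return
            key.data.sendall(chunk)

def handle(client: socket.socket) -> None:
    """Recover the pre-REDIRECT destination of an accepted connection and splice it to SOCKS."""
    host, port = parse_original_dst(client.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))
    try:
        relay(client, socks5_connect(host, port))
    except OSError:
        client.close()

if __name__ == "__main__":
    with socket.create_server(("127.0.0.1", LISTEN_PORT)) as srv:
        while True:
            threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
```

Because the answer's rule excludes 127.0.0.0/8, the relay's own connection to the SOCKS port is not redirected back into it. The REDIRECT covers TCP only, so UDP (notably DNS) still leaves the machine directly.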
8

Avery Pennarun's sshuttle works similarly to Vi's answer, but requires less setup and works on BSD and OS X as well as Linux.

ephemient
2

Maybe you should consider setting up a VPN instead.

Espennilsen
  • Wouldn't that require more access on the gateway side? – grm Feb 23 '10 at 08:14
  • I got a VPN server (poptop) set up at home on Ubuntu. And at work I just use the built-in VPN client in Windows to connect to it. No bothering my network administrator or anything. – Espennilsen Feb 23 '10 at 08:53
1

I don't think there's any way to do this, but maybe you can try programs like FreeCap (Windows), SocksCap (Windows) or proxychains (Linux). These programs may help you a little bit.

0

It depends which OS you are using. If you are on MacOS there are global proxy settings which should be used by every application, even though there are some that don't honor them (Firefox, for example).

Sideshowcoder