How do I configure my SOCKS Proxy?

I know how proxy servers work inside and out in theory, but the practice is getting the best of me.

I need to configure a SOCKS proxy within the same network as my management IP so it remains abstracted from users. I have a vCenter cluster that I can deploy any recommended OS on, but to simplify here is the setup:

  • Storage system mgmt IP = 10.244.244.15
  • SUSE11 VM IP = 10.244.244.10
  • Windows XP IP = 10.244.244.5

On the SUSE system, I ran ssh -ND 1080 <user>@<storage mgmt ip>, but that didn't result in end-to-end connectivity.

I was running a tcpdump on the same port at that time and saw some traffic attempted:

17:42:26.669953 IP 10.x.x.x.54214 > x.x.com.socks: S 3287828135:3287828135(0) win 5840 <mss 1460,sackOK,timestamp 6708230 0,nop,wscale 6>
17:42:26.669968 IP x.x.com.socks > 10.x.x.x.54214: R 0:0(0) ack 3287828136 win 0

Overall Qs:

  • Less importantly, what did I do above?
  • More importantly, how can I configure a SOCKS proxy in this environment?

mbb

Posted 2011-08-16T13:21:11.967

Reputation: 2 206

Answers

The SSH connection is probably only listening on the loopback interface (127.0.0.1) due to the GatewayPorts setting in the SSHD Config. Your command will work, if GatewayPorts is set to yes.

netstat -an | grep LISTEN

will show you if it's listening on the public interface. You can force it to listen on the public interface with

ssh -ND <ip address>:<port> <user>@<host>

but only if GatewayPorts allows you to do so.

 GatewayPorts
     Specifies whether remote hosts are allowed to connect to ports
     forwarded for the client.  By default, sshd binds remote port
     forwardings to the loopback address.  This prevents other remote
     hosts from connecting to forwarded ports.  GatewayPorts can be
     used to specify that sshd should allow remote port forwardings to
     bind to non-loopback addresses, thus allowing other hosts to
     connect.  The argument may be "no" to force remote port forwardings
     to be available to the local host only, "yes" to force remote
     port forwardings to bind to the wildcard address, or
     "clientspecified" to allow the client to select the address to
     which the forwarding is bound.  The default is "no".

My guess is GatewayPorts is set to the default of no. Change it to yes (in /etc/ssh/sshd_config), and then your ssh command should work unchanged, but you can use the ip address of the interface to be specific just in case.

NB: As well as this, you should check you don't have an iptables rule blocking inbound connections.

An ssh proxy like this will work, but it might be quite slow (encryption overhead). You might want to look at a dedicated SOCKS proxy such as sSocks.

EightBitTony

Posted 2011-08-16T13:21:11.967

Reputation: 3 741
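The two checks the answer describes (is the SOCKS port bound to loopback or to a reachable address, and what does the SYN/RST pair in the question's tcpdump mean) can be scripted. The POSIX shell script below is an added example, not EightBitTony's code; the netstat lines it parses are constructed to match the question's setup (the SUSE VM 10.244.244.10), and the function names are hypothetical. One caveat worth knowing for a -D forward: ssh(1) documents the option as -D [bind_address:]port and says the local port is bound according to the client's own GatewayPorts setting (ssh_config), so passing an explicit bind address on the client command line, as socks_cmd does, is the most direct way to control where the listener ends up. Bear in mind that a SOCKS listener on a non-loopback address has no authentication of its own, so anyone who can reach that address:port can relay through the management network; bind it to the specific management address and firewall it rather than binding to 0.0.0.0.

```shell
#!/bin/sh
# Added example (not from the original answer): classify where a SOCKS
# listener is bound, interpret the tcpdump reply, and build the ssh
# command with an explicit bind address.

# Constructed sample output in the format of `netstat -an | grep LISTEN`.
# 127.0.0.1:1080 is what a plain "ssh -ND 1080" typically produces.
SAMPLE_LISTEN='tcp        0      0 127.0.0.1:1080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.244.244.10:3128      0.0.0.0:*               LISTEN'

# socks_bind_scope PORT LISTEN_OUTPUT
# Prints one of: absent, loopback, wildcard, specific.
# "loopback" means only processes on this host can use the proxy;
# "wildcard" means every host that can route to any interface can;
# "specific" means only hosts that can reach that one address can.
socks_bind_scope() {
    port=$1
    out=$2
    # 4th column of netstat -an output is the local address:port
    addr=$(printf '%s\n' "$out" | awk -v p=":$port" '$4 ~ p"$" { print $4; exit }')
    case "$addr" in
        '')              echo absent ;;
        127.*|::1:*)     echo loopback ;;
        0.0.0.0:*|:::*)  echo wildcard ;;
        *)               echo specific ;;
    esac
}

# tcp_probe_result REPLY_LINE
# Interprets the second line of a tcpdump SYN/reply pair.
# An RST ("R") back from the server means nothing is accepting on that
# address:port, which is exactly what a loopback-only listener looks like
# from another host; a SYN/ACK means a listener is present.
tcp_probe_result() {
    reply=$1
    case "$reply" in
        *" R "*|*"[R"*)        echo refused ;;   # RST: no listener reachable
        *" S "*ack*|*"[S.]"*)  echo accepted ;;  # SYN/ACK: listener present
        *)                     echo unknown ;;
    esac
}

# socks_cmd BIND_IP PORT USER HOST
# Builds the client command with an explicit bind address, which is how
# ssh(1) lets you choose the listening address for a -D forward.
socks_cmd() {
    printf 'ssh -N -D %s:%s %s@%s\n' "$1" "$2" "$3" "$4"
}

# Usage on the sample data; on a live box feed it `netstat -an | grep LISTEN`.
# (Also check `iptables -L INPUT -n` for a rule dropping the SOCKS port.)
echo "1080 is bound to: $(socks_bind_scope 1080 "$SAMPLE_LISTEN")"
echo "tcpdump reply meant: $(tcp_probe_result '17:42:26.669968 IP x.x.com.socks > 10.x.x.x.54214: R 0:0(0) ack 3287828136 win 0')"
echo "suggested command: $(socks_cmd 10.244.244.10 1080 '<user>' 10.244.244.15)"
```

Run it with `sh script.sh`; for a real check replace SAMPLE_LISTEN with the output of `netstat -an | grep LISTEN` (or `ss -ltn`, whose local-address column is the same address:port form) on the SUSE VM.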

is GatewayPorts a program call from Linux cli or a parameter of the sshd? I can look tmr but atm just thought I'd ask. Great answer nevertheless. And yes, the user is remote to the system, connecting through this system and out into the world. Speed doesn't matter, just connectivity. – mbb – 2011-08-17T02:28:14.600

@mjb - GatewayPorts is a setting in sshd_config. – EightBitTony – 2011-08-17T06:56:27.587

@8bit - I installed sSocks, tar -xvf, ./config && make ... but no ssock* in my pathway and no files in /etc for it. Help? – mbb – 2011-08-17T13:26:59.363

No idea, never used it, you'll need another question for help with that product. Did the ssh option above not work (changing GatewayPorts in sshd_config?) – EightBitTony – 2011-08-17T13:28:21.490

@8bit - ok... had to run make install. Cheers.. digging in now. – mbb – 2011-08-17T13:30:27.250

I didn't yet try the GatewayPorts edit since I was still confused on how I would configure the SOCKS proxy part... would the ssh -ND command do the trick if I made that edit? – mbb – 2011-08-17T15:50:20.737

Yes, ssh -ND will work if ssh can listen on the public interface, which in turn is decided by the GatewayPorts setting. – EightBitTony – 2011-08-17T18:37:59.263