How to chain SOCKS proxies?

10

6

Preface: What I’m looking for are explicit instructions, in the same format as above. That is, something like run: “…run command X on machine A, then command Y on machine B…”

I have a working socks proxy from my laptop (machine A) to machine B:

[A]$ ssh -ND 8888 B

I can set up Firefox to use SOCKS proxy on A’s local port 8888, and browsing on A works. So far so good.

But I also have a socks proxy between machines B and C:

[B]$ ssh -ND 8157 C

So I can browse on B as if I were on C, setting B’s Firefox socks proxy to 8157.

Is there a way to chain the two proxies so that I’m able to use Firefox locally (on A) while using the connection to C?

That is, somehow forward all Firefox’s socks requests all the way from A to C. A and C cannot see each other directly, but I have full root SSH access everywhere. All machines are Debian.

Note that I don’t want to forward a single port like port 80 but I want a fully chained SOCKS proxy.

user124114

Posted 2014-11-05T12:47:16.433

Reputation: 473

shouldn't you just do -L 8888:B:8157 on [A]? – bdecaf – 2014-11-05T12:52:29.180

@bdecaf In addition to the given commands? Instead? No changes to Firefox settings? – user124114 – 2014-11-05T12:54:30.987

Just for [A]. The rest as you describe. – bdecaf – 2014-11-05T16:02:30.500

ssh -L 8888:B:8157 fails, requires a hostname parameter. Can you give a more complete, end-to-end answer? If it works, I'll accept. – user124114 – 2014-11-05T17:24:07.480

is B really the name of your machine? – bdecaf – 2014-11-05T22:08:04.890

OK, I give up; with that information I can't even guess what is required. – bdecaf – 2014-11-07T22:54:44.523

It is unclear whether you mean Transparent Multi-hop SSH, or perhaps Chaining proxies using a tool such as ProxyChains. Let me know if one of these works for you.

– harrymc – 2014-11-21T19:46:17.223

If you decide to answer my above comment, please let us also know which operating-systems are involved in A,B,C. – harrymc – 2014-11-24T09:35:50.153

Answers

11

Just confirmed this worked with some VMs:

[A]$ ssh -tt -v -L8888:localhost:8157 user@B ssh -t -D 8157 user@C

From A, you open up a port forward tunnel from 8888 locally to 8157 on B -L8888:localhost:8157. Once you've established a connection to B, the remote command ssh -t -D 8157 user@C is run, which provides your SOCKS proxy through C. From what I've read, '-t' seems to be required, though I still have to figure out why.

Note, this is one command on the first host which invokes ssh twice, from A->B and from B->C. You could also break this into separate commands, as described below.

Bonus: for chaining three proxies...

I.e. A->B->C->D->Internet

[hostA]$ ssh -2 -C -D 55557 -L 55556:127.0.0.1:55556 -L 55555:127.0.0.1:55555 user@B
[hostB]$ ssh -2 -C -D 55556 -L 55555:127.0.0.1:55555 user@C
[hostC]$ ssh -2 -C -D 55555 user@D

Note that for each hop, you need an additional matching forwarder -L on the previous hosts in the chain.


glallen

Posted 2014-11-05T12:47:16.433

Reputation: 1 886

Translation, line by line:

  1. Make a Dynamic port forward from host B on 57, Expose port 56 from B, expose port 55 from B.
  2. Make a Dynamic port forward on port 56 from host C, Expose port 55 From C
  3. Make a Dynamic port forward on port 55 from host D

The end result is a Socks proxy from Every host, through SSH at each step. Ports 57 through 55 will contain proxies with end points at B, C and D. – Ray Foss – 2017-01-06T20:14:40.877

Do you have any free ssh proxies? I haven't found any. – aemonge – 2018-03-13T16:45:55.520
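Added example, not part of glallen's answer or the comments above: a shell function that generalizes the three-hop listing to any number of hops and prints the command to type on each host. Binding every listener to 127.0.0.1 and setting ExitOnForwardFailure=yes are additions made here; the host names and the base port are the placeholders from the listing.

```bash
#!/bin/sh
# Added example: print the per-hop ssh commands for an N-hop SOCKS chain.
# Usage: chain_cmds BASE_PORT FIRST_HOST HOP1 [HOP2 ...]
# Host names and ports are caller-supplied placeholders.
chain_cmds() (
    base=$1
    runs_on=$2
    shift 2
    n=$#
    i=0
    for target in "$@"; do
        i=$((i + 1))
        # SOCKS listener for this hop: highest port on the first hop,
        # BASE_PORT on the last, as in the three-hop listing.
        dport=$((base + n - i))
        # Bind to loopback explicitly so the listener does not depend on
        # GatewayPorts and is never reachable from other machines; abort
        # if any forward cannot be set up instead of running half a chain.
        cmd="ssh -o ExitOnForwardFailure=yes -D 127.0.0.1:${dport}"
        # Relay each deeper hop's port one host further down the chain.
        p=$((dport - 1))
        while [ "$p" -ge "$base" ]; do
            cmd="${cmd} -L 127.0.0.1:${p}:127.0.0.1:${p}"
            p=$((p - 1))
        done
        printf '[%s]$ %s %s\n' "$runs_on" "$cmd" "$target"
        # The next command is typed on the host just connected to.
        runs_on=${target#*@}
    done
)

# Reproduces the A->B->C->D chain with the ports used in the answer.
chain_cmds 55555 hostA user@B user@C user@D
```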

4

glallen's excellent answer utilizing SSH will get the job done. However, the proper way to accomplish this is to use the proxychains program. ProxyChains is a powerful tool that allows you to easily leverage multiple proxy servers at the same time. For example, it's used by hackers to hide their identity while performing internet attacks - by chaining a bunch of proxies around the world together, it becomes virtually impossible for any forensic investigators to trace the traffic all the way back to them. Not to say that you are a malicious hacker - it will work for many different use-cases. ;)

ProxyChains is installed by default on some Linux distributions (like Kali Linux). On Ubuntu/Debian, for example, you can easily install it by doing a:

  • sudo apt-get install proxychains

Proxychains looks for a configuration file at /etc/proxychains.conf. Once you have it installed, back up the existing Proxychains configuration file (if it exists) and create a new one:

  • mv /etc/proxychains.conf /etc/proxychains-backup.conf
  • nano /etc/proxychains.conf

Now, paste in this example configuration that I've written for you:

strict_chain

proxy_dns

tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
socks4          192.168.1.1     8888
socks4          192.168.1.2     8157
socks4          192.168.1.3     6969

In this example, 192.168.1.1 is the IP address of the first SOCKS proxy server, 8888 is the port that the first SOCKS proxy is listening on, 192.168.1.2 is the IP address of the second SOCKS proxy server, 8157 is the port that the second SOCKS proxy is listening on, and so forth.

Now, leverage proxychains by doing proxychains firefox from the command line to launch Firefox. (Make sure that Firefox is closed first.) Now, whenever Firefox makes an outgoing connection, the proxychains program will encapsulate the traffic such that it will be proxied through all of the servers that you specified in this configuration file. To be clear, in your Firefox preferences, you should not be specifying ANY proxy servers - proxychains will take care of everything behind the scenes.

Note that, for troubleshooting purposes, you should probably try to get it working using 1 proxy at a time first before trying all 3. ;)


James

Posted 2014-11-05T12:47:16.433

Reputation: 281

Does proxy chains set up the proxies for you also? or just help you connect to the existing proxies? – glallen – 2015-04-08T21:03:22.463

Proxychains will only connect to existing proxy servers. – James – 2015-04-08T21:24:44.973

If that's the case, then I disagree with the phrase "the proper way to..." as the question is specifically talking about setting up the proxies for chaining on multiple machines, not just directing firefox to existing proxies. Maybe - "an alternate method, once the proxies are in place" would be informative, without implying that using straight ssh is somehow improper. Good additional background info however. Thanks. Edit and you'll have my upvote. – glallen – 2015-04-08T21:58:12.337