
Selective SSH Tunnel to SOCKS Proxy


tonyboy
01-16-2007, 06:12 PM
Hi everyone,

I'm trying to set-up an SSH tunnel that will allow me to view websites and access my mailboxes at work -- services that aren't available outside the network.


It's very simple, really. I set up an SSH tunnel that dynamically forwards all connections via the built-in SOCKS proxy:
ssh -NCD 1080 username@server

I follow that up by configuring my internet connection to access the SOCKS proxy at localhost:1080.



Now, all of the connections I make to the internal work servers work fine, but access to sites such as google.com doesn't -- it seems the administrator of the SSH/SOCKS proxy on the remote end has disabled this kind of forwarding.

So I'd like to request that only work-related connections go through the SSH tunnel and everything else is accessed directly. The Proxy Auto-Configuration (PAC) file format is ideal for this!

I've coded up the rules that determine which connections go through the tunnel and which are direct, but it seems that these rules are only applied with regard to HTTP! All of the other services I use for work (IMAP/POP, SMTP, etc.) are broken because their connections aren't made through the tunnel!



So in sum, what I'd like to do is keep the SSH tunnel up and running, but only route those connections that are work-related through the tunnel (regardless of what ports they are trying to access) and keep everything else connecting directly, without regard to the tunnel.


Cheers and thanks!
- Anthony

PokerNinja
01-21-2007, 06:03 PM
You have almost everything you need. I'm probably going to say more than
what you need, because I just figured this out myself, and it took a lot longer
to get the last detail than it should have. So, if I put all the info here in one
place, maybe the search engines will pick it up.

1) ssh -D 1080 user@domain.com

Make sure the version of ssh you have supports both SOCKS v4 and SOCKS v5. The one I had was just v4, and it won't work. The best way to check is "man ssh" and see if it just mentions SOCKS or "SOCKS4 and SOCKS5".

2) Proxy Auto-Configuration (pac) File:

This does NOT work:

function FindProxyForURL(url, host) {
    // "SOCKS" is treated as SOCKS v4 by the browser
    if (dnsDomainIs(host, ".wherever.com"))
        return "SOCKS localhost:1080";
    else
        return "DIRECT";
}

This will work: (note SOCKS5 instead of SOCKS)

function FindProxyForURL(url, host) {
    // "SOCKS5" selects SOCKS v5, which lets the browser hand the hostname
    // to the proxy instead of resolving it locally
    if (dnsDomainIs(host, ".wherever.com"))
        return "SOCKS5 localhost:1080";
    else
        return "DIRECT";
}

3) Lastly, you need to make sure that the DNS queries for machines on
the remote network get resolved on the remote-side of the ssh tunnel.
Using Firefox, open a new tab or window, and go to URL "about:config"
and change "network.proxy.socks_remote_dns" to "true".

Those were the 3 key pieces of information I wasn't able to find in a single
location, so hopefully this will do it. If the above doesn't work, let me
know because I probably just forgot some little tidbit, as I'm currently
using this very same setup right now.

For what it's worth, I did all the above using the linux Ubuntu distribution
as well as Windows XP. I'm sure it will work for MacOS as well.