Gabriele.vivinetto at 13:29, 3 March 2007

2007-03-03T13:29:57Z

New page

Se si è in una Lan dove è consentito uscire in ssh, ma non con altre porte TCP, è possibile creare un proxy SOCKS 5 da usare per "intubare" le altre connessioni.

'''ATTENZIONE''': il proxy socks 5 di SSH non supporta traffico UDP, quindi applicazioni tipo VPN su porte UDP non funzionano ([http://www.employees.org/~satch/ssh/faq/ssh-faq-5.html#ss5.5 5.5. Can I use ssh to securely forward UDP-based services, such as NFS or NIS?]); vedi oltre per un workaround.

Per attivare il proxy collegarsi al proprio host con il comando:

ssh -D 1080 mio.server.dom

A questo punto sarà attivo un proxy SOCKS5 TCP su localhost sulla porta 1080.

Configurare ad esempio in FF come proxy socks 5 localhost sulla porta 1080 e collegarso ad assitenza.rvmgroup.it: l'ip rilevato sarà mio.server.dom.
NATURALMENTE su mio.server.dom deve essere permesso il forwarding del servizio che si intuba.

==Proxy SOCKS in Ubuntu==

Gnome permette di configurare un proxy per il proprio ambiente, provare prima ad impostarlo in

''Sistema / Preferenze / Proxy di rete''

Chiudere e riavviare le applicazioni. Dovrebbero automaticamente usare questa impostazione.

==Socksifizzazione di un'applicazione==

Se l'applicazione che si vuole usare non supporta socks si può installare '''tsocks'''

sudo apt-get install tsocks

La configurazione base può essere:

<pre>
cat | sudo tee /etc/tsocks >/dev/null <<EOFile
server = 127.0.0.1
# Server type defaults to 4 so we need to specify it as 5 for this one
server_type = 5
# The port defaults to 1080 but I've stated it here for clarity
EOFile
</pre>

Ora si può lanciare l'applicazione con

tsocks applicazione

Oppure per tutte i comandi da terminale, attivare tsocks:

<pre>
tsocks on
comandi
...
tsocks off
</pre>

==Performing UDP tunneling through an SSH connection==

Vedi [http://zarb.org/~gc/html/udp-in-ssh-tunneling.html Performing UDP tunneling through an SSH connection]

The Swiss ISP [http://www.bluewin.ch/ Bluewin] sucks. Their DNS are often down. A friend even received advice from Bluewin technicians to not use their own DNS!... But then, it is quite hard to gain access to another DNS for free, if you don't have access to a co hosted machine. In this document, we'll access another machine's network internal DNS services (UDP port 53) with only SSH access to it. We will forward UDP/53 traffic to TCP, then TCP traffic with the port-forwarding mechanism of SSH, then TCP to UDP/53 on the other end. Typically, you can do it with [http://openvpn.net/ openvpn]. But here, we'll do it with simpler tools, only [http://www.openssh.com/ openssh] and [http://m.nu/program/util/netcat/netcat.html nc].

----

===Open a TCP forward port with your SSH connection===

On your local machine (<tt>local</tt>), connect to the distant machine (<tt>server</tt>) by SSH, with the additional <tt>-L</tt> option so that SSH will TCP port-forward:

local# ssh -L 6667:localhost:6667 server.foo.com

This will allow TCP connections on the port number <tt>6667</tt> of your local machine to be forwarded to the port number <tt>6667</tt> on <tt>server.foo.com</tt> through the secure channel.

===Setup the TCP to UDP forward on the server===

On the server, we open a listener on the TCP port 6667 which will forward data to UDP port 53 of a specified IP. If you want to do DNS forwarding like me, you can take the first nameserver's IP you will find in <tt>/etc/resolv.conf</tt>. But first, we need to create a fifo. The fifo is necessary to have two-way communications between the two channels. A simple shell pipe would only communicate left process' standard output to right process' standard input.

server# mkfifo /tmp/fifo
server# nc -l -p 6667 < /tmp/fifo | nc -u 192.168.1.1 53 > /tmp/fifo

This will allow TCP traffic on server's port 6667 to be forwarded to UDP traffic on 192.168.1.1's port 53, and responses to come back.

===Setup the UDP to TCP forward on your machine===

Now, we need to do the opposite of what was done upper on the local machine. You need priviledged access to bind the UDP port 53.

local# mkfifo /tmp/fifo
local# sudo nc -l -u -p 53 < /tmp/fifo | nc localhost 6667 > /tmp/fifo

This will allow UDP traffic on local machine's port 53 to be forwarded to TCP traffic on local machine's port 6667.

===Enjoy your local DNS server :)===

As you've probably guessed it now, when a DNS query will be performed on the local machine, e.g. on local UDP port 53, it will be forwarded to local TCP port 6667, then to server's TCP port 6667, then to server's DNS server, UDP port 53 of 192.168.1.1. To enjoy DNS services on your local machine, put the following line as first nameserver in your <tt>/etc/resolv.conf</tt><nowiki>: </nowiki>

nameserver 127.0.0.1

==Riferimenti==

*[http://muffinresearch.co.uk/archives/2007/01/19/ssh-socks-proxy/ SSH SOCKS Proxy | Muffin Research Labs by Stuart Colville]
*[http://marc.abramowitz.info/archives/2006/01/28/tsocks/ Marc Abramowitz » tsocks]
*[http://marc.abramowitz.info/archives/2006/02/18/evolution-using-a-socks-proxy/ Marc Abramowitz » Evolution: Using a SOCKS proxy]
*[http://en.opensuse.org/OpenSSH#SOCKS OpenSSH - openSUSE]

Creare un proxy SOCKS con ssh - Revision history

Gabriele.vivinetto at 13:29, 3 March 2007