SOCKS Forwarding With OpenSSH

OpenSSH

[OpenSSH](http://www.openssh.com) includes an overlooked but very useful feature: SOCKS proxy forwarding. From ssh(1) man page:

> *-D port*
>
> Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

If that’s too cryptic for you to comprehend, here is an example scenario:

1. Open an SSH connection to a remote shell account using OpenSSH with -D option, for example: `ssh -D 25000 john@example.org`. The `-D 25000` part tells OpenSSH to provide a SOCKS4/SOCKS5 proxy on port 25000 on localhost.

2. Open a web browser that supports SOCKS4/SOCKS5, like the excellent [Mozilla FireFox](http://www.mozilla.org/products/firefox/). And then configure it to use a SOCKS4/SOCKS5 proxy at localhost port 25000.

3. Browse the web as usual, but this time, any connection will originate from the host you SSH into.

**Note**: You can also use other Internet applications as long as it supports SOCKS4/SOCKS5. For applications that don’t support it, you can use something like [Proxychains](http://proxychains.sourceforge.net/).

How this can be useful:

* Network testing, test your network from remote locations by using software on your workstation instead of resorting to cryptic command line shell account :)
* To bypass firewall restrictions at work, but don’t blame me if you get caught :)
* Poor man’s VPN, no need to install specialized VPN software
* To get around IP address blocking, especially for those who blacklist the entire country. Yes yes, we Indonesians suffer from this very often.
* A better alternative than a passworded remote proxy server, or worse, an open proxy server.
* To pretend that you are traveling around very often :D

For Windows users, it looks like [PuTTY](http://www.chiark.greenend.org.uk/~sgtatham/putty/) also has this feature.

15 comments

  1. huaaaa… ternyata pake PuTTY bisa juga :x
    kirain ga akan bisa :”>
    tapi ngapain juga gua pake ginian, tinggal geser kursi ke kanan doang :-“

  2. Guys,

    Saya orang yg awam di bidang IT dan sekarang ini saya tidak bisa buka yahoo mail di ktr.(sepertinya di blok, meskipun Yahoo Masangger bisa)

    Pertanyaan saya ada gak cara yg bisa buka port yahoo mail , caranya gimana yaa….

    thx sebelumnya

  3. If you are not allowed to make ssh connections (port 22) you can configure your ssh server to accept connections on port 80 and your ISP will allow it :d

    Happy hunting!

Leave a comment

Your email address will not be published. Required fields are marked *