Blog Fiasco

May 29, 2009

SOCKS it to me

Filed under: Linux, mac, The Internet — bcotton @ 10:49 pm

(This is the first in a series of “there’s already a thousand other articles about this out there, but I’m writing my own so that I’ll have something to put on my blog” articles).

For security’s sake, some of the services I run in my department aren’t accessible off-campus, or even outside of my department’s subnets.  This is normally a good thing, but it can be a bit of a hassle sometimes.  If I’m at home and I want to check my Exchange e-mail with Entourage, or if I need to access my Samba server, I can always just fire up a VPN connection.  But if I need to play around with CUPS, and I’m not wired in to my department (say, for example, I’m sitting in a meeting and I want to get actual work done instead), then I’m just up a creek.  The VPN is at the University level, and I don’t really feel like letting the whole campus print to my printers.  We spend too much on printing anyway.

This is where SOCKS comes in.  SOCKS is a proxy protocol — instead of traffic going directly from a server to you, it goes through the proxy first.  SOCKS can be used to pass all kinds of traffic, but probably the most common use is to encrypt, hide, or otherwise mangle web traffic.

Some uses of SOCKS are completely honest, like my example above to access restricted resources when I’m away from my office.  Another reason to use SOCKS is if you’re on an untrusted network, like at a coffee house, and you don’t want anyone who is trying to snoop your network traffic to see what web pages you’re viewing.  A less noble case is tunneling your web traffic through somewhere else while you’re at work, thus allowing you to visit sites your boss would not approve of.  I suppose you could also use a SOCKS proxy to visit sites that the law would not approve of, but you’ll still get caught.

So I’ve gone on for over three hundred words so far, and I still haven’t said how you can actually do this.  As it turns out, it is surprisingly simple.  All you need is an SSH server, an SSH client, and a web browser.  The SSH server runs on whatever you want to use as a proxy, in this case my Linux desktop at work.  The SSH client and web browser run on the computer you’re using to surf ye olde intertubes.  (If you’re using Linux or Mac OS X, you’ve probably already got the SSH client and SSH server available, but you might have to get it started.  Windows users will need Cygwin or something similar.  In any case, Google is your friend).

To get started, just make an SSH connection to your proxy host.  Something like

   ssh -ND 8120 bcotton@host.department.employer.edu

will do quite nicely.  The “-ND” option does not mean to root for Notre Dame.  Do not do that under any circumstances.  “N” tells SSH not to run a command, so you won’t get a command line, which in this case is fine.  “D” tells SSH to listen on the local port you give it and act as a SOCKS proxy for whatever connects there.  I chose 8120, but you can choose pretty much whatever you want between 1025 and 65535.  The important thing is to remember it.  The rest is your username and then the server you want to connect to.

Okay, so now you’ve got the connection set up.  The next thing to do is to tell your browser to use it.  Firefox users, go to Preferences and select the “Advanced” tab.  Next, select the “Network” section.  You’ll see a line that reads “Configure how Firefox connects to the internet.”  Click on the “Settings” button next to that.  Select “Manual Proxy Configuration.”  In the box labeled “SOCKS Host” enter “localhost” and in the “Port” box next to that, enter the port you chose when you set up your SSH connection.  Click “OK” and then you’re done.

If you did it right, you’re now sending all of your web traffic through the proxy.  Well done!
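To confirm that the listener opened by `ssh -ND 8120` really speaks SOCKS and can reach a service behind it, here is an added example (not part of the original post) that performs the SOCKS5 exchange from RFC 1928 by hand. The function names are hypothetical, and the target host and port 631 (CUPS) are assumed sample values; the request carries the host name so that the lookup happens on the far side of the tunnel.

```python
import socket
import struct

# SOCKS5 reply codes from RFC 1928, section 6.
REPLIES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
           3: "network unreachable", 4: "host unreachable",
           5: "connection refused", 6: "TTL expired",
           7: "command not supported", 8: "address type not supported"}

def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request that carries the host *name* (ATYP 3), so the
    proxy end of the tunnel resolves it rather than the local machine."""
    name = host.encode("ascii")
    if not 0 < len(name) <= 255 or not 0 < port <= 65535:
        raise ValueError("bad host or port")
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3, then length, name, port
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def parse_reply(data: bytes) -> str:
    """Translate the first two bytes of a SOCKS5 reply (VER, REP)."""
    if len(data) < 2 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return REPLIES.get(data[1], f"unknown code {data[1]}")

def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a short read means the peer hung up."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def check_tunnel(host: str, port: int, proxy_port: int = 8120) -> str:
    """Ask the local SOCKS listener to connect to host:port; return the result."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(b"\x05\x01\x00")  # VER=5, 1 method offered, 0 = no auth
        if recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("listener did not accept SOCKS5 without auth")
        s.sendall(socks5_connect_request(host, port))
        return parse_reply(recv_exact(s, 2))

if __name__ == "__main__":
    # Assumed sample target: the CUPS port on the post's example host.
    print(check_tunnel("host.department.employer.edu", 631))
```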
