2

I have SSH access to a jump box at work. This jump box gives access to the complete network infrastructure at work, which is great for working from home.

I am able to run a SOCKS5 proxy on the jump box (via ssh -D) and successfully managed to configure my browser to use that SOCKS5 proxy for work hosts (via https://getfoxyproxy.org). Foxyproxy seems to forward DNS requests to that SOCKS5 proxy, so all is working fine.

While this all works fine, I am wondering if it is possible to let my system use the SOCKS5 for work-related traffic in a more transparent manner. It's quite exhausting to figure out for each application I use if it supports SOCKS5 and if so, how.

More concretely, is there a way to configure my system in such a way that it will automatically route traffic via the SOCKS5 proxy for predefined hosts?

I know there are tools such as proxychains (see https://github.com/haad/proxychains), but this is not what I am after. This routes all traffic of an application to the proxy, while I want to route all traffic to a host to the proxy, if that makes sense.

Is this possible?

For your information, I asked a related question regarding DNS requests here: Forward DNS request to my work's jump server. Combining this question with the DNS question, I hopefully end up with a fully transparent way of interacting with work.

Pritzl
  • 305

4 Answers

2

It is technically possible, though note that SOCKS only supports TCP tunnels (and in rare cases UDP). Anything else would have to be dropped.

If you use Linux, you can use iptables to redirect specific packets to a locally running transparent proxy, of which there are several SOCKS-capable ones – Google gives transocks, redsocks, pr0cks.

(The Tor-based "Tails" OS does the same trick, but the transparent proxying functionality is now built in to the Tor daemon itself – there is no separate SOCKS layer involved.)

For operating systems which do not have such "transparent proxy" support, it would still be possible but the software could get quite complex – it could create a virtual TUN interface that the packets could be routed to, but it would need to handle the entire client-side TCP protocol on its own, without any help from the OS. (SOCKS doesn't actually relay raw TCP packets, it only relays the data carried inside.)

grawity
  • 501,077
1

Perhaps take a look at socksify. It might work particularly well if your office proxy uses Dante, but should be fine for other set-ups as well.

1

I am using transocks. My IP tables configuration looks like this:

```bash
#!/usr/bin/bash

# Transocks: https://github.com/cybozu-go/transocks

set -e
stty -echoctl

# Point to the transparent socket port (running in an exclusive user)
TRANSOCKS_PORT=12345
TRANSOCKS_USER=transocks

# Redirect all the network of your computer (except transocks user)
REDIRECT_LOCAL_NETWORK=1

# Redirect access point (wifi hotspot)
AP_SUBNET_ENABLED=1
AP_SUBNET_IFACE=ap0
AP_SUBNET_RANGE="192.168.12.0/24"

function action_up() {
    echo "-----------------------------"
    echo "# Adding iptables chain rules"
    echo "-----------------------------"
    iptables -v -t nat -N TRANSOCKS
    # Never redirect local, private, link-local, multicast or reserved ranges
    iptables -v -t nat -A TRANSOCKS -d 0.0.0.0/8 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 10.0.0.0/8 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 100.64.0.0/10 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 127.0.0.0/8 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 169.254.0.0/16 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 172.16.0.0/12 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 192.168.0.0/16 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 198.18.0.0/15 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 224.0.0.0/4 -j RETURN
    iptables -v -t nat -A TRANSOCKS -d 240.0.0.0/4 -j RETURN
    # Everything else (TCP only) goes to the local transparent proxy
    iptables -v -t nat -A TRANSOCKS -p tcp -j REDIRECT --to-ports $TRANSOCKS_PORT

    if [ "$REDIRECT_LOCAL_NETWORK" = 1 ]; then
        echo "--------------------------------"
        echo "# Redirecting non-transocks user"
        echo "--------------------------------"
        # Exempt the proxy's own uid, otherwise its upstream connections would loop back
        iptables -v -t nat -A OUTPUT -p tcp -m owner ! --uid-owner $TRANSOCKS_USER -j TRANSOCKS
    fi

    if [ "$AP_SUBNET_ENABLED" = 1 ]; then
        echo "-----------------------"
        echo "# Redirecting AP subnet"
        echo "-----------------------"
        iptables -v -t nat -I PREROUTING -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -j TRANSOCKS
        iptables -v -I INPUT -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -p tcp -m tcp --dport $TRANSOCKS_PORT -j ACCEPT
    fi
}

function action_down() {
    if [ "$REDIRECT_LOCAL_NETWORK" = 1 ]; then
        echo "------------------------------"
        echo "# Cleaning non-transocks rules"
        echo "------------------------------"
        iptables -v -t nat -D OUTPUT -p tcp -m owner ! --uid-owner $TRANSOCKS_USER -j TRANSOCKS
    fi

    if [ "$AP_SUBNET_ENABLED" = 1 ]; then
        echo "--------------------------"
        echo "# Cleaning AP subnet rules"
        echo "--------------------------"
        iptables -v -t nat -D PREROUTING -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -j TRANSOCKS
        iptables -v -D INPUT -i $AP_SUBNET_IFACE -s $AP_SUBNET_RANGE -p tcp -m tcp --dport $TRANSOCKS_PORT -j ACCEPT
    fi

    echo "-----------------------------"
    echo "# Cleaning and removing chain"
    echo "-----------------------------"
    iptables -v -F TRANSOCKS -t nat
    iptables -v -X TRANSOCKS -t nat
}

trap 'action_down' SIGINT

action_up

echo
echo "Hit Ctrl+C to remove the ip table rules"
echo

while :
do
    sleep 1
done
```
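As an added illustration (not code from the question, from transocks, or from any answer) of what the locally running transparent proxy in the two answers above does between the iptables REDIRECT and the `ssh -D` listener: it asks the kernel for the original destination of the redirected connection, then issues a SOCKS5 CONNECT for it. Because only the destination IP reaches the proxy this way, name resolution for work hosts still happens locally (the linked DNS question), unlike FoxyProxy, which hands the hostname to the SOCKS server. Assumes Linux (`SO_ORIGINAL_DST`), the no-auth method that `ssh -D` offers, and constructed sample bytes; `open_socks_leg` is a hypothetical name.

```python
import socket
import struct

SO_ORIGINAL_DST = 80  # Linux-only, from linux/netfilter_ipv4.h; not exported by the socket module
SOCKS5, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x05, 0x01, 0x01, 0x03


def parse_original_dst(raw: bytes) -> tuple:
    """Decode the struct sockaddr_in the kernel hands back for a REDIRECTed TCP connection
    (2-byte family in host order, then port and IPv4 address in network order)."""
    if len(raw) < 8 or struct.unpack("=H", raw[:2])[0] != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr")
    return socket.inet_ntoa(raw[4:8]), struct.unpack("!H", raw[2:4])[0]


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT request sent to the ssh -D listener after the no-auth greeting. A transparent proxy
    only knows the IP from SO_ORIGINAL_DST, so it sends ATYP 1; a hostname is sent as ATYP 3."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:  # not a dotted IPv4 literal: let the SOCKS server resolve the name
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_socks5_reply(data: bytes) -> tuple:
    """Parse the CONNECT reply; returns (ok, reply_code, bound_host, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        host, end = data[5:5 + data[4]].decode("idna"), 5 + data[4]
    else:
        raise ValueError("unsupported address type %d" % atyp)
    return rep == 0, rep, host, struct.unpack("!H", data[end:end + 2])[0]


def open_socks_leg(conn: socket.socket, socks_addr: tuple) -> socket.socket:
    """For one REDIRECTed client socket, open the matching SOCKS5 connection (touches the network)."""
    host, port = parse_original_dst(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))
    up = socket.create_connection(socks_addr)
    up.sendall(b"\x05\x01\x00")  # greeting: SOCKS5, one method offered, no auth
    if up.recv(2) != b"\x05\x00":
        raise OSError("SOCKS5 listener did not accept no-auth")
    up.sendall(socks5_connect_request(host, port))
    ok, rep, _, _ = parse_socks5_reply(up.recv(262))
    if not ok:
        raise OSError("SOCKS5 CONNECT to %s:%d failed with reply %d" % (host, port, rep))
    return up  # caller now pumps bytes between conn and up; SOCKS carries payload, not packets
```

The proxy process must run as the uid that the `! --uid-owner` rule exempts, otherwise its own connection to the `ssh -D` port would be redirected back to itself.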

1

You can also look at TS-Warp. It works on Linux, *BSD and macOS.

cachius
  • 859