0%

SSH Reverse SOCKS Tunnel

Useful SSH options

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dy‐
namic port forwardings can also be specified in the configuration file.

IPv6 addresses can be specified by enclosing the address in square brackets. Only the superuser can forward privileged ports. By
default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to
bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local
use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.

-L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socket
Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host
and port, or Unix socket, on the remote side. This works by allocating a socket to listen to either a TCP port on the local side,
optionally bound to the specified bind_address, or to a Unix socket. Whenever a connection is made to the local port or socket,
the connection is forwarded over the secure channel, and a connection is made to either host port hostport, or the Unix socket
remote_socket, from the remote machine.

Port forwardings can also be specified in the configuration file. Only the superuser can forward privileged ports. IPv6 addresses
can be specified by enclosing the address in square brackets.

By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to
bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local
use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.

-R [bind_address:]port:host:hostport
-R [bind_address:]port:local_socket
-R remote_socket:host:hostport
-R remote_socket:local_socket
-R [bind_address:]port
Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be forwarded to the local side.

This works by allocating a socket to listen to either a TCP port or to a Unix socket on the remote side. Whenever a connection is
made to this port or Unix socket, the connection is forwarded over the secure channel, and a connection is made from the local ma‐
chine to either an explicit destination specified by host port hostport, or local_socket, or, if no explicit destination was speci‐
fied, ssh will act as a SOCKS 4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.

Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root
on the remote machine. IPv6 addresses can be specified by enclosing the address in square brackets.

By default, TCP listening sockets on the server will be bound to the loopback interface only. This may be overridden by specifying
a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces.
Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time.
When used together with -O forward the allocated port will be printed to the standard output.

SOCKS tunnel for remote server via local PC

  1. Setup a forwarding from remote to local for ssh service with -R option, on the local PC

    1
    ssh -R 1022:localhost:22 ${remoteuser}@${remotehost}
  2. With that forwarding, you can login ssh of local PC via localhost:1022 on the remote server

  3. Setup a SOCKS tunnel from remote to local with -D option, on the remote server

    1
    ssh -D 1080 -p 1022 ${localuser}@localhost
  4. Then you can access network resources with SOCKS proxy socks5://localhost:1080 on the remote server

Proxy utils

Many network applications already have SOCKS support built into them.

For applications without SOCKS support, proxychains can help.

For example, you can curl with SOCKS proxy:

1
proxychains4 -f ~/.proxychains/proxychains.conf curl google.com

And you can proxychains a bash:

1
proxychains4 bash