Often I tunnel my web traffic through an SSH connection to a remote machine so that my HTTP and HTTPS connections originate from it. I do this for many reasons, the most common being that I don't trust the network I'm on, so I don't want to send my unencrypted HTTP traffic through it, or that there is a firewall that prevents me from getting from my laptop to a given server. For example, I can only get to most of the internal Google web servers from an IP address inside Google's network.

This post explains how I do it. Basically, I establish an SSH connection with certain parameters that allow me to tunnel traffic through it, and then configure Firefox to use the tunnel and to never do DNS lookups by itself.
Establish the SSH connection

Randomly select a port that is currently unused on your client machine. In this article we will refer to it as $PORT. If you don't know which port to pick, pick a random number between 10,000 and 20,000; chances are it won't be in use on your client machine.
Establish your SSH connection to your server as you usually would, but pass a -fND $PORT option. For example:
ssh -fND localhost:$PORT azul@freaks-unidos.net

Once you log in, the SSH process will go into the background and the tunnel will be established.
If you actually want to use the SSH connection for more than just the tunnel, do not pass the -f nor the -N option, just -D localhost:$PORT.
Note that although the localhost: part in the SSH command is optional, you should specify it to restrict the tunnel to processes running on your machine. Otherwise other users of your local network who knew about your tunnel would be able to use it.
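The steps above, put into a small POSIX shell script as an added example (this is not code from the original post): it picks an unused port in the 10,000 to 20,000 range, opens the tunnel with the same ssh -fND localhost:$PORT command, and then checks the point made about localhost: by confirming that the listener is bound to 127.0.0.1 or [::1] only and not to 0.0.0.0. The ss/netstat probing, the Linux listing format it parses and the sample listings are assumptions; the user@host is the one from the text.

```shell
#!/bin/sh
# Added example (not from the original post): pick an unused local port,
# open the ssh -D tunnel bound to localhost, and confirm that the listener
# really is loopback-only. The ss/netstat probing and the Linux listing
# format parsed below are assumptions.

# Does a local TCP listener already use this port? (0 = yes). Falls back to
# "free" when neither ss nor netstat is available.
port_in_use() {
  if command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | awk -v port="$1" \
      '{ n = split($4, a, ":"); if (a[n] == port) f = 1 } END { exit (f ? 0 : 1) }'
  elif command -v netstat >/dev/null 2>&1; then
    netstat -ltn 2>/dev/null | awk -v port="$1" \
      '{ n = split($4, a, ":"); if (a[n] == port) f = 1 } END { exit (f ? 0 : 1) }'
  else
    return 1
  fi
}

# Random port in 10000..20000 that is not in use (up to 50 tries).
pick_free_port() {
  i=0
  while [ "$i" -lt 50 ]; do
    p=$(awk -v seed="$(( $$ + i ))" 'BEGIN { srand(seed); print 10000 + int(rand() * 10001) }')
    if ! port_in_use "$p"; then echo "$p"; return 0; fi
    i=$((i + 1))
  done
  return 1
}

# The exact command from the post: -f background, -N no remote command,
# -D dynamic (SOCKS) forward, bound to localhost only.
ssh_tunnel_cmd() {
  echo "ssh -fND localhost:$1 $2"
}

# Given the output of `ss -ltn` (or Linux `netstat -ltn`) and the port, succeed
# only if every listener on that port is on 127.0.0.1 or [::1]. A 0.0.0.0 or
# [::] entry means other hosts on the local network could use the tunnel.
listener_is_loopback_only() {
  printf '%s\n' "$1" | awk -v port="$2" '
    ($1 == "LISTEN" || $6 == "LISTEN") {
      n = split($4, a, ":"); if (a[n] != port) next
      addr = $4; sub(":" a[n] "$", "", addr)
      found = 1
      if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
    }
    END { exit ((found && !bad) ? 0 : 1) }'
}

main() {
  port=$(pick_free_port) || { echo "no free port found" >&2; exit 1; }
  echo "running: $(ssh_tunnel_cmd "$port" "$1")"
  ssh -fND "localhost:$port" "$1" || exit 1
  if listener_is_loopback_only "$(ss -ltn 2>/dev/null || netstat -ltn)" "$port"; then
    echo "tunnel up on 127.0.0.1:$port (loopback only); use $port as the Firefox SOCKS port"
  else
    echo "WARNING: port $port is not bound to loopback only" >&2
  fi
}

# Only act when called with a user@host argument, e.g.:
#   sh tunnel.sh azul@freaks-unidos.net
if [ $# -gt 0 ]; then main "$@"; fi
```

Running it with no arguments only defines the functions, so listener_is_loopback_only can also be fed a saved listing to audit an existing tunnel after the fact.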
Configuring Firefox to use the Tunnel

In Firefox click on the menus Edit > Preferences. Pick the Advanced tab and click on Settings next to Configure how Firefox connects to the internet. Select Manual proxy configuration, enter localhost in the SOCKS Host text field and enter the port you used for your tunnel. Close the dialog to apply the settings.
At this point most of the traffic from Firefox will go to the selected port, where the SSH process will pick it up and send it encrypted to your SSH server, which will in turn establish the actual connections to the web servers. There are two exceptions:

- Hosts listed in the No proxy for setting. By default this setting lists localhost and 127.0.0.1. You could add other hosts or IP addresses if you want Firefox to connect to them directly (instead of using the tunnel).
- Firefox will still do DNS lookups for the hostnames.
Configure Firefox to use the Tunnel also for DNS

To prevent Firefox from doing DNS lookups itself, enter about:config in the URL text field and double click on network.proxy.socks_remote_dns to set it to true.
The following are reasons for you to prefer sending DNS traffic through the tunnel instead of through the local network:

- Although other users in your local network won't be able to see your actual web traffic, they can still see the hostnames of the sites you are connecting to.
- Your web content may have many URLs such as http://www/foo.htm, where your SSH server will be able to correctly resolve the hostname but, for different reasons, your client may not.

Voila, at this point Firefox will be sending all its traffic (except, again, for the No proxy for servers) through your SSH tunnel.
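The two Firefox steps above (manual SOCKS proxy on localhost:$PORT, then network.proxy.socks_remote_dns set to true) can also be applied without clicking through the dialogs, by writing the same preferences into the profile's user.js, which Firefox reads at startup. The script below is an added example, not part of the original post; the pref names are Firefox's real ones, while the profile directory and port are assumptions passed in by the caller. It also includes a small check that an existing user.js still routes DNS through the tunnel, which is the setting most easily forgotten.

```shell
#!/bin/sh
# Added example (not from the original post): write the Firefox proxy settings
# the text configures by hand into a profile's user.js so that the SOCKS tunnel
# and remote DNS apply on every start. Profile dir and port are assumptions.

write_firefox_proxy_prefs() {
  profile_dir=$1   # e.g. ~/.mozilla/firefox/<profile>.default (assumed path)
  port=$2          # the $PORT you passed to ssh -D
  [ -d "$profile_dir" ] || { echo "no such profile dir: $profile_dir" >&2; return 1; }
  cat > "$profile_dir/user.js" <<EOF
// 1 = "Manual proxy configuration"; 0 would be "No proxy"
user_pref("network.proxy.type", 1);
// SOCKS host and port: the local end of the ssh -D tunnel
user_pref("network.proxy.socks", "localhost");
user_pref("network.proxy.socks_port", $port);
user_pref("network.proxy.socks_version", 5);
// Resolve hostnames on the SSH server instead of on the local network
user_pref("network.proxy.socks_remote_dns", true);
// The "No proxy for" list: these hosts are still contacted directly
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
EOF
}

# Succeeds only if the given user.js keeps DNS lookups inside the tunnel.
prefs_send_dns_through_tunnel() {
  grep -q 'user_pref("network.proxy.socks_remote_dns", true);' "$1"
}

# Usage (assumed paths):
#   write_firefox_proxy_prefs ~/.mozilla/firefox/xxxxxxxx.default 15423
#   prefs_send_dns_through_tunnel ~/.mozilla/firefox/xxxxxxxx.default/user.js
```

Firefox must be restarted for user.js to take effect, and a pref set in user.js is re-applied on every start, so changing it later in about:config alone will not stick until the line is removed from the file.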
Verifying that it is working

At this point your tunnel should be working.
If you still want to verify it (rather than trust this wiki from someone you don't know, right?), run Wireshark or tcpdump on your machine and double-check that all network packets from Firefox are being sent encrypted through your SSH connection.
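A concrete way to do that verification with tcpdump, as an added example that is not part of the original post: with the tunnel up, the only traffic that should leave the laptop is the SSH session to the server, so a capture filter that hides that session shows nothing but leaks. The second function scans tcpdump's default text output for DNS (port 53) or HTTP/HTTPS (80/443) packets that went anywhere other than through the tunnel, which is exactly what a forgotten socks_remote_dns setting or a No proxy for entry would produce. The server address 203.0.113.5, the interface name and the capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a packet-level leak check for
# the "verify with tcpdump" step. Server IP, interface and sample capture
# lines are constructed assumptions.

# BPF filter that hides the SSH session itself so only leaks are displayed:
#   sudo tcpdump -ni eth0 "$(leak_filter 203.0.113.5)"
leak_filter() {
  echo "not (host $1 and tcp port 22)"
}

# Scan tcpdump's text output (passed as a string, so a saved capture can be
# checked offline) for DNS or web packets that did not go to the SSH server.
# Prints each offending line; exit status 1 if there was at least one.
find_leaks() {
  capture=$1
  server=$2
  printf '%s\n' "$capture" | awk -v server="$server" '
    $2 == "IP" {
      dst = $5; sub(":$", "", dst)                 # "198.51.100.80.443:" -> addr.port
      n = split(dst, d, "."); dport = d[n]
      dhost = dst; sub("\\." dport "$", "", dhost)
      if (dhost == server && dport == "22") next    # the tunnel itself: expected
      if (dport == "53" || dport == "80" || dport == "443") { print; leaks++ }
    }
    END { exit (leaks ? 1 : 0) }'
}

# Usage with a live capture written to a file (constructed paths):
#   sudo tcpdump -ni eth0 -l > /tmp/cap.txt &
#   ... browse for a while, then stop it ...
#   find_leaks "$(cat /tmp/cap.txt)" 203.0.113.5 && echo "no DNS or web leaks"
```

Only IPv4 lines are examined; if the laptop has IPv6 connectivity, run the same filter without the tcp qualifier restriction in mind and extend the awk pattern to "IP6" lines, since Firefox will happily resolve and connect over IPv6 when a host is excluded from the proxy.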
If you find that you're changing your proxy configuration often, you may want to install the FoxyProxy extension, which lets you:

- Change which proxy to use based on priorities and regular expressions on the URLs.
- Change the default proxy from a list of pre-defined proxies with a single click.
Original: http://wiki.freaks-unidos.net/weblogs/azul/firefox-ssh-tunnel