![]() Iptables -t nat -A OUTPUT -p tcp -j REDIRECT -to-ports LOCAL_PORT Iptables -t nat -A OUTPUT -o lo -j ACCEPT Iptables -t nat -A OUTPUT -p tcp -d REMOTE_SERVER_IP -dport REMOTE_PORT -j ACCEPT ![]() Iptables -t nat -A PREROUTING -p tcp -j REDIRECT -to-ports LOCAL_PORT Iptables -t nat -A PREROUTING -p tcp -d LOCAL_IP_ADDRESS_CLASS -j ACCEPT The following settings should be made on local device.ġ.Enable IPv4 forwarding in /etc/nf: _forward=1Ģ.Redirect all TCP connections to socks proxy: In order to make the SSL Socks Proxy Transparent, we need to setup our local device as the router and gateway of our local network and intercept all TCP connections. Part II: Making the SSL Socks Proxy Transparent The notes which I mentioned in previous section also apply to this section.ĥ.Create /etc/stunnel/secrets.txt on remote server identical to secrets file on local device.Ħ.Run both stunnel instances on local device and remote server. Pick your username and password accordingly.Ĥ.Create stunnel config on remote server /etc/stunnel/nf: “foreground = no” makes stunnel to run in daemon mode.ģ.Create local PreShareKey secret file /etc/stunnel/secrets.txt: USERNAME:PASSWORD_MORE_THAN_20_CHARS Note II: If you need to see the log messages for debug purposes, you can set “foreground = yes” temporarily. If you have an openssl package with zlib support you can uncomment “compression = zlib” line. Note I: I noticed raspbian prebuilt openssl package doesn’t support zlib compression, so in my case I had to recompile openssl with zlib support. REMOTE_PORT: The port which remote server will accept connections on. LOCAL_PORT: The local port which stunnel will listen on. although you can use a PC or a virtual machine to achieve the same.ĭebian is my favorite Linux distro, so my guide will be based on Debian.ġ.Install stunnel on both local and remote devices:ĭownload and install the latest version of stunnel from stunnel website: Ģ.Create stunnel config on local device /etc/stunnel/nf: it is a cheap device and has a very low power usage and can be running 24/7, so it is very suitable to act as a full featured Linux based router. In my own setup, I am using a raspberry pi 2 for my local device. This can be achieved easily using a powerful Linux application called Stunnel. Theoretically what we are going to achieve is to intercept all TCP connections on our local network transparently, encrypt them and then tunnel them to our remote server. In order to make this setup, you need two Linux based boxes, one in your local network and one which will act as server in a remote location. Just do whatever is needed to establish your tunnel and pass the socket to nnect(.A Transparent SSL Socks proxy can be useful to encrypt and secure all TCP connections and/or infiltrate Internet censorship systems. Here are some other resources on how to tunnel through proxies. If "\r\n\r\n" in chunk: # we do not want to read too far ) # in worst case this loop will take 2 seconds if not response was received (sock.timeout) ![]() ttimeout(2) # quick hack - replace this with something better performing. Sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)Ĭmd_connect = "CONNECT %s:%d HTTP/1.1\r\n\r\n"%target Logging.basicConfig(loglevel=logging.DEBUG)ĭef http_proxy_tunnel_connect(proxy, target,timeout=None): If there's SSL-Interception involved you could still try to tunnel it via ssl or as part of HTTP payload :) import paramiko If there's no DPI/SSL-Interception features involved, you should be fine. If this ultimately allows you to bypass your firewall depends on what kind of firewall is employed. Usually this is restricted to port 443 (hint: if you make your sshd listen on 443 this will work with most of the public proxies even thought I do not recommend to do this for interop and security reasons). The proxy and the sshd are running on the same host in my example but all you need is any proxy that allows you to CONNECT to your ssh port. This scenario works with a default installation of tinyproxy with Allow and ConnectPort 22 being set in /etc/nf. The result is a TCP tunnel over the established session that is usually used to tunnel SSL but can be used for any tcp based protocol. At first the connection to the proxy is established and the proxy is instructed to connect to localhost:22. You can use any pre-established session to paramiko via the sock parameter in nnect(hostname,username,password.,sock).īelow is a code-snippet that tunnels SSH via HTTP-Proxy-Tunnel (HTTP-CONNECT).
0 Comments
Leave a Reply. |