subverting the man

Do you ever find yourself behind a restrictive firewall that won’t let you check your email with a program like Thunderbird, or behind a filtering web proxy that classifies innocent websites as subversive porn-laden drivel and won’t let you get there? Perhaps the network you’re on won’t allow your favorite instant messenging program out. Maybe you’re on a public wireless network where everything works, but you are worried about people eavesdropping on your private business. This might happen at work, a dorm room, a hospital, or a computer lab.

Enter the subversive power of SSH, if you have access to a *NIX server on an unrestricted and/or unmonitored network. The geniuses behind SSH have made it possible to tunnel TCP traffic through the encrypted session with no extra software required. A note up front – I would not suggest that you use this to visit any content that would otherwise get you fired or ejected from the premises, like porn or sites about how to make bombs, especially if you do not personally own the PC you are using.

There are several approaches to doing this, all of which revolve around forwarding certain TCP ports on your machine to other ports on or beyond the SSH server. One is to forward certain ports to specific destinations, like your local IMAP port to your mailserver’s IP address and IMAP port. Another, which is among the most thorough options available, is to set up a squid proxy on your ssh server and forward local port 3128 to local port 3128 on the other side, then set up specific programs to use port 3128 as an HTTP proxy. I don’t plan to document that option, but if you’re reasonably network-savvy, you can figure it out from that description. This is the option you want to use if you are worried about the local network operator knowing what DNS names you look up.

There is one other option which requires the least total effort and no special software on the server side – turn your ssh client into a SOCKS proxy. To do this, you just set up dynamic port forwarding of local port 1080, and don’t give it a destination. The ssh client and the ssh server work together, and no other software is required on either end. As already mentioned, don’t use this method if you need to keep your DNS queries private.

Here’s how to use the SOCKS proxy method in PuTTY:


Be sure to click the Add button before you try to connect. Once you’re connected, you’ll want to go into the settings for whatever Internet program you’re using and tell it that you’ve got a v5 SOCKS proxy on address, with 1080 as the port number. Some programs don’t give you a way to specify different versions of the SOCKS protocol or the port number.

2 responses to “subverting the man”

  1. The only time I can recall having to deal with this was at the previous corporate overlord and the county library.

  2. This has been a very useful tool and I can promise you that it will get more and more use as time goes on. What we need to do is setup about 4 or 5 *nix clients out there that we can bounce through as a tool for “Authorized people”…. ROFLMAO.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.