The general paranoia at conferences is such that there almost always is WiFi, and there almost always is someone wanting to snoop your traffic. I guess, in a similar vein, this could also happen at Starbucks. So, on day 1, at foss.in I tried to recollect what I used to do, ages ago (when I used to run Fedora on my R51, before the disk died, and I realised I lacked a backup of /root).
Firewalls break networks? They also secure networks. I have access to some legacy POP servers, that don’t support SSL/TLS like the IMAP servers I have access to. Firing up Thunderbird, to change the settings, to point to localhost, just seems like a waste of time. So the magic of iptables comes into play.
iptables -t nat -A PREROUTING -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235
iptables -t nat -A OUTPUT -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235
The above, ensures that to access my.pop.server:110, the traffic is automatically routed now to localhost:1235. Clearly, I don’t run a POP server on my laptop, so this is where SSH port forwarding comes into play.
SSH port forwarding
Provided you have access to a server via SSH, and you trust it, you can tunnel your traffic through it. Its made very easy by the:
So using the above example, that would be -L 1235:my.pop.server:110.
Then, let’s not forget the useful -C option, to compress traffic.
And hey, web surfing isn’t secure either, so lets create a SOCKS5 proxy while we’re at it. ssh supports the -D option, which works a charm. Use it such that you have something like:
And now, configure your web browser, to use a SOCKS proxy, localhost:8188. You can also configure it in GNOME, under the Network Proxy, but it seems like not all applications respect it (for instance, I can get pidgin to segfault, and Liferea will not get RSS updates for some reason, etc.).
So to sum it up, your SSH command should look something like:
ssh -D 8188 -L 1235:my.pop.server:110 -C my.ssh.server
Am I missing something? Do you have an easier iptables rule? Yes, I realise I can also use a VPN. If you have other tips, please don’t hesitate to comment. Thanks.