{"id":678,"date":"2007-12-06T23:43:22","date_gmt":"2007-12-07T04:43:22","guid":{"rendered":"http:\/\/www.bytebot.net\/blog\/archives\/2007\/12\/06\/secure-travelling-tips-with-iptables-and-ssh-port-forwarding"},"modified":"2007-12-06T23:48:27","modified_gmt":"2007-12-07T04:48:27","slug":"secure-travelling-tips-with-iptables-and-ssh-port-forwarding","status":"publish","type":"post","link":"http:\/\/www.bytebot.net\/blog\/archives\/2007\/12\/06\/secure-travelling-tips-with-iptables-and-ssh-port-forwarding","title":{"rendered":"Secure travelling tips with iptables and SSH port forwarding"},"content":{"rendered":"

The general paranoia at conferences is such that there almost always is WiFi, and there almost always is someone wanting to snoop your traffic. I guess, in a similar vein, this could also happen at Starbucks. So, on day 1, at foss.in I tried to recollect what I used to do, ages ago (when I used to run Fedora on my R51, before the disk died, and I realised I lacked a backup of \/root).<\/p>\n

iptables<\/strong>
\nFirewalls break networks? They also secure networks. I have access to some legacy POP servers, that don’t support SSL\/TLS like the IMAP servers I have access to. Firing up Thunderbird, to change the settings, to point to localhost, just seems like a waste of time. So the magic of iptables comes into play.
\n
\niptables -t nat -A PREROUTING -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235
\niptables -t nat -A OUTPUT -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235
\n<\/tt>
\nThe above, ensures that to access my.pop.server:110, the traffic is automatically routed now to localhost:1235. Clearly, I don’t run a POP server on my laptop, so this is where SSH port forwarding comes into play.<\/p>\n

SSH port forwarding<\/strong>
\nProvided you have access to a server via SSH, and you trust it, you can tunnel your traffic through it. Its made very easy by the:
\n-L localport:my.pop.server:foreignport<\/p>\n

So using the above example, that would be -L 1235:my.pop.server:110.<\/p>\n

Then, let’s not forget the useful -C option, to compress traffic.<\/p>\n

And hey, web surfing isn’t secure either, so lets create a SOCKS5 proxy while we’re at it. ssh supports the -D option, which works a charm. Use it such that you have something like:
\n-D 8188<\/p>\n

And now, configure your web browser, to use a SOCKS proxy, localhost:8188. You can also configure it in GNOME, under the Network Proxy, but it seems like not all applications respect it (for instance, I can get pidgin to segfault, and Liferea will not get RSS updates for some reason, etc.).<\/p>\n

So to sum it up, your SSH command should look something like:
\nssh -D 8188 -L 1235:my.pop.server:110 -C my.ssh.server<\/p>\n

Discuss<\/strong>
\nAm I missing something? Do you have an easier iptables rule? Yes, I realise I can also use a VPN. If you have other tips, please don’t hesitate to comment. Thanks.<\/p>\n

Technorati Tags: ssh<\/a>, iptables<\/a>, travel<\/a>, tips<\/a>, wifi<\/a>, open access points<\/a>, socks5<\/a><\/p>\n

Share this:<\/h3>