HowTo: Connect to a firewalled SSH host via a SSH SOCKS proxy

Print Friendly, PDF & Email

On the previous HowTo page ssh as a socks proxy I described a method to access websites protected by IP address restriction via an SSH SOCKS proxy. In this HowTo I’ll describe how you can access SSH servers via the proxy. Yes, that’s tunneling through the tunnel! This can be done in both standard OpenSSH client and Windows with PuTTY.

First of all grab a proxy connect app. The small app called connect has binaries for Windows as well as source for Unixes. The OpenBSD version of netcat has proxy support (Fedora/CentOS/RHEL uses this version).

Next configure a SSH client to define a proxy host and connect via a proxy for everything else. If you are using OpenSSH do the following in ~/.ssh/config

Host proxy
HostName =
DynamicForward = localhost:8080
ProxyCommand none

Host *
ProxyCommand /usr/bin/nc -X 5 localhost:8080 %h %p

(If you are using PuTTY you can configure similar options under the Connection->Proxy configuration window. Set the Proxy type to SOCKS5, the hostname to localhost and change the path to connect to the full path on your system.)

Next create a listening proxy by connecting to the proxy host. You can simply do:

$ ssh proxy

Or add this to your .bashrc or Gnome/KDE startup by way of a script:

nc -z localhost 8080 >/dev/null || ssh -Nf proxy

This checks to see if the local proxy is open and if not creates it. In the previous post about ssh keys I use a ssh-keysetup script in my ~/.bashrc. I’ve added the above command to the bottom of this script. With this in place you won’t need to initiate the proxy on each new session.

Then open the SSH connection as you would normally. You should be able to ssh directly to firewalled hosts that are available from the proxy host.

About this entry