13

I have a working socks proxy from my laptop (machine A) to machine B:

[A]$ ssh -ND 8888 B

I can set up firefox to use socks proxy on the local port 8888, and browsing works. So far so good.

But I also have a socks proxy between machines B and C:

[B]$ ssh -ND 8157 C

So I can browse on B as if I were on C.

Is there a way to chain the two proxies so that I'm able to use firefox locally (on A) while using the connection to C? That is, somehow forward all firefox's socks requests all the way from A to C. A and C cannot see each other directly, but I have full root ssh access everywhere. All machines are Debian.

Note that I don't want to forward a single port (like 80), I want a full chained socks proxy.

user124114

3 Answers

12

On machine B, set up the dynamic proxy to machine C:

ssh -ND 8888 user@C

Then, on machine A:

ssh -L 8888:localhost:8888 user@B

This makes the SOCKS connection on Machine B and makes machine B's port 8888 connect-able from localhost port 8888 on machine A.

This may need 3 ssh connections open if you cannot directly connect to machine B. If you can connect to machine B, you only need 2 and can actually chain the commands if needed.

exussum
1

These are the two solutions I use.

Public SOCKS proxy

Start SOCKS proxy on a public port on machine B

[machineB]$ ssh -ND <public_ip>:8080 user@machineC

or, do it from machine A (two hops)

[machineA]$ ssh user@machineB ssh -ND <machine_b_public_ip>:8080 user@machineC

Then set your browser proxy to on port 8080

Note: Make sure port 8080 is open on machine B's firewall

Tunnelled Proxy

Tunnel a localhost SOCKS proxy from Machine B to Machine A

Separate commands:

[machineB]$ ssh -ND 8080 user@machineC
[machineA]$ ssh -L 8080:localhost:8080 user@machineB

or do it in a single shot:

[machineA]$ ssh -L 8080:localhost:8080 user@machineB ssh -ND 8080 user@machineC

Now set your browser proxy to localhost on port 8080

steven
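The two setups in the answer above differ in the bind address of the SOCKS listener: `ssh -D` does no authentication of its own, so a listener on a public address can be used by anyone who can reach the port, while a loopback listener cannot. As an added example (not part of the original answer), this script flags ssh forward listeners that are not bound to loopback, reading lines in the format of `ss -Htlnp`; the sample lines, PIDs and the 203.0.113.10 address are constructed.

```shell
#!/bin/sh
# Added example: find ssh -D / -L listeners reachable from outside the host.
# Input on stdin: lines as printed by `ss -Htlnp`
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process

exposed_ssh_forwards() {
    awk '
    # Only listening sockets owned by the ssh client (not the sshd daemon).
    $1 == "LISTEN" && $6 ~ /\(\("ssh",/ {
        addr = $4
        port = addr; sub(/.*:/, "", port)        # text after the last colon
        host = addr; sub(/:[0-9]+$/, "", host)   # address without the port
        # Loopback binds (127.0.0.0/8, ::1) are only reachable locally.
        if (host ~ /^127\./ || host == "[::1]") next
        print host, port
    }'
}

# Constructed sample covering the cases on this page:
# tunnelled proxy on localhost, public proxy on <public_ip>, sshd itself,
# and a forward bound to every interface.
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("ssh",pid=2101,fd=4))
LISTEN 0 128 [::1]:8080 [::]:* users:(("ssh",pid=2101,fd=5))
LISTEN 0 128 203.0.113.10:8080 0.0.0.0:* users:(("ssh",pid=2188,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 128 0.0.0.0:8157 0.0.0.0:* users:(("ssh",pid=2250,fd=4))
EOF
}

# Demo on the constructed sample; on a real host use:
#   ss -Htlnp | exposed_ssh_forwards
sample_listeners | exposed_ssh_forwards
```

Run as root on machine B so that `ss -p` can show the owning process for every socket.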
-1

You could reverse SSH from machine A to machine B, then port it to machine C, i.e. machine C:

ssh -R 6333:localhost:22 user@machine_b_ip

This will connect machine C to B through an encrypted tunnel and listen on port 22. Now anything connected to port 6333 on machine B will be sent to machine_c_ip on port 22.

Now connect from machine A to B:

ssh user_of_machine_c@machine_b -p 6333

Now you're connected to machine B on port 6333; anything sent from machine C will be forwarded to machine A.

You could reverse the process on different ports to run cmds from A to C.

I know this ain't SOCKS chaining, but it is a hack for the problem.

buill bogger