Linux Socks Proxy
How to setup SOCKS proxy in Linux – Lintel Technologies Blog
A SOCKS server is a general purpose proxy server that establishes a TCP connection to another server on behalf of a client, then routes all the traffic back and forth between the client and the server. It works for any kind of network protocol on any port. SOCKS Version 5 adds additional support for security and UDP.
Use of SOCKS is as a circumvention tool, allowing traffic to bypass Internet filtering to access content otherwise blocked, e. g., by governments, workplaces, schools, and country-specific web services
Using SSH
SOCKS proxies can be created without any special SOCKS proxy software if you have Open SSH installed on your server and an SSH client with dynamic tunnelling support installed on your client computer.
ssh -D 1080 user@
Now, enter your password and make sure to leave the Terminal window open. You have now created a SOCKS proxy at localhost:1080. Only close this window if you wish to disable your local SOCKS proxy.
Using Microsocks program
MicroSocks is a multithreaded, small, efficient SOCKS5 server.
It’s very lightweight, and very light on resources too:
for every client, a thread with a stack size of 8KB is spawned. the main process basically doesn’t consume any resources at all.
the only limits are the amount of file descriptors and the RAM.
It’s also designed to be robust: it handles resource exhaustion gracefully by simply denying new connections, instead of calling abort() as most other programs do these days.
another plus is ease-of-use: no config file necessary, everything can be done from the command line and doesn’t even need any parameters for quick setup.
Installing microsocks
“`git clone `
“`cd microsocks“`
“`make“`
Starting socks service
microsocks -1 -i listenip -p port -u user -P password -b bindaddr
all arguments are optional. by default listenip is 0. 0. 0 and port 1080.
option -1 activates auth_once mode: once a specific ip address authed successfully with user/pass, it is added to a whitelist and may use the proxy without auth. this is handy for programs like firefox that don’t support user/pass auth. for it to work you’d basically make one connection with another program that supports it, and then you can use firefox too.
Turn any Linux computer into a SOCKS5 proxy with one …
Last updated
2 weeks ago
I thought I’d write a shorter article this time. It goes hand in hand with my upcoming article series on 100% technical guide to anonymity and it’s much easier to write larger articles by splitting them into smaller pieces. I can then just edit them together and produce the final article.
This article will be interesting to everyone who didn’t know this awesome fact already – you can turn any Linux computer into a SOCKS5 (and SOCKS4) proxy with just one ssh command command and no extra tools.
ssh -N -D 0. 0. 0:1080 localhost
Even better – it doesn’t require root privileges. The ssh command starts up dynamic -D port forwarding on port 1080 and talks to the clients via SOCSK5 or SOCKS4 protocols, just like a regular SOCKS5 proxy would. The -N option makes sure ssh stays idle and doesn’t execute any commands on localhost.
If you also want the command to go into background as a daemon, then add the -f option:
ssh -f -N -D 0. 0:1080 localhost
To use it, just make your software use SOCKS5 proxy on your Linux computer’s IP, port 1080, and you’re done – all your requests will now get proxied.
Access control can be implemented via iptables. For example, to allow only people from the ip 1. 2. 3. 4 to use SOCKS5 proxy, add the following iptables rules:
iptables -A INPUT –src 1. 4 -p tcp –dport 1080 -j ACCEPT
iptables -A INPUT -p tcp –dport 1080 -j REJECT
The first rule says, allow anyone from 1. 4 to connect to port 1080, and the other rule says, deny everyone else from connecting to port 1080.
However, executing iptables requires root privileges. If you don’t have root privileges, and you don’t want to leave your proxy open (and you really don’t want to do that), you’ll have to use some kind of a simple TCP proxy wrapper to do access control.
Here, I just wrote one in Perl. It’s called and it uses IO::Socket::INET to abstract sockets, and IO::Select to do connection multiplexing.
#! /usr/bin/perl
#
use warnings;
use strict;
use IO::Socket::INET;
use IO::Select;
my @allowed_ips = (‘1. 4’, ‘5. 6. 7. 8’, ‘127. 1’, ‘192. 168. 1. 2’);
my $ioset = IO::Select->new;
my%socket_map;
my $debug = 1;
sub new_conn {
my ($host, $port) = @_;
return IO::Socket::INET->new(
PeerAddr => $host,
PeerPort => $port) || die “Unable to connect to $host:$port: $! “;}
sub new_server {
my $server = IO::Socket::INET->new(
LocalAddr => $host,
LocalPort => $port,
ReuseAddr => 1,
Listen => 100) || die “Unable to listen on $host:$port: $! “;}
sub new_connection {
my $server = shift;
my $client = $server->accept;
my $client_ip = client_ip($client);
unless (client_allowed($client)) {
print “Connection from $client_ip denied. \n” if $debug;
$client->close;
return;}
print “Connection from $client_ip accepted. \n” if $debug;
my $remote = new_conn(‘localhost’, 55555);
$ioset->add($client);
$ioset->add($remote);
$socket_map{$client} = $remote;
$socket_map{$remote} = $client;}
sub close_connection {
my $client = shift;
my $remote = $socket_map{$client};
$ioset->remove($client);
$ioset->remove($remote);
delete $socket_map{$client};
delete $socket_map{$remote};
$remote->close;
print “Connection from $client_ip closed. \n” if $debug;}
sub client_ip {
return inet_ntoa($client->sockaddr);}
sub client_allowed {
return grep { $_ eq $client_ip} @allowed_ips;}
print “Starting a server on 0. 0:1080\n”;
my $server = new_server(‘0. 0’, 1080);
$ioset->add($server);
while (1) {
for my $socket ($ioset->can_read) {
if ($socket == $server) {
new_connection($server);}
else {
next unless exists $socket_map{$socket};
my $remote = $socket_map{$socket};
my $buffer;
my $read = $socket->sysread($buffer, 4096);
if ($read) {
$remote->syswrite($buffer);}
close_connection($socket);}}}}
To use it, you’ll have to make a change to the previous configuration. Instead of running ssh SOCKS5 proxy on 0. 0:1080, you’ll need to run it on localhost:55555.
ssh -f -N -D 55555 localhost
After that, run the
perl
TCP proxy will start listening on 0. 0:1080 and will redirect only the allowed IPs in @allowed_ips list to localhost:55555.
Another possibility is to use another computer instead of your own as an exit node. What I mean is you can do the following.
ssh -f -N -D 1080
This will set up a SOCKS5 proxy on localhost:1080 but when you use it, ssh will automatically tunnel your requests (encrypted) via This way you can hide what you’re doing on the Internet from anyone who might be sniffing your link. They will see that you’re communicating with but the traffic will be encrypted so they won’t be able to tell what you’re doing.
That’s it. You’re now the proxy king!
Download
Download link:
I also pushed to GitHub. You can fork it and contribute. For example, you could make it redirect between any number of hosts:ports, not just two, implement onion routing, and better access control.
I’ll also soon write the definitive guide to ssh port forwarding because it’s an interesting but little understood topic.
See you next time!
Thanks for reading my post. If you enjoyed it and would like to receive my posts automatically, you can subscribe to new posts via rss feed or email.
Create a SOCKS proxy on a Linux server with SSH to bypass …
Mattias Geniar, January 19, 2017
Follow me on Twitter as @mattiasgeniar
Are you on a network with limited access? Is someone filtering your internet traffic, limiting your abilities? Well, if you have SSH access to _any _server, you can probably set up your own SOCKS5 proxy and tunnel all your traffic over SSH.
From that point on, what you do on your laptop/computer is sent encrypted to the SOCKS5 proxy (your SSH server) and that server sends the traffic to the outside.
It’s an SSH tunnel on steroids through which you can easily pass HTTP and HTTPs traffic.
And it isn’t even that hard. This guide is for Linux/Mac OSX users that have direct access to a terminal, but the same logic applies to PuTTy on Windows too.
You set up a SOCKS 5 tunnel in 2 essential steps. The first one is to build an SSH tunnel to a remote server.
Once that’s set up, you can configure your browser to connect to the local TCP port that the SSH client has exposed, which will then transport the data through the remote SSH server.
It boils down to a few key actions;
You open an SSH connection to a remote server. As you open that connection, your SSH client will also open a local TCP port, available only to your computer. In this example, I’ll use local TCP port:1337.
You configure your browser (Chrome/Firefox/…) to use that local proxy instead of directly going out on the internet.
The remote SSH server accepts your SSH connection and will act as the outgoing proxy_/vpn_ for that SOCKS5 connection.
To start such a connection, run the following command in your terminal.
$ ssh -D 1337 -q -C -N
What that command does is;
-D 1337: open a SOCKS proxy on local port:1337. If that port is taken, try a different port number. If you want to open multiple SOCKS proxies to multiple endpoints, choose a different port for each one.
-C: compress data in the tunnel, save bandwidth
-q: quiet mode, don’t output anything locally
-N: do not execute remote commands, useful for just forwarding ports
the remote SSH server you have access to
Once you run that, ssh will stay in the foreground until you CTRL+C it to cancel it. If you prefer to keep it running in the background, add -f to fork it to a background command:
$ ssh -D 1337 -q -C -N -f
Now you have an SSH tunnel between your computer and the remote host, in this example
Next up: tell your browser to use that proxy. This is something that should be done per application as it isn’t a system-wide proxy.
In Chrome, go to the chromesettings/ screen and click through to Advanced Settings. Find the Proxy Settings.
In Firefox, go to Preferences > Advanced > Network and find the Connection settings. Change them as such:
From now on, your browser will connect to localhost:1337, which is picked up by the SSH tunnel to the remote server, which then connects to your HTTP or HTTPs sites.
This has some advantages and some caveats. For instance, most of your traffic is now encrypted.
What you send between the browser and the local SOCKS proxy is encrypted if you visit an HTTPs site, it’s plain text if you visit an HTTP site.
What your SSH client sends between your computer and the remote server is always encrypted.
What your remote server does to connect to the requested website may be encrypted (if it’s an HTTPS site) or may be plain text, in case of plain HTTP.
Some parts of your SOCKS proxy are encrypted, some others are not.
If you’re somewhere with limited access, you might not be allowed to open an SSH connection to a remote server. You only need to get an SSH connection going, and you’re good to go.
So as an alternative, run your SSH server port on additional ports, like:80, :443 or:53: web and DNS traffic is usually allowed out of networks. Your best bet is:443, as it’s already an encrypted protocol and less chance of deep packet inspection middleware from blocking your connection because it doesn’t follow the expected protocol.
The chances of:53 working are also rather slim, as most DNS is UDP based and TCP is only use in either zone transfers or rare DNS occasions.
Visit any “what is my IP” website and refresh the page before and after your SOCKS proxy configuration.
If all went well, your IP should change to that of your remote SSH server, as that’s now the outgoing IP for your web browsing.
If your SSH tunnel is down, crashed or wasn’t started yet, your browser will kindly tell you that the SOCKS proxy is not responding.
If that’s the case, restart the ssh command, try a different port or check your local firewall settings.
Want to subscribe to the newsletter?
I write a weekly-ish newsletter on Linux, open source & webdevelopment called
It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.
No spam. Just some good, practical Linux & open source content.
Frequently Asked Questions about linux socks proxy
How use SOCKS5 proxy in Linux?
To use it, just make your software use SOCKS5 proxy on your Linux computer’s IP, port 1080, and you’re done – all your requests will now get proxied. The first rule says, allow anyone from 1.2. 3.4 to connect to port 1080 , and the other rule says, deny everyone else from connecting to port 1080 .
How do I use SOCKS in Linux?
Configuring Your Browser to Use ProxySelect the Manual proxy configuration radio button.Enter 127.0. 0.1 in the SOCKS Host field and 9090 in the Port field.Check the Proxy DNS when using SOCKS v5 checkbox.Click on the OK button to save the settings.Mar 19, 2019
How do I use SOCKS proxy in terminal?
2 Answers. You can use http_proxy environmentvariable like this: export http_proxy=”socks5://localhost:9050″ Now the terminal will use that as proxy.Apr 17, 2015