How to Route All System Traffic Through SSH SOCKS Proxy Using -D Dynamic Port Forwarding


The ssh -D command creates a SOCKS proxy tunnel through your SSH connection. While many applications support SOCKS proxies individually, system-wide routing requires additional configuration.

This method redirects outgoing HTTP and HTTPS traffic (ports 80 and 443) through your SSH proxy:

# Establish SSH tunnel (replace with your details); -f backgrounds ssh, -N opens no remote shell
ssh -f -N -D 1080 user@your.server.com

# Configure iptables rules. A SOCKS listener expects a SOCKS handshake, not raw HTTP,
# so the REDIRECT target must be a transparent proxy (such as redsocks, configured
# further down) that speaks SOCKS5 to the ssh -D listener, on a port distinct from it.
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 1080
sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 1080

For GNOME/Ubuntu systems:

gsettings set org.gnome.system.proxy mode 'manual'
gsettings set org.gnome.system.proxy.socks host 'localhost'
gsettings set org.gnome.system.proxy.socks port 1080

For terminal-based applications:

# With curl, socks5h:// instead of socks5:// resolves hostnames on the proxy side, avoiding local DNS lookups
export ALL_PROXY=socks5://localhost:1080
export HTTP_PROXY=socks5://localhost:1080
export HTTPS_PROXY=socks5://localhost:1080

To prevent DNS leaks when routing all traffic:

# Edit /etc/resolv.conf (on systems with a local resolver daemon, edit its config instead, as it regenerates this file)
# This only selects the upstream resolver: UDP port 53 queries are not caught by the TCP
# REDIRECT rules above, so confirm with tcpdump (see the checklist at the end of this page).
nameserver 8.8.8.8
options edns0 single-request-reopen

Verify your IP is routed through proxy:

# Should print the SSH server's public address, not your own
curl --socks5 localhost:1080 ifconfig.me

If that fails:

  • Check SSH server allows TCP forwarding (AllowTcpForwarding yes in sshd_config)
  • Ensure local firewall permits connections to proxy port
  • Test basic SSH connectivity before proxy setup

When working with ssh -D, we typically create a SOCKS proxy that applications can optionally use. However, system-wide traffic routing requires deeper network stack integration. The fundamental issue lies in intercepting outbound connections before they hit the network interface.

For Linux systems, we can leverage iptables to redirect traffic:


# Redirect all TCP traffic (except SSH and loopback) to the transparent proxy listener (redsocks local_port below).
# The loopback exemption keeps redsocks' own connection to the ssh -D port from being redirected back into itself.
sudo iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN
sudo iptables -t nat -A OUTPUT -p tcp ! --dport 22 -j REDIRECT --to-ports 1080

Combine this with a transparent proxy solution like redsocks:


# redsocks configuration example
base {
    log_debug = on;
    log_info = on;
    daemon = on;
    redirector = iptables;   // how redsocks recovers the original destination of redirected connections
}

redsocks {
    local_ip = 127.0.0.1;
    local_port = 1080;       // the port the iptables REDIRECT rule sends traffic to
    ip = 127.0.0.1;
    port = 9050;             // the port given to ssh -D (must differ from local_port)
    type = socks5;
}

On macOS, we can use pfctl for similar functionality:


# Anchor file: redirect outbound TCP (except SSH) to the transparent proxy listener (redsocks-style, not the raw ssh -D port)
echo "rdr pass on lo0 inet proto tcp from any to any port != 22 -> 127.0.0.1 port 1080" | sudo tee /etc/pf.anchors/proxy
# Load the rules and enable pf
sudo pfctl -ef /etc/pf.anchors/proxy

For Windows systems, consider using Proxifier or implementing a custom TUN device:


# PowerShell: list network profiles (interface, name, category)
Get-NetConnectionProfile | Select-Object InterfaceIndex, Name, NetworkCategory
# PowerShell: show the current per-user proxy settings
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' | Select-Object ProxyEnable, ProxyServer

Always verify your setup with:


# Should print the SSH server's public address; --socks5-hostname instead of --socks5 also resolves the name through the proxy
curl --socks5 localhost:1080 ifconfig.me
# TCP traceroute to port 80 (--icmp and --tcp are mutually exclusive; pick one)
traceroute --tcp --port=80 example.com

Remember to:

  • Whitelist critical services (SSH, DNS)
  • Monitor for DNS leaks with tcpdump -i any port 53
  • Consider VPN alternatives for more comprehensive solutions
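Added example (not from the original post): a minimal SOCKS5 CONNECT client that sends the hostname to the proxy (RFC 1928 address type 0x03) instead of resolving it locally, which is the difference between curl --socks5 and --socks5-hostname and the usual source of the DNS leaks discussed above. It runs against a constructed in-process stand-in for the ssh -D listener so it works offline; build_connect_request, socks5_connect and demo are names invented for this example.

```python
import socket
import threading

def build_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928) with ATYP=0x03: the proxy end resolves the name."""
    name = host.encode("idna")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big")

def _read_exact(s, n):
    buf = b""  # loop until exactly n bytes arrive; SOCKS fields are fixed-size
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def socks5_connect(proxy, host, port):
    s = socket.create_connection(proxy, timeout=5)
    s.sendall(b"\x05\x01\x00")                          # greeting: offer NO AUTH only
    if _read_exact(s, 2) != b"\x05\x00":
        s.close(); raise ConnectionError("proxy rejected NO AUTH")
    s.sendall(build_connect_request(host, port))
    _ver, rep, _rsv, atyp = _read_exact(s, 4)           # VER REP RSV ATYP
    if rep != 0:
        s.close(); raise ConnectionError(f"CONNECT failed, REP=0x{rep:02x}")
    addr_len = {1: 4, 4: 16}.get(atyp) or _read_exact(s, 1)[0]   # BND.ADDR size by ATYP
    _read_exact(s, addr_len + 2)                        # discard BND.ADDR + BND.PORT
    return s

def _mock_ssh_d_listener(srv, seen):
    """Constructed stand-in for an `ssh -D` listener: records the name it was asked to reach."""
    c, _ = srv.accept()
    with c:
        _read_exact(c, 3); c.sendall(b"\x05\x00")
        hdr = _read_exact(c, 4)
        assert hdr[3] == 3, "client resolved the name locally (ATYP != 0x03)"
        name = _read_exact(c, _read_exact(c, 1)[0]).decode()
        seen.append((name, int.from_bytes(_read_exact(c, 2), "big")))
        c.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6 + name.encode())  # success, BND 0.0.0.0:0, then echo

def demo(host="example.com", port=80):
    """Run the client against the mock; return (name, port) the proxy saw and the echo."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    seen = []
    threading.Thread(target=_mock_ssh_d_listener, args=(srv, seen), daemon=True).start()
    with socks5_connect(srv.getsockname(), host, port) as s:
        echoed = _read_exact(s, len(host)).decode()
    srv.close()
    return seen[0][0], seen[0][1], echoed
```

Pointing socks5_connect at ("127.0.0.1", 1080) with a real `ssh -D 1080` running sends the lookup to the SSH server; a client that passes an IP (ATYP 0x01) has already leaked the query locally.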