Peter Benie wrote a very nice socks proxying library that can be preloaded into dynamically linked executables to make them do all their (tcp) network connections via a socks proxy.
His page describing it is here.
This page is a brief set of hints/howtos for using it under Linux.
I also have some information about porting to and running it under MacOS X
First, download socksproxy.so onto your machine. Note the full path to its location, such as
/some/path/to/socksproxy.so
Then, set up an openssh port forwarder:
ssh -2 -N -f userid@gate.eng.cam.ac.uk -D 1080[ Substituting your CUED account id for
userid ]
Now set your environment:
export LD_PRELOAD=/some/path/to/socksproxy.so export SOCKS_PROXY_NETWORK=129.169.0.0/16 export SOCKS_PROXY_USERNAME=userid
Any application you run from the shell that has that environment set should redirect tcp connections to any host in the CUED network via the openssh port forwarder.
The code that intercepts the connect() call checks if the connection
is to the ssh port, and sends those direct. So it should
be safe to run the ssh command above even after all the
environment variables have been set.
In this case, under linux, it should be safe for a user's
˜/.bashrc and ˜/.bash_profile
files to run the export commands listed above, so that
the environment variables are set for all processes started within
the desktop session.
It may be desirable, of course, to make this conditional on not being connected to the CUED network. There are a number of ways to do this; the following comes with no particular recommendation or guarantee:
if [ -z "$TESTEDCUED" ]; then
if netstat -rn | egrep -q '^129.169'; then
export TESTEDCUED=1
else
export TESTEDCUED=0
fi
fi
if [ "$TESTEDCUED" = 0 ]; then
export LD_PRELOAD=/some/path/to/socksproxy.so
export SOCKS_PROXY_NETWORK=129.169.0.0/16
fi
[ Note that this avoids running the netstat command if you've already
got TESTEDCUED set to 1 or 0 in your environment; otherwise
every shell would do this. ]
The downside of this is that any attempt to connect to anything in 129.169.*.* will block until the ssh command has been run.
People who suspend their laptops and then move to a different network will also find this approach inadequate.
If you feel confident in your use of ssh and are happy about the
changes to the security boundary that will result, it is feasible
to arrange (by the use of public keys) that the ssh command
that sets up the socks proxy tunnel can be run automatically and without
the need for the user to type a password.
My preference is to recommend having an alias for the ssh command, and just remembering to run it when necessary.