Peter Benie wrote a very nice socks proxying library that can be preloaded into dynamically linked executables to make them do all their (tcp) network connections via a socks proxy.
His page describing it is here.
This page is a brief set of hints/howtos for using it under Linux.
I also have some information about porting to and running it under MacOS X
First, download socksproxy.so onto your machine. Note the full path to its location, such as
Then, set up an openssh port forwarder:
ssh -2 -N -f email@example.com -D 1080[ Substituting your CUED account id for
Now set your environment:
export LD_PRELOAD=/some/path/to/socksproxy.so export SOCKS_PROXY_NETWORK=220.127.116.11/16 export SOCKS_PROXY_USERNAME=userid
Any application you run from the shell that has that environment set should redirect tcp connections to any host in the CUED network via the openssh port forwarder.
The code that intercepts the connect() call checks if the connection
is to the
ssh port, and sends those direct. So it should
be safe to run the
ssh command above even after all the
environment variables have been set.
In this case, under linux, it should be safe for a user's
files to run the
export commands listed above, so that
the environment variables are set for all processes started within
the desktop session.
It may be desirable, of course, to make this conditional on not being connected to the CUED network. There are a number of ways to do this; the following comes with no particular recommendation or guarantee:
if [ -z "$TESTEDCUED" ]; then if netstat -rn | egrep -q '^129.169'; then export TESTEDCUED=1 else export TESTEDCUED=0 fi fi if [ "$TESTEDCUED" = 0 ]; then export LD_PRELOAD=/some/path/to/socksproxy.so export SOCKS_PROXY_NETWORK=18.104.22.168/16 fi[ Note that this avoids running the netstat command if you've already got TESTEDCUED set to 1 or 0 in your environment; otherwise every shell would do this. ]
The downside of this is that any attempt to connect to anything in 129.169.*.* will block until the ssh command has been run.
People who suspend their laptops and then move to a different network will also find this approach inadequate.
If you feel confident in your use of ssh and are happy about the
changes to the security boundary that will result, it is feasible
to arrange (by the use of public keys) that the
that sets up the socks proxy tunnel can be run automatically and without
the need for the user to type a password.
My preference is to recommend having an alias for the ssh command, and just remembering to run it when necessary.