Secure travelling tips with iptables and SSH port forwarding
The general paranoia at conferences is such that there almost always is WiFi, and there almost always is someone wanting to snoop your traffic. I guess, in a similar vein, this could also happen at Starbucks. So, on day 1 at foss.in, I tried to recollect what I used to do ages ago (when I ran Fedora on my R51, before the disk died and I realised I lacked a backup of /root).
iptables
Firewalls break networks? They also secure networks. I have access to some legacy POP servers that don't support SSL/TLS, unlike the IMAP servers I use. Firing up Thunderbird to change the settings to point at localhost just seems like a waste of time, so the magic of iptables comes into play: the mail client keeps talking to my.pop.server:110, and the kernel quietly redirects that connection into an SSH tunnel.
iptables -t nat -A PREROUTING -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235
iptables -t nat -A OUTPUT -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235
The above ensures that traffic to my.pop.server:110 is automatically routed to localhost:1235 instead. Two caveats: for the laptop's own connections only the OUTPUT rule does any work (PREROUTING is consulted only for packets arriving from other hosts, and the kernel refuses to DNAT those to 127.0.0.1 unless route_localnet is enabled), and iptables resolves my.pop.server when the rule is added, so add the rules before joining the untrusted network, or use the server's IP address instead of its name. Clearly, I don't run a POP server on my laptop, so this is where SSH port forwarding comes into play.
SSH port forwarding
Provided you have access to a server via SSH, and you trust it, you can tunnel your traffic through it. It's made very easy by the:
-L localport:my.pop.server:foreignport
So using the above example, that would be -L 1235:my.pop.server:110. Note that my.pop.server is resolved by my.ssh.server, not via the conference DNS, and that only the hop from the laptop to my.ssh.server is encrypted: the leg from my.ssh.server to the POP server is still plaintext, which is fine when the two sit on the same trusted network.
Then, let’s not forget the useful -C option, to compress traffic.
And hey, web surfing isn't secure either, so let's create a SOCKS5 proxy while we're at it. ssh supports the -D option, which works a charm. Use it such that you have something like:
-D 8188
And now configure your web browser to use a SOCKS proxy at localhost:8188. In Firefox, also set network.proxy.socks_remote_dns to true, otherwise DNS lookups still go out over the WiFi even though the page fetches don't. You can also configure it in GNOME, under Network Proxy, but it seems like not all applications respect it (for instance, I can get pidgin to segfault, and Liferea will not get RSS updates for some reason, etc.).
So to sum it up, your SSH command should look something like the following (by default the -L and -D listeners bind to 127.0.0.1 only, so the other people on the WiFi can't ride your tunnel; don't add -g):
ssh -D 8188 -L 1235:my.pop.server:110 -C my.ssh.server
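To tie the iptables and SSH sections together, here is an added example that is not part of the original post: a small POSIX shell script that generates (DRY_RUN=1, the default) or, as root with DRY_RUN=0, applies the nat OUTPUT rules and the matching ssh command for any number of host:port:localport mappings. It also adds a filter-table REJECT for each tunnelled port, keyed on the port alone, so that if a DNAT rule is missing (rules not persisted after a reboot, or a lying conference DNS resolving the name to an address the DNAT doesn't match) the client's plaintext login is refused instead of being sent over the WiFi. This works because filter OUTPUT runs after nat OUTPUT, so redirected packets reach it already rewritten to 127.0.0.1:localport and pass. The host names, ports and the second IMAP mapping are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (DRY_RUN=1, default)
# or applies (DRY_RUN=0, as root) the iptables rules and the ssh command for
# a set of plaintext services tunnelled through an SSH server.
# my.pop.server, my.imap.server and my.ssh.server are placeholder names.

# "remotehost:remoteport:localport" mappings (assumed values).
TUNNELS="my.pop.server:110:1235 my.imap.server:143:1236"
SSH_SERVER="my.ssh.server"
SOCKS_PORT=8188

# Split one mapping into the globals host, port and lport.
parse_mapping() {
    host=${1%%:*}
    rest=${1#*:}
    port=${rest%%:*}
    lport=${rest#*:}
}

# nat OUTPUT rule: the laptop's own packets for host:port are rewritten to
# the local ssh -L listener. No PREROUTING rule: that chain never sees
# locally generated traffic.
nat_rule() {   # $1 = -A (add) or -D (delete), $2 = mapping
    parse_mapping "$2"
    printf 'iptables -t nat %s OUTPUT -p tcp -d %s --dport %s -j DNAT --to-destination 127.0.0.1:%s\n' \
        "$1" "$host" "$port" "$lport"
}

# Fail-closed rules in the filter table, one per distinct remote port.
# Tunnelled packets arrive here already rewritten to 127.0.0.1:lport and
# pass; anything still carrying the real port means no DNAT matched, so the
# plaintext login would leave the laptop. Refuse it instead.
reject_rules() {   # $1 = -A or -D
    for m in $TUNNELS; do parse_mapping "$m"; echo "$port"; done | sort -u |
    while read -r p; do
        printf 'iptables %s OUTPUT -p tcp --dport %s -j REJECT\n' "$1" "$p"
    done
}

# One ssh command: -N (no remote shell), -C, a loopback-only SOCKS listener
# and one loopback-only -L per mapping.
ssh_command() {
    cmd="ssh -N -C -D 127.0.0.1:$SOCKS_PORT"
    for m in $TUNNELS; do
        parse_mapping "$m"
        cmd="$cmd -L 127.0.0.1:$lport:$host:$port"
    done
    printf '%s %s\n' "$cmd" "$SSH_SERVER"
}

# Every firewall rule for every mapping, added (-A) or deleted (-D).
tunnel_rules() {
    for m in $TUNNELS; do nat_rule "$1" "$m"; done
    reject_rules "$1"
}

# Print the commands, or feed them to a shell when DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 0 ]; then sh; else cat; fi
}

case "$1" in
    up)   { tunnel_rules -A; ssh_command; } | run ;;
    down) tunnel_rules -D | run ;;
esac
```

Usage: `sh tunnels.sh up` prints what would be done; `sudo DRY_RUN=0 sh tunnels.sh up` inserts the rules and then runs ssh in the foreground, and `sudo DRY_RUN=0 sh tunnels.sh down` removes the rules again once ssh has been stopped. While ssh is down but the DNAT is in place, the client is redirected to a closed local port and gets a refusal, which is the fail-closed behaviour the trackback below describes; the port-only REJECT covers the remaining case where the DNAT itself is absent or does not match.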
Discuss
Am I missing something? Do you have an easier iptables rule? Yes, I realise I can also use a VPN. If you have other tips, please don’t hesitate to comment. Thanks.
Technorati Tags: ssh, iptables, travel, tips, wifi, open access points, socks5
Why would you want to ever have unencrypted POP connections?
I tunnel all my POP connections through SSH all the time, small transfers have little overhead and messages with big attachments actually go faster due to the -C option.
For web browsing I use a local instance of Squid. If I was feeling paranoid about my web access I could reconfigure Squid to tunnel it easily and have all my HTTP client programs immediately be less vulnerable.
[…] so if the SSH tunnel isn’t up, I can’t POP my mail. I wrote about this in Secure travelling tips with iptables and SSH port forwarding, as that’s what I do on […]