A Quick and Dirty Proxy

September, 2025
A quick and dirty SOCKS proxy with SSH, RedSocks, and NFT rules

Why use a proxy?

On Linux, forwarding traffic is typically handled by the routing table. However, network rules outside your control may block traffic forwarding. In such cases, a tunnel can be the best workaround.

ssh -D 1080 -N -f user@host will create a secure SOCKS tunnel from one host to another. This works well for applications that respect the HTTP_PROXY and HTTPS_PROXY environment variables. For example:

HTTPS_PROXY=socks5h://127.0.0.1:1080 curl https://ifconfig.me

This is convenient for one‑off commands, but there’s a more flexible approach: use nftables to forward traffic to RedSocks listening on 127.0.0.1:12345, and let RedSocks forward traffic into the SSH SOCKS tunnel at 127.0.0.1:1080.

[HOST 1 → nftables rules → RedSocks:12345 → SOCKS tunnel:1080] ⇢ SSH ⇢ [HOST 2]

Configuration

First, install RedSocks. By default it listens on port 12345 and forwards to the local SOCKS tunnel on port 1080.

sudo apt update
sudo apt install redsocks
sudo systemctl start redsocks
sudo systemctl status redsocks
sudo journalctl -u redsocks -f

Next, add nftables firewall rules to redirect traffic destined for 192.168.1.0/24 to RedSocks:

sudo nft flush ruleset # clears the ENTIRE ruleset, including any existing firewall; `sudo nft delete table ip redsocks` removes only this table
sudo nft add table ip redsocks
sudo nft add chain ip redsocks OUTPUT '{ type nat hook output priority -100; policy accept; }' # output hook: locally generated traffic (the prerouting hook only sees packets arriving from other hosts)
sudo nft add rule ip redsocks OUTPUT tcp dport 1080 return # ssh -D 1080
sudo nft add rule ip redsocks OUTPUT ip daddr 192.168.1.0/24 tcp dport != 12345 redirect to 12345 # RedSocks 12345
sudo nft list table ip redsocks

Finally, start the SSH tunnel:

ssh -D 1080 -N -f user@host

After the initial setup, you only need these seven commands:

sudo systemctl start redsocks
sudo nft add table ip redsocks
sudo nft add chain ip redsocks OUTPUT '{ type nat hook output priority -100; policy accept; }'
sudo nft add rule ip redsocks OUTPUT tcp dport 1080 return # ssh -D 1080
sudo nft add rule ip redsocks OUTPUT ip daddr 192.168.1.0/24 tcp dport != 12345 redirect to 12345 # RedSocks 12345
ssh -D 1080 -N -f user@host
sudo journalctl -u redsocks -f

This isn’t production‑ready, but it’s quick and easy to configure—unlike most VPN‑based solutions.
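The same nftables rules as a single file loaded atomically with nft -f, as an added example rather than the post's own commands: a POSIX sh function that writes the redsocks table for a given subnet, with the SSH server itself excluded so that a server inside the subnet cannot loop back into RedSocks. The SSH_SERVER_IP argument, SSH on port 22, the script name and the declare-then-delete reload idiom are assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): emit the nftables ruleset for
# the RedSocks redirect as one file, so it loads atomically with `nft -f`
# instead of as a series of `nft add` commands. Assumes redsocks listens on
# 127.0.0.1:12345, `ssh -D` on 127.0.0.1:1080, and the SSH server on port 22.
set -eu

# gen_redsocks_ruleset SUBNET SSH_SERVER_IP [REDSOCKS_PORT] [SOCKS_PORT]
# Prints the ruleset to stdout; returns 1 if SUBNET is not in CIDR form.
gen_redsocks_ruleset() {
    subnet=$1
    ssh_server=$2
    rs_port=${3:-12345}
    socks_port=${4:-1080}
    case "$subnet" in
        */*) ;;
        *)  echo "gen_redsocks_ruleset: SUBNET must be CIDR, got '$subnet'" >&2
            return 1 ;;
    esac
    cat <<EOF
# Declare-then-delete keeps the reload idempotent: the first line creates the
# table if it is missing, so the delete does not fail on a fresh host.
table ip redsocks
delete table ip redsocks
table ip redsocks {
    chain OUTPUT {
        # output hook: only this host's own (locally generated) packets
        type nat hook output priority -100; policy accept;
        # never redirect the SSH session that carries the tunnel, otherwise
        # a server inside SUBNET would be sent back into RedSocks (assumed port 22)
        ip daddr $ssh_server tcp dport 22 return
        # RedSocks' own connections to the local SOCKS listener stay direct
        tcp dport $socks_port return
        ip daddr $subnet tcp dport != $rs_port redirect to :$rs_port
    }
}
EOF
}

# Usage: sh gen_redsocks_nft.sh 192.168.1.0/24 SSH_SERVER_IP | sudo nft -f -
if [ $# -ge 2 ]; then
    gen_redsocks_ruleset "$@"
fi
```

Check the loaded result with `sudo nft list table ip redsocks`; the return rules must appear before the redirect rule.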

Caveats

With HTTPS_PROXY=socks5h://127.0.0.1:1080 curl https://ifconfig.me, the socks5h scheme makes curl hand the hostname to the SOCKS proxy, so name resolution happens on the far side of the tunnel. The setup above does not do this: applications resolve names locally before they connect, and the nftables rules redirect only TCP traffic destined for 192.168.1.0/24, so DNS queries never enter the tunnel without additional configuration.