BBC iPlayer or How I Learned to Stop Worrying and Love the SSH Tunnel

March 25th, 2010

Anyone who grew up or lives in Ireland is familiar with BBC television thanks to cable and satellite TV. Because of our proximity to Wales and especially Northern Ireland, we in the east and north of the country have been able to receive BBC broadcasts for decades despite not paying a license fee in that country. I’ve long felt that this state of affairs should continue even into the Digital Era despite BBC’s best efforts to lock iPlayer down to only those people who live in the United Kingdom (a.k.a., license fee payers). My attempts to circumvent their geo-location recognition mechanisms have always been fruitless until one day last week when I was reading through the man page for SSH.

As I scanned the various command line flags for whatever it was that I was looking for my eyes settled for a moment on the description of the -D parameter and I had a minor epiphany. When you ssh to a remote host using the -D flag, ssh establishes an encrypted tunnel that listens on a TCP port on your local host. You can then direct traffic across this tunnel by specifying the port as a SOCKS proxy. Traffic pops out the other side and is forwarded to its destination, where it looks as though it originated on the device to which you SSHed. Clear as mud, so let’s try an example:

localhost$ ssh -D 8080 myuser@remotehost

This will establish an SSH session on remotehost and will open port 8080 on localhost. What you then do is open your web browser and set localhost:8080 as your SOCKS proxy server. All of your web traffic will be sent across the SSH session and will appear to originate on remotehost.

A few years ago a colleague of mine gave me a shell account on a server he runs in the UK. Up to now I haven’t had much use for the account other than for testing my routing configurations from an offnet server. Not any more!

Now, I don’t necessarily want to send all of my traffic across the SSH tunnel. For one thing, the encryption and compression inherent in the SSH connection limit the amount of bandwidth that I can send/receive. For another, if the SSH tunnel goes down for any reason (for example, if I close the lid on my laptop then the SSH session times out) all of my web traffic is being sent to a non-existent web proxy. Carnage, especially when my wife is trying to browse the Asos catalogue or watch ‘Home & Away’ in the RTE Player. Nor do I want to have to reconfigure my browser’s proxy settings every time I feel like looking at an episode of ‘Seven Ages of Britain’ or ‘QI XL’.

One of the neat things about the -D flag is that other PCs can use the tunnel that it creates as a SOCKS proxy. The neat thing about my router is that it runs Linux (OpenWRT to be exact). So I got to thinking: is there any way that I can use my router to selectively redirect web traffic into my SSH tunnel? Of course there is!

The first thing to do was to install Screen on my router. Screen is a terminal multiplexer – a program that acts as a wrapper around Linux/Unix shells, allowing you to attach to and detach from them without losing your shell sessions. I start my SSH session in a Screen and then detach, leaving the session running in the background (and meaning that I don’t need to remain logged into my router from my laptop).

I then installed Privoxy, a proxy server. Privoxy has lots of great features but I chose it over Squid (which I’m more familiar with) for one reason: Privoxy supports forwarding into SOCKS proxies whereas Squid doesn’t. Privoxy seems to be lighter as well, always a concern on a device with limited memory. I’ve configured Privoxy to listen on port 8118 and to accept intercepted connections.

This last configuration point is the final and key piece in this puzzle. I added the following rule to my iptables ruleset:

iptables -t nat -A PREROUTING -i br-lan -p tcp -d 212.58.240.0/20 --dport 80 -j REDIRECT --to-ports 8118

This command is straightforward. Any traffic received on br-lan (i.e., any of my LAN interfaces) destined for BBC’s network (212.58.240.0/20) and with a destination TCP port of 80 (the port that webservers listen on) should be redirected (i.e., intercepted) to port 8118 on the router (8118, as I mentioned above, is the port that Privoxy is listening on).

Now when I want to watch BBC iPlayer I don’t have to do anything – my BBC-destined web traffic is redirected to the SSH tunnel via Privoxy and my non-BBC traffic is allowed to exit via the router’s WAN interface unmolested. Sweeeeeeeet.
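The failure mode mentioned earlier, where a dropped tunnel leaves intercepted traffic pointed at a dead proxy, can be handled on the router with a small watchdog that keeps the REDIRECT rule in place only while the SOCKS listener is up. This is an added example, not part of the original post; it assumes the `ssh -D` listener runs on the router at 127.0.0.1:8080 and that `netstat`, `awk` and an iptables build supporting `-C` are available there.

```shell
#!/bin/sh
# Added example: keep the REDIRECT rule only while the SSH SOCKS listener is up.
SOCKS_ADDR="${SOCKS_ADDR:-127.0.0.1:8080}"   # assumed: ssh -D 8080 started on the router
IPTABLES="${IPTABLES:-iptables}"
# Rule body copied from the post.
RULE="PREROUTING -i br-lan -p tcp -d 212.58.240.0/20 --dport 80 -j REDIRECT --to-ports 8118"

# Reads `netstat -ltn` output on stdin; succeeds if $1 is a listening TCP socket.
socks_up() {
    awk -v addr="$1" '$1 ~ /^tcp/ && $4 == addr && $6 == "LISTEN" { up = 1 } END { exit !up }'
}

# decide_action <tunnel: up|down> <rule: present|absent> prints add, delete or none.
decide_action() {
    case "$1:$2" in
        up:absent)    echo add ;;
        down:present) echo delete ;;
        *)            echo none ;;
    esac
}

# One watchdog pass: inspect the current state, then apply the single change needed.
sync_rule() {
    tunnel=down; rule=absent
    netstat -ltn 2>/dev/null | socks_up "$SOCKS_ADDR" && tunnel=up
    # -C tests for an existing rule without modifying the table.
    $IPTABLES -t nat -C $RULE 2>/dev/null && rule=present
    action=$(decide_action "$tunnel" "$rule")
    case "$action" in
        add)    $IPTABLES -t nat -A $RULE ;;
        delete) $IPTABLES -t nat -D $RULE ;;
    esac
    echo "$tunnel $rule $action"
}

# Run a pass only when invoked as `script.sh run` (for example from cron every minute).
if [ "${1:-}" = "run" ]; then
    sync_rule
fi
```

With the rule removed while the tunnel is down, LAN clients reach the destination network directly through the WAN interface instead of timing out against Privoxy.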

Finn – Two Years (!)

February 18th, 2010

In honour of Finn’s second birthday tomorrow, I put together a montage of photos from the very first photo I ever took of him – when he was a few years old – to the most recent, taken on Tuesday last. Music is by The Ting Tings, ‘Great DJ’ – Finn’s favourite song (known to him as ‘ah ah song’). As always, please don’t sue me.

Twitter + Flickr = twitickr

February 7th, 2010

Just a quick post to point out that I’ve made an experimental Twitter/Flickr mash-up: twitickr.

Christmas and Snow Day

January 6th, 2010

First post of the New Year and first proper post in donkey’s!

The last two or three weeks have seen two ‘first proper’ events for Finn. To begin with, this was his first proper Christmas; that is to say, the first Christmas that he’s really been aware of what’s going on though he didn’t really understand all of it.


He knows who Santa is, for example, and will point him out when he sees a picture of him or someone dressed as him (or if he sees a polar bear, for some inexplicable reason). He’ll also tell him that Santa says ‘ho ho’ if you ask. But I don’t think he quite grasps the concept of Santa as a bringer of presents. Before we opened the sitting room door on Christmas morning, Áine and I told him that we could hear Santa trying to get back up the chimney. Finn got a bit frightened when we said this so we had to hold his hands while we opened the door for him and lead him into the room.

His reaction to his presents was funny; his main gift from Santa was a bike and he got a few other knick-knacks such as a ‘Roary the Racing Car’ racetrack, some books, a Fisher Price Noah’s Ark and so on. Santa had quite helpfully unpacked everything and set it up before heading off, leaving the bike at the front of the pile. Áine and I felt a bit relieved when we saw Finn race over and grab his bike – we had, after all, written his letter on his behalf. Imagine our dismay then when he pushed it out of the way so that he could get to Roary! The bike hasn’t had a look-in but that’s probably the weather. Right?

The other ‘first proper’ for Finn this year was snow. Last time he was too young to go out in it (and couldn’t walk anyway) so this year we brought him out for a few minutes. It had started to thaw so we couldn’t build him a snowman but he enjoyed stomping about in it. He wasn’t too impressed when he tried to pick some up and discovered how cold it can be though!


It’s Alive!

November 26th, 2009

Barely.