extern/sshuttle
1
1
Fork 0
mirror of https://github.com/sshuttle/sshuttle.git synced 2024-11-22 16:03:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
10ce1ee5d4
sshuttle/firewall.py

290 lines
9.1 KiB
Python
Raw Normal View History

import and use subprocess.py from python 2.6. This should hopefully let us run even on python 2.3 on really old servers.
2010-10-01 21:06:56 +02:00
import re, errno
import compat.ssubprocess as ssubprocess
Add a -v (and -vv) flag and decrease default message verbosity.
2010-05-02 08:14:20 +02:00
import helpers
iptables.py: completely replace ipt script. Doing it in python instead of shell makes the code a bit less error prone. Plus we can parse the iptables output and avoid triggering iptables errors.
2010-05-02 03:30:59 +02:00
from helpers import *
Parse options correctly; call ./ipt automatically.
2010-05-02 03:14:19 +02:00
iptables.py: completely replace ipt script. Doing it in python instead of shell makes the code a bit less error prone. Plus we can parse the iptables output and avoid triggering iptables errors.
2010-05-02 03:30:59 +02:00
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
def ipt_chain_exists(name):
iptables.py: completely replace ipt script. Doing it in python instead of shell makes the code a bit less error prone. Plus we can parse the iptables output and avoid triggering iptables errors.
2010-05-02 03:30:59 +02:00
argv = ['iptables', '-t', 'nat', '-nL']
import and use subprocess.py from python 2.6. This should hopefully let us run even on python 2.3 on really old servers.
2010-10-01 21:06:56 +02:00
p = ssubprocess.Popen(argv, stdout = ssubprocess.PIPE)
iptables.py: completely replace ipt script. Doing it in python instead of shell makes the code a bit less error prone. Plus we can parse the iptables output and avoid triggering iptables errors.
2010-05-02 03:30:59 +02:00
for line in p.stdout:
if line.startswith('Chain %s ' % name):
return True
rv = p.wait()
if rv:
iptables: try launching with sudo, then su, then directly. Previous versions depended on having 'sudo' in your PATH. Now that we can feel safe that --iptables will clean up properly when you exit, and it doesn't need to authenticate twice, the advantages of sudo aren't strictly needed. Good old 'su' is a reasonable fallback - and everybody has it, which is nice. Unfortunately su doesn't let you redirect stdin, so I had to play a stupid fd trick to make it work.
2010-05-03 02:54:10 +02:00
raise Fatal('%r returned %d' % (argv, rv))
iptables.py: completely replace ipt script. Doing it in python instead of shell makes the code a bit less error prone. Plus we can parse the iptables output and avoid triggering iptables errors.
2010-05-02 03:30:59 +02:00
def ipt(*args):
argv = ['iptables', '-t', 'nat'] + list(args)
Add a -v (and -vv) flag and decrease default message verbosity.
2010-05-02 08:14:20 +02:00
debug1('>> %s\n' % ' '.join(argv))
import and use subprocess.py from python 2.6. This should hopefully let us run even on python 2.3 on really old servers.
2010-10-01 21:06:56 +02:00
rv = ssubprocess.call(argv)
iptables.py: completely replace ipt script. Doing it in python instead of shell makes the code a bit less error prone. Plus we can parse the iptables output and avoid triggering iptables errors.
2010-05-02 03:30:59 +02:00
if rv:
iptables: try launching with sudo, then su, then directly. Previous versions depended on having 'sudo' in your PATH. Now that we can feel safe that --iptables will clean up properly when you exit, and it doesn't need to authenticate twice, the advantages of sudo aren't strictly needed. Good old 'su' is a reasonable fallback - and everybody has it, which is nice. Unfortunately su doesn't let you redirect stdin, so I had to play a stupid fd trick to make it work.
2010-05-03 02:54:10 +02:00
raise Fatal('%r returned %d' % (argv, rv))
iptables.py: completely replace ipt script. Doing it in python instead of shell makes the code a bit less error prone. Plus we can parse the iptables output and avoid triggering iptables errors.
2010-05-02 03:30:59 +02:00
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
# We name the chain based on the transproxy port number so that it's possible
# to run multiple copies of sshuttle at the same time. Of course, the
# multiple copies shouldn't have overlapping subnets, or only the most-
# recently-started one will win (because we use "-I OUTPUT 1" instead of
# "-A OUTPUT").
def do_iptables(port, subnets):
iptables.py: completely replace ipt script. Doing it in python instead of shell makes the code a bit less error prone. Plus we can parse the iptables output and avoid triggering iptables errors.
2010-05-02 03:30:59 +02:00
chain = 'sshuttle-%s' % port
# basic cleanup/setup of chains
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
if ipt_chain_exists(chain):
iptables.py: completely replace ipt script. Doing it in python instead of shell makes the code a bit less error prone. Plus we can parse the iptables output and avoid triggering iptables errors.
2010-05-02 03:30:59 +02:00
ipt('-D', 'OUTPUT', '-j', chain)
iptables: add a PREROUTING rule so we can proxy for other machines too. If you run sshuttle on a router, it can handle vpn'ing for all the boxes on your network.
2010-05-02 08:00:19 +02:00
ipt('-D', 'PREROUTING', '-j', chain)
iptables.py: completely replace ipt script. Doing it in python instead of shell makes the code a bit less error prone. Plus we can parse the iptables output and avoid triggering iptables errors.
2010-05-02 03:30:59 +02:00
ipt('-F', chain)
ipt('-X', chain)
if subnets:
ipt('-N', chain)
ipt('-F', chain)
ipt('-I', 'OUTPUT', '1', '-j', chain)
iptables: add a PREROUTING rule so we can proxy for other machines too. If you run sshuttle on a router, it can handle vpn'ing for all the boxes on your network.
2010-05-02 08:00:19 +02:00
ipt('-I', 'PREROUTING', '1', '-j', chain)
iptables.py: completely replace ipt script. Doing it in python instead of shell makes the code a bit less error prone. Plus we can parse the iptables output and avoid triggering iptables errors.
2010-05-02 03:30:59 +02:00
Add a --exclude option for excluding subnets from routing. Also, add 127.0.0.0/8 to the default list of excludes. If you want to route 0/0, you almost certainly *don't* want to route localhost to the remote ssh server's localhost! Thanks to Edward for the suggestion.
2010-07-15 20:07:01 +02:00
# create new subnet entries. Note that we're sorting in a very
# particular order: we need to go from most-specific (largest swidth)
# to least-specific, and at any given level of specificity, we want
# excludes to come first. That's why the columns are in such a non-
# intuitive order.
for swidth,sexclude,snet in sorted(subnets, reverse=True):
if sexclude:
ipt('-A', chain, '-j', 'RETURN',
'--dest', '%s/%s' % (snet,swidth),
'-p', 'tcp')
else:
ipt('-A', chain, '-j', 'REDIRECT',
'--dest', '%s/%s' % (snet,swidth),
'-p', 'tcp',
'--to-ports', str(port),
'-m', 'ttl', '!', '--ttl', '42' # to prevent infinite loops
)
iptables: more resilient startup/cleanup. Now the sudo iptables subprocess persists for the entire life of sshuttle. The benefits of this are: - no need to authenticate again at shutdown (failure of which could cause us to not clean up iptables) - if the main process dies unexpectedly, iptables still gets cleaned up - the password prompt can happen *before* starting the ssh/server process, which means it'll stand out and the password prompt won't be overwritten.
2010-05-03 01:29:03 +02:00
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
def ipfw_rule_exists(n):
argv = ['ipfw', 'list']
import and use subprocess.py from python 2.6. This should hopefully let us run even on python 2.3 on really old servers.
2010-10-01 21:06:56 +02:00
p = ssubprocess.Popen(argv, stdout = ssubprocess.PIPE)
BSD ipfw: switch from 'established' to 'keep-state/check-state'. It turns out 'established' doesn't work the way I expected it to from iptables; it's not stateful. It just checks the TCP flags to see if the connection *thinks* it's already established, and follows the rule if so. That caused the first packet of each new connection to set sent to our transproxy, but not the subsequent ones, so weird stuff happened. With this change, any (matching) connection created *after* starting sshuttle will get forwarded, but pre-existing ones - most importantly, sshuttle's own ssh connection - will not. And with this (plus the previous commit), sshuttle works on MacOS, including 10.6!
2010-10-01 09:00:45 +02:00
found = False
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
for line in p.stdout:
if line.startswith('%05d ' % n):
BSD ipfw: switch from 'established' to 'keep-state/check-state'. It turns out 'established' doesn't work the way I expected it to from iptables; it's not stateful. It just checks the TCP flags to see if the connection *thinks* it's already established, and follows the rule if so. That caused the first packet of each new connection to set sent to our transproxy, but not the subsequent ones, so weird stuff happened. With this change, any (matching) connection created *after* starting sshuttle will get forwarded, but pre-existing ones - most importantly, sshuttle's own ssh connection - will not. And with this (plus the previous commit), sshuttle works on MacOS, including 10.6!
2010-10-01 09:00:45 +02:00
if not ('ipttl 42 setup keep-state' in line
or ('skipto %d' % (n+1)) in line
or 'check-state' in line):
log('non-sshuttle ipfw rule: %r\n' % line.strip())
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
BSD ipfw: switch from 'established' to 'keep-state/check-state'. It turns out 'established' doesn't work the way I expected it to from iptables; it's not stateful. It just checks the TCP flags to see if the connection *thinks* it's already established, and follows the rule if so. That caused the first packet of each new connection to set sent to our transproxy, but not the subsequent ones, so weird stuff happened. With this change, any (matching) connection created *after* starting sshuttle will get forwarded, but pre-existing ones - most importantly, sshuttle's own ssh connection - will not. And with this (plus the previous commit), sshuttle works on MacOS, including 10.6!
2010-10-01 09:00:45 +02:00
found = True
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
rv = p.wait()
if rv:
raise Fatal('%r returned %d' % (argv, rv))
BSD ipfw: switch from 'established' to 'keep-state/check-state'. It turns out 'established' doesn't work the way I expected it to from iptables; it's not stateful. It just checks the TCP flags to see if the connection *thinks* it's already established, and follows the rule if so. That caused the first packet of each new connection to set sent to our transproxy, but not the subsequent ones, so weird stuff happened. With this change, any (matching) connection created *after* starting sshuttle will get forwarded, but pre-existing ones - most importantly, sshuttle's own ssh connection - will not. And with this (plus the previous commit), sshuttle works on MacOS, including 10.6!
2010-10-01 09:00:45 +02:00
return found
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
def sysctl_get(name):
argv = ['sysctl', '-n', name]
import and use subprocess.py from python 2.6. This should hopefully let us run even on python 2.3 on really old servers.
2010-10-01 21:06:56 +02:00
p = ssubprocess.Popen(argv, stdout = ssubprocess.PIPE)
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
line = p.stdout.readline()
rv = p.wait()
if rv:
raise Fatal('%r returned %d' % (argv, rv))
if not line:
raise Fatal('%r returned no data' % (argv,))
assert(line[-1] == '\n')
return line[:-1]
def _sysctl_set(name, val):
argv = ['sysctl', '-w', '%s=%s' % (name, val)]
debug1('>> %s\n' % ' '.join(argv))
import and use subprocess.py from python 2.6. This should hopefully let us run even on python 2.3 on really old servers.
2010-10-01 21:06:56 +02:00
rv = ssubprocess.call(argv, stdout = open('/dev/null', 'w'))
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
_oldctls = []
def sysctl_set(name, val):
oldval = sysctl_get(name)
if str(val) != str(oldval):
_oldctls.append((name, oldval))
return _sysctl_set(name, val)
def ipfw(*args):
argv = ['ipfw', '-q'] + list(args)
debug1('>> %s\n' % ' '.join(argv))
import and use subprocess.py from python 2.6. This should hopefully let us run even on python 2.3 on really old servers.
2010-10-01 21:06:56 +02:00
rv = ssubprocess.call(argv)
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
if rv:
raise Fatal('%r returned %d' % (argv, rv))
def do_ipfw(port, subnets):
sport = str(port)
Add a --exclude option for excluding subnets from routing. Also, add 127.0.0.0/8 to the default list of excludes. If you want to route 0/0, you almost certainly *don't* want to route localhost to the remote ssh server's localhost! Thanks to Edward for the suggestion.
2010-07-15 20:07:01 +02:00
xsport = str(port+1)
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
# cleanup any existing rules
if ipfw_rule_exists(port):
ipfw: use 'delete' instead of 'del' to avoid a warning on freebsd. 'del' is an abbreviation that happened to work because of substring matching in earlier versions of ipfw, but apparently they're planning to remove the substring matching eventually. In any case, 'delete' has always worked, so there's no downside to using that. Reported by Ed Maste.
2010-10-05 19:29:12 +02:00
ipfw('delete', sport)
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
while _oldctls:
(name,oldval) = _oldctls.pop()
_sysctl_set(name, oldval)
if subnets:
sysctl_set('net.inet.ip.fw.enable', 1)
Magic incantation to mostly fix MacOS 10.6. It comes down to this: sysctl_set('net.inet.ip.scopedroute', 0) I say "mostly" because actually it doesn't fix it; sshuttle doesn't know what to do with the received connection, so there must be a minor bug remaining somewhere. I'll fix that next. Thanks to dkf <dfortunato@gmail.com> on the sshuttle mailing list for suggesting the magic fix. He points at this post in particular: http://discussions.apple.com/thread.jspa?messageID=11558355&#11558355 that gave him the necessary clue.
2010-10-01 08:19:18 +02:00
sysctl_set('net.inet.ip.scopedroute', 0)
BSD: "ipfw add %d accept ip from any to any established" With this rule, we don't interfere with already-established (or incoming) connections to routes that we're about to take over. This is what happens by default in Linux/iptables.
2010-05-08 02:06:26 +02:00
BSD ipfw: switch from 'established' to 'keep-state/check-state'. It turns out 'established' doesn't work the way I expected it to from iptables; it's not stateful. It just checks the TCP flags to see if the connection *thinks* it's already established, and follows the rule if so. That caused the first packet of each new connection to set sent to our transproxy, but not the subsequent ones, so weird stuff happened. With this change, any (matching) connection created *after* starting sshuttle will get forwarded, but pre-existing ones - most importantly, sshuttle's own ssh connection - will not. And with this (plus the previous commit), sshuttle works on MacOS, including 10.6!
2010-10-01 09:00:45 +02:00
ipfw('add', sport, 'check-state', 'ip',
'from', 'any', 'to', 'any')
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
# create new subnet entries
Add a --exclude option for excluding subnets from routing. Also, add 127.0.0.0/8 to the default list of excludes. If you want to route 0/0, you almost certainly *don't* want to route localhost to the remote ssh server's localhost! Thanks to Edward for the suggestion.
2010-07-15 20:07:01 +02:00
for swidth,sexclude,snet in sorted(subnets, reverse=True):
if sexclude:
ipfw('add', sport, 'skipto', xsport,
'log', 'tcp',
'from', 'any', 'to', '%s/%s' % (snet,swidth))
else:
ipfw('add', sport, 'fwd', '127.0.0.1,%d' % port,
'log', 'tcp',
'from', 'any', 'to', '%s/%s' % (snet,swidth),
BSD ipfw: switch from 'established' to 'keep-state/check-state'. It turns out 'established' doesn't work the way I expected it to from iptables; it's not stateful. It just checks the TCP flags to see if the connection *thinks* it's already established, and follows the rule if so. That caused the first packet of each new connection to set sent to our transproxy, but not the subsequent ones, so weird stuff happened. With this change, any (matching) connection created *after* starting sshuttle will get forwarded, but pre-existing ones - most importantly, sshuttle's own ssh connection - will not. And with this (plus the previous commit), sshuttle works on MacOS, including 10.6!
2010-10-01 09:00:45 +02:00
'not', 'ipttl', '42', 'keep-state', 'setup')
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
def program_exists(name):
paths = (os.getenv('PATH') or os.defpath).split(os.pathsep)
for p in paths:
fn = '%s/%s' % (p, name)
if os.path.exists(fn):
return not os.path.isdir(fn) and os.access(fn, os.X_OK)
Added new --auto-hosts and --seed-hosts options to the client. Now if you use --auto-hosts (-H), the client will ask the server to spawn a hostwatcher to add names. That, in turn, will send names back to the server, which sends them back to the client, which sends them to the firewall subprocess, which will write them to /etc/hosts. Whew! Only the firewall process can write to /etc/hosts, of course, because only he's running as root. Since the name discovery process is kind of slow, we cache the names in ~/.sshuttle.hosts on the remote server. Right now, most of the names are discovered using nmblookup and smbclient, as well as by reading the existing entries in /etc/hosts. What would really be nice would be to query active directory or mdns somehow... but I don't really know how those work, so this is what you get for now :) It's pretty neat, at least.
2010-05-08 09:03:12 +02:00
hostmap = {}
def rewrite_etc_hosts(port):
HOSTSFILE='/etc/hosts'
BAKFILE='%s.sbak' % HOSTSFILE
APPEND='# sshuttle-firewall-%d AUTOCREATED' % port
old_content = ''
firewall: preserve permissions on /etc/hosts Pointed out by nisc on github. If people use an unusual umask or have funny permissions on /etc/hosts, sshuttle would screw it up. We also use hardlinks to atomically backup the original /etc/hosts to /etc/hosts.sbak the first time, rather than manually copying it. Not sure why I didn't think of that before.
2010-05-09 17:22:05 +02:00
st = None
Added new --auto-hosts and --seed-hosts options to the client. Now if you use --auto-hosts (-H), the client will ask the server to spawn a hostwatcher to add names. That, in turn, will send names back to the server, which sends them back to the client, which sends them to the firewall subprocess, which will write them to /etc/hosts. Whew! Only the firewall process can write to /etc/hosts, of course, because only he's running as root. Since the name discovery process is kind of slow, we cache the names in ~/.sshuttle.hosts on the remote server. Right now, most of the names are discovered using nmblookup and smbclient, as well as by reading the existing entries in /etc/hosts. What would really be nice would be to query active directory or mdns somehow... but I don't really know how those work, so this is what you get for now :) It's pretty neat, at least.
2010-05-08 09:03:12 +02:00
try:
old_content = open(HOSTSFILE).read()
firewall: preserve permissions on /etc/hosts Pointed out by nisc on github. If people use an unusual umask or have funny permissions on /etc/hosts, sshuttle would screw it up. We also use hardlinks to atomically backup the original /etc/hosts to /etc/hosts.sbak the first time, rather than manually copying it. Not sure why I didn't think of that before.
2010-05-09 17:22:05 +02:00
st = os.stat(HOSTSFILE)
Added new --auto-hosts and --seed-hosts options to the client. Now if you use --auto-hosts (-H), the client will ask the server to spawn a hostwatcher to add names. That, in turn, will send names back to the server, which sends them back to the client, which sends them to the firewall subprocess, which will write them to /etc/hosts. Whew! Only the firewall process can write to /etc/hosts, of course, because only he's running as root. Since the name discovery process is kind of slow, we cache the names in ~/.sshuttle.hosts on the remote server. Right now, most of the names are discovered using nmblookup and smbclient, as well as by reading the existing entries in /etc/hosts. What would really be nice would be to query active directory or mdns somehow... but I don't really know how those work, so this is what you get for now :) It's pretty neat, at least.
2010-05-08 09:03:12 +02:00
except IOError, e:
if e.errno == errno.ENOENT:
pass
else:
raise
if old_content.strip() and not os.path.exists(BAKFILE):
firewall: preserve permissions on /etc/hosts Pointed out by nisc on github. If people use an unusual umask or have funny permissions on /etc/hosts, sshuttle would screw it up. We also use hardlinks to atomically backup the original /etc/hosts to /etc/hosts.sbak the first time, rather than manually copying it. Not sure why I didn't think of that before.
2010-05-09 17:22:05 +02:00
os.link(HOSTSFILE, BAKFILE)
Added new --auto-hosts and --seed-hosts options to the client. Now if you use --auto-hosts (-H), the client will ask the server to spawn a hostwatcher to add names. That, in turn, will send names back to the server, which sends them back to the client, which sends them to the firewall subprocess, which will write them to /etc/hosts. Whew! Only the firewall process can write to /etc/hosts, of course, because only he's running as root. Since the name discovery process is kind of slow, we cache the names in ~/.sshuttle.hosts on the remote server. Right now, most of the names are discovered using nmblookup and smbclient, as well as by reading the existing entries in /etc/hosts. What would really be nice would be to query active directory or mdns somehow... but I don't really know how those work, so this is what you get for now :) It's pretty neat, at least.
2010-05-08 09:03:12 +02:00
tmpname = "%s.%d.tmp" % (HOSTSFILE, port)
f = open(tmpname, 'w')
for line in old_content.rstrip().split('\n'):
if line.find(APPEND) >= 0:
continue
f.write('%s\n' % line)
for (name,ip) in sorted(hostmap.items()):
f.write('%-30s %s\n' % ('%s %s' % (ip,name), APPEND))
f.close()
firewall: preserve permissions on /etc/hosts Pointed out by nisc on github. If people use an unusual umask or have funny permissions on /etc/hosts, sshuttle would screw it up. We also use hardlinks to atomically backup the original /etc/hosts to /etc/hosts.sbak the first time, rather than manually copying it. Not sure why I didn't think of that before.
2010-05-09 17:22:05 +02:00
if st:
os.chown(tmpname, st.st_uid, st.st_gid)
os.chmod(tmpname, st.st_mode)
else:
os.chown(tmpname, 0, 0)
os.chmod(tmpname, 0644)
Added new --auto-hosts and --seed-hosts options to the client. Now if you use --auto-hosts (-H), the client will ask the server to spawn a hostwatcher to add names. That, in turn, will send names back to the server, which sends them back to the client, which sends them to the firewall subprocess, which will write them to /etc/hosts. Whew! Only the firewall process can write to /etc/hosts, of course, because only he's running as root. Since the name discovery process is kind of slow, we cache the names in ~/.sshuttle.hosts on the remote server. Right now, most of the names are discovered using nmblookup and smbclient, as well as by reading the existing entries in /etc/hosts. What would really be nice would be to query active directory or mdns somehow... but I don't really know how those work, so this is what you get for now :) It's pretty neat, at least.
2010-05-08 09:03:12 +02:00
os.rename(tmpname, HOSTSFILE)
def restore_etc_hosts(port):
global hostmap
hostmap = {}
rewrite_etc_hosts(port)
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
# This is some voodoo for setting up the kernel's transparent
# proxying stuff. If subnets is empty, we just delete our sshuttle rules;
# otherwise we delete it, then make them from scratch.
iptables: more resilient startup/cleanup. Now the sudo iptables subprocess persists for the entire life of sshuttle. The benefits of this are: - no need to authenticate again at shutdown (failure of which could cause us to not clean up iptables) - if the main process dies unexpectedly, iptables still gets cleaned up - the password prompt can happen *before* starting the ssh/server process, which means it'll stand out and the password prompt won't be overwritten.
2010-05-03 01:29:03 +02:00
#
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
# This code is supposed to clean up after itself by deleting its rules on
iptables: more resilient startup/cleanup. Now the sudo iptables subprocess persists for the entire life of sshuttle. The benefits of this are: - no need to authenticate again at shutdown (failure of which could cause us to not clean up iptables) - if the main process dies unexpectedly, iptables still gets cleaned up - the password prompt can happen *before* starting the ssh/server process, which means it'll stand out and the password prompt won't be overwritten.
2010-05-03 01:29:03 +02:00
# exit. In case that fails, it's not the end of the world; future runs will
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
# supercede it in the transproxy list, at least, so the leftover rules
# are hopefully harmless.
Add -N (--auto-nets) option for auto-discovering subnets. Now if you do ./sshuttle -Nr username@myservername It'll automatically route the "local" subnets (ie., stuff in the routing table) from myservername. This is (hopefully a reasonable default setting for most people.
2010-05-08 02:02:04 +02:00
def main(port):
iptables: more resilient startup/cleanup. Now the sudo iptables subprocess persists for the entire life of sshuttle. The benefits of this are: - no need to authenticate again at shutdown (failure of which could cause us to not clean up iptables) - if the main process dies unexpectedly, iptables still gets cleaned up - the password prompt can happen *before* starting the ssh/server process, which means it'll stand out and the password prompt won't be overwritten.
2010-05-03 01:29:03 +02:00
assert(port > 0)
assert(port <= 65535)
iptables: try launching with sudo, then su, then directly. Previous versions depended on having 'sudo' in your PATH. Now that we can feel safe that --iptables will clean up properly when you exit, and it doesn't need to authenticate twice, the advantages of sudo aren't strictly needed. Good old 'su' is a reasonable fallback - and everybody has it, which is nice. Unfortunately su doesn't let you redirect stdin, so I had to play a stupid fd trick to make it work.
2010-05-03 02:54:10 +02:00
if os.getuid() != 0:
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
raise Fatal('you must be root (or enable su/sudo) to set the firewall')
if program_exists('ipfw'):
do_it = do_ipfw
elif program_exists('iptables'):
do_it = do_iptables
else:
raise Fatal("can't find either ipfw or iptables; check your PATH")
iptables: try launching with sudo, then su, then directly. Previous versions depended on having 'sudo' in your PATH. Now that we can feel safe that --iptables will clean up properly when you exit, and it doesn't need to authenticate twice, the advantages of sudo aren't strictly needed. Good old 'su' is a reasonable fallback - and everybody has it, which is nice. Unfortunately su doesn't let you redirect stdin, so I had to play a stupid fd trick to make it work.
2010-05-03 02:54:10 +02:00
# because of limitations of the 'su' command, the *real* stdin/stdout
# are both attached to stdout initially. Clone stdout into stdin so we
# can read from it.
os.dup2(1, 0)
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
debug1('firewall manager ready.\n')
iptables: more resilient startup/cleanup. Now the sudo iptables subprocess persists for the entire life of sshuttle. The benefits of this are: - no need to authenticate again at shutdown (failure of which could cause us to not clean up iptables) - if the main process dies unexpectedly, iptables still gets cleaned up - the password prompt can happen *before* starting the ssh/server process, which means it'll stand out and the password prompt won't be overwritten.
2010-05-03 01:29:03 +02:00
sys.stdout.write('READY\n')
sys.stdout.flush()
# ctrl-c shouldn't be passed along to me. When the main sshuttle dies,
# I'll die automatically.
os.setsid()
# we wait until we get some input before creating the rules. That way,
# sshuttle can launch us as early as possible (and get sudo password
# authentication as early in the startup process as possible).
iptables: if client dies before sending GO, just quit. If the server was having trouble starting, we would print a lot of unnecessary stuff from iptables. We shouldn't even have bothered *starting* iptables if the server was dead anyway.
2010-05-03 03:06:31 +02:00
line = sys.stdin.readline(128)
if not line:
return # parent died; nothing to do
Add -N (--auto-nets) option for auto-discovering subnets. Now if you do ./sshuttle -Nr username@myservername It'll automatically route the "local" subnets (ie., stuff in the routing table) from myservername. This is (hopefully a reasonable default setting for most people.
2010-05-08 02:02:04 +02:00
subnets = []
if line != 'ROUTES\n':
raise Fatal('firewall: expected ROUTES but got %r' % line)
while 1:
line = sys.stdin.readline(128)
if not line:
raise Fatal('firewall: expected route but got %r' % line)
elif line == 'GO\n':
break
try:
Add a --exclude option for excluding subnets from routing. Also, add 127.0.0.0/8 to the default list of excludes. If you want to route 0/0, you almost certainly *don't* want to route localhost to the remote ssh server's localhost! Thanks to Edward for the suggestion.
2010-07-15 20:07:01 +02:00
(width,exclude,ip) = line.strip().split(',', 2)
Add -N (--auto-nets) option for auto-discovering subnets. Now if you do ./sshuttle -Nr username@myservername It'll automatically route the "local" subnets (ie., stuff in the routing table) from myservername. This is (hopefully a reasonable default setting for most people.
2010-05-08 02:02:04 +02:00
except:
raise Fatal('firewall: expected route or GO but got %r' % line)
Add a --exclude option for excluding subnets from routing. Also, add 127.0.0.0/8 to the default list of excludes. If you want to route 0/0, you almost certainly *don't* want to route localhost to the remote ssh server's localhost! Thanks to Edward for the suggestion.
2010-07-15 20:07:01 +02:00
subnets.append((int(width), bool(int(exclude)), ip))
iptables: more resilient startup/cleanup. Now the sudo iptables subprocess persists for the entire life of sshuttle. The benefits of this are: - no need to authenticate again at shutdown (failure of which could cause us to not clean up iptables) - if the main process dies unexpectedly, iptables still gets cleaned up - the password prompt can happen *before* starting the ssh/server process, which means it'll stand out and the password prompt won't be overwritten.
2010-05-03 01:29:03 +02:00
try:
iptables: if client dies before sending GO, just quit. If the server was having trouble starting, we would print a lot of unnecessary stuff from iptables. We shouldn't even have bothered *starting* iptables if the server was dead anyway.
2010-05-03 03:06:31 +02:00
if line:
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
debug1('firewall manager: starting transproxy.\n')
iptables: if client dies before sending GO, just quit. If the server was having trouble starting, we would print a lot of unnecessary stuff from iptables. We shouldn't even have bothered *starting* iptables if the server was dead anyway.
2010-05-03 03:06:31 +02:00
do_it(port, subnets)
sys.stdout.write('STARTED\n')
iptables: die quietly if parent process dies. If we can't communicate with the parent process, he's probably died unexpectedly; just shut down and don't bother people about it.
2010-05-03 03:01:30 +02:00
try:
sys.stdout.flush()
except IOError:
# the parent process died for some reason; he's surely been loud
# enough, so no reason to report another error
return
iptables: try launching with sudo, then su, then directly. Previous versions depended on having 'sudo' in your PATH. Now that we can feel safe that --iptables will clean up properly when you exit, and it doesn't need to authenticate twice, the advantages of sudo aren't strictly needed. Good old 'su' is a reasonable fallback - and everybody has it, which is nice. Unfortunately su doesn't let you redirect stdin, so I had to play a stupid fd trick to make it work.
2010-05-03 02:54:10 +02:00
Added new --auto-hosts and --seed-hosts options to the client. Now if you use --auto-hosts (-H), the client will ask the server to spawn a hostwatcher to add names. That, in turn, will send names back to the server, which sends them back to the client, which sends them to the firewall subprocess, which will write them to /etc/hosts. Whew! Only the firewall process can write to /etc/hosts, of course, because only he's running as root. Since the name discovery process is kind of slow, we cache the names in ~/.sshuttle.hosts on the remote server. Right now, most of the names are discovered using nmblookup and smbclient, as well as by reading the existing entries in /etc/hosts. What would really be nice would be to query active directory or mdns somehow... but I don't really know how those work, so this is what you get for now :) It's pretty neat, at least.
2010-05-08 09:03:12 +02:00
# Now we wait until EOF or any other kind of exception. We need
# to stay running so that we don't need a *second* password
# authentication at shutdown time - that cleanup is important!
while 1:
line = sys.stdin.readline(128)
if line.startswith('HOST '):
(name,ip) = line[5:].strip().split(',', 1)
hostmap[name] = ip
rewrite_etc_hosts(port)
elif line:
raise Fatal('expected EOF, got %r' % line)
else:
break
iptables: more resilient startup/cleanup. Now the sudo iptables subprocess persists for the entire life of sshuttle. The benefits of this are: - no need to authenticate again at shutdown (failure of which could cause us to not clean up iptables) - if the main process dies unexpectedly, iptables still gets cleaned up - the password prompt can happen *before* starting the ssh/server process, which means it'll stand out and the password prompt won't be overwritten.
2010-05-03 01:29:03 +02:00
finally:
iptables: die quietly if parent process dies. If we can't communicate with the parent process, he's probably died unexpectedly; just shut down and don't bother people about it.
2010-05-03 03:01:30 +02:00
try:
Client "almost" works on MacOS and maybe FreeBSD. Basic forwarding now works on MacOS, assuming you set up ipfw correctly (ha ha). I wasted a few hours today trying to figure this out, and I'm *so very close*, but unfortunately it just didn't work. Think you can figure it out? Related changes: - don't die if iptables is unavailable - BSD uses getsockname() instead of SO_ORIGINAL_DST - non-blocking connect() returns EISCONN once it's connected - you can't setsockopt IP_TTL more than once
2010-05-05 00:24:43 +02:00
debug1('firewall manager: undoing changes.\n')
iptables: die quietly if parent process dies. If we can't communicate with the parent process, he's probably died unexpectedly; just shut down and don't bother people about it.
2010-05-03 03:01:30 +02:00
except:
pass
iptables: more resilient startup/cleanup. Now the sudo iptables subprocess persists for the entire life of sshuttle. The benefits of this are: - no need to authenticate again at shutdown (failure of which could cause us to not clean up iptables) - if the main process dies unexpectedly, iptables still gets cleaned up - the password prompt can happen *before* starting the ssh/server process, which means it'll stand out and the password prompt won't be overwritten.
2010-05-03 01:29:03 +02:00
do_it(port, [])
Added new --auto-hosts and --seed-hosts options to the client. Now if you use --auto-hosts (-H), the client will ask the server to spawn a hostwatcher to add names. That, in turn, will send names back to the server, which sends them back to the client, which sends them to the firewall subprocess, which will write them to /etc/hosts. Whew! Only the firewall process can write to /etc/hosts, of course, because only he's running as root. Since the name discovery process is kind of slow, we cache the names in ~/.sshuttle.hosts on the remote server. Right now, most of the names are discovered using nmblookup and smbclient, as well as by reading the existing entries in /etc/hosts. What would really be nice would be to query active directory or mdns somehow... but I don't really know how those work, so this is what you get for now :) It's pretty neat, at least.
2010-05-08 09:03:12 +02:00
restore_etc_hosts(port)
Reference in New Issue Copy Permalink