mirror of
https://github.com/sshuttle/sshuttle.git
synced 2024-11-25 01:13:37 +01:00
tproxy: Skip firewall chains if packets have local destination. (#578)
If you use the tproxy method with a large subnet (such as 0/0), then (1) you may not receive UDP packets that sshuttle/tproxy can handle and (2) you are unable to connect to your machine using an IP that your computer recognizes as its own. To resolve those issues, any traffic to an IP that the host knows is local does not go through the sshuttle chains.
This commit is contained in:
parent
b7730fc106
commit
97c25e988e
@@ -25,11 +25,6 @@ There are some things you need to consider for TPROXY to work:
 Otherwise sshuttle may attempt to intercept the ssh packets, which will not
 work. Use the ``--exclude`` parameter for this.
 
-- Similarly, UDP return packets (including DNS) could get intercepted and
-bounced back. This is the case if you have a broad subnet such as
-``0.0.0.0/0`` or ``::/0`` that includes the IP address of the client. Use the
-``--exclude`` parameter for this.
-
 - You need the ``--method=tproxy`` parameter, as above.
 
 - The routes for the outgoing packets must already exist. For example, if your
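Review bot: deleting the UDP bullet outright leaves the documentation silent about the behaviour that replaces it; a reader who learned the old `--exclude` workaround has no way to tell from this page that it is now unnecessary. Suggest replacing the removed bullet with a one-line note stating that packets addressed to any of the client's own IP addresses (as the kernel classifies them) now bypass the tproxy and mark chains, so a broad subnet such as ``0.0.0.0/0`` or ``::/0`` no longer needs the client's address excluded for UDP replies to arrive. The preceding bullet about the ssh packets still applies and should stay as it is.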
@@ -194,6 +194,22 @@ class Method(BaseMethod):
 _ipt('-F', tproxy_chain)
 _ipt('-I', 'OUTPUT', tmark, '-j', mark_chain)
 _ipt('-I', 'PREROUTING', tmark, '-j', tproxy_chain)
+
+# Don't have packets sent to any of our local IP addresses go
+# through the tproxy or mark chains.
+#
+# Without this fix, if a large subnet is redirected through
+# sshuttle (i.e., 0/0), then the user may be unable to receive
+# UDP responses or connect to their own machine using an IP
+# besides (127.0.0.1). Prior to including these lines, the
+# documentation reminded the user to use -x to exclude their
+# own IP addresses to receive UDP responses if they are
+# redirecting a large subnet through sshuttle (i.e., 0/0).
+_ipt('-A', tproxy_chain, '-j', 'RETURN', '-m', 'addrtype',
+'--dst-type', 'LOCAL')
+_ipt('-A', mark_chain, '-j', 'RETURN', '-m', 'addrtype',
+'--dst-type', 'LOCAL')
+
 _ipt('-A', divert_chain, '-j', 'MARK', '--set-mark', tmark)
 _ipt('-A', divert_chain, '-j', 'ACCEPT')
 _ipt('-A', tproxy_chain, '-m', 'socket', '-j', divert_chain,
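Review bot: the two RETURN rules are correct only because of ordering, and the comment does not say so. They are appended with '-A' immediately after `tproxy_chain` and `mark_chain` were flushed, so they land ahead of the `-m socket -j divert_chain` rule and of every per-subnet rule added later; anyone who later moves the flush or inserts rules above them silently reintroduces the bug. State that dependency in one line. Also worth spelling out that `--dst-type LOCAL` matches every address the kernel holds on any interface (loopback, link-local, addresses on the subnet being redirected), so a destination the user explicitly listed in a subnet is still exempted unconditionally, and that the behaviour is the same for both address families since the same `_ipt` call is emitted for each. The history paragraph ("Prior to including these lines, the documentation reminded the user...") belongs in the commit message rather than the code; the first two comment lines already carry the behavioural statement.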
@@ -133,6 +133,10 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
 call(AF_INET6, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1024'),
 call(AF_INET6, 'mangle', '-I', 'PREROUTING', '1', '-j',
 'sshuttle-t-1024'),
+call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
+'-m', 'addrtype', '--dst-type', 'LOCAL'),
+call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
+'-m', 'addrtype', '--dst-type', 'LOCAL'),
 call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'MARK',
 '--set-mark', '1'),
 call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'ACCEPT'),
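Review bot: the new expected calls assert that the two RETURN rules are emitted for the IPv6 chains, but the property the fix actually depends on is their position ahead of the '-m socket' divert rule in sshuttle-t-1024. If this list is checked with an ordered comparison of the mock's call list, that is covered; if it is checked only for membership, a regression that appends the RETURN rules after the socket rule would still pass. Either way it is worth a short comment here naming the ordering as the thing under test, so the expectation is not later "tidied" into an unordered check.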
@@ -233,6 +237,10 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
 call(AF_INET, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1025'),
 call(AF_INET, 'mangle', '-I', 'PREROUTING', '1', '-j',
 'sshuttle-t-1025'),
+call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
+'-m', 'addrtype', '--dst-type', 'LOCAL'),
+call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
+'-m', 'addrtype', '--dst-type', 'LOCAL'),
 call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025',
 '-j', 'MARK', '--set-mark', '1'),
 call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025', '-j', 'ACCEPT'),
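Review bot: the IPv4 expectation is a verbatim copy of the IPv6 one with the family and the chain suffix swapped (1024 vs 1025), which is the third such duplicated block in this test; consider generating the expected sequence for both families from one helper parametrised on the family and port so that future chain changes are made once. Both blocks only cover the happy path through setup_firewall; since the `addrtype` match is what makes the fix work, a negative case (the RETURN rules must not appear when the tproxy chains are being torn down, i.e. the restore_firewall path) would also be worth adding.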