UDP and IPv6 is supported in my tproxy branch.
https://github.com/brianmay/sshuttle/tree/tproxy
There are some requirements on the client end (these don't apply on the server):
* you do need a recent version of iptables (git version unless there
has been a recent release) and a recvmsg function binding (either by
patching Python or with PyXAPI-0.1 API. I have plans to get this added
to Python, but probably won't get in 2.x versions.
If there was serious interest, I could also upload my patched python
2.7 Ubuntu packages, compiled against natty to an Ubuntu PPA.
* For full support also do need to type in the following commands,
once only, as root, manually (top two are IPv4 only bottom two are
IPv6 only):
ip route add local default dev lo table 100
ip rule add fwmark 1 lookup 100
ip -6 route add local default dev lo table 100
ip -6 rule add fwmark 1 lookup 100
* sshuttle needs to be started as root. I use:
sudo SSH_AUTH_SOCK="$SSH_AUTH_SOCK"
$HOME/tree/sshuttle.tproxy/sshuttle --method=tproxy $OTHERPARAMS
This means ssh can access my ssh-agent socket.
> Would "naive" UDP be hard to add? As I said, for my SNMP needs,
> performance is not a concern. In the thread "UDP Support", on Aug 21
> 2010, 10:02 am, after describing why artificially making UDP-over-TCP
> reliable can be dangerous, Avery Pennarun <apenw...@gmail.com>
> wrote[2]:
The one issue I have had it sshuttle has no way of knowing when to
"close" the UDP connection, because UDP is stateless. So my current
implementation is hard coded to close it after it is idle for 30
seconds. Should be fine for DNS, WINS, and SNMP.
--
Brian May <br...@microcomaustralia.com.au>
Looks like a bug in my code.
It looks like "sock.family" needs to be replaced with just "family" on
line 384 of client.py.
Will test this out myself and upload a fix. Thanks for the report.
--
Brian May <br...@microcomaustralia.com.au>
As it happened, there were several more bugs in the UDP code. Have
fixed them, and pushed my changes to my repository.
It now works with both versions of the recvmsg function for DNS traffic.
Thanks again.
--
Brian May <br...@microcomaustralia.com.au>
I seem to remember something about the tproxy stuff requiring a
relatively new kernel. Debian lenny uses 2.6.26, and is that the
problem? What is the minimum?
That is just a bit weird, because it implies that the sshuttle-d-12300
table isn't created at the time.
However it is created (and flushed) several lines above that line that
failed. In the same if block in fact.
Can you please rerun with -vvv and post the results here? Also "sudo
iptables -L -t mangle -n" will show if that table really exists or
not.
Thanks
--
Brian May <br...@microcomaustralia.com.au>
Can you please rerun with -vvv and post the results here? Also "sudo
iptables -L -t mangle -n" will show if that table really exists or
not.
>> iptables -t mangle -A sshuttle-t-12300 -m socket -j sshuttle-d-12300 -m tcp -p tcpiptables: No chain/target/match by that name.
Could you also post your kernel configuration?