Tunnel traffic coming to one concrete interface


treb...@gmail.com

Apr 16, 2014, 9:47:00 AM
to sshu...@googlegroups.com
Hello,
How could I set sshuttle to tunnel only traffic coming to one concrete interface and not all the system's traffic?
I have 2 interfaces on my Debian (eth0, wlan0). My box is configured as a small router (man in the middle) forwarding eth0 (internal network - 192.168.3.X) to wlan0 (internet connection).
I would like to tunnel only traffic coming to eth0 (clients with internal IP 192.168.3.X) and leave wlan0 untouched.

Any ideas how to achieve that?

Gabriel Filion

Apr 17, 2014, 2:11:45 AM
to treb...@gmail.com, sshu...@googlegroups.com
Hmm, sshuttle has an --exclude option, but that only has a link to the
"remote" subnets.

If you want to restrict locally, you might be able to achieve that by
sticking a deny rule in the beginning of the input chain for each
tunneled subnet (not sure whether you can do it before sshuttle
connects -- but it would ensure there's no open window).

I'm just dropping the idea of a rule off the top of my head;
I haven't actually tested it, but the rule might look something like this:

iptables -I INPUT 1 -i wlan0 -d 10.10.10.0/24 -j REJECT --reject-with icmp-net-unreachable

where 10.10.10.0/24 is the subnet you want to exclude for wlan0

--
Gabriel Filion


drew.w...@gmail.com

Jan 10, 2019, 10:09:16 AM
to sshuttle
Could this be used to prevent tunneling traffic coming from a Docker container? I want the container to bypass sshuttle running on the host.