Hmm, sshuttle has an --exclude option, but that only has a link to the
"remote" subnets.
If you want to restrict locally, you might be able to achieve that by
sticking a deny rule in the beginning of the input chain for each
tunneled subnet (not sure whether you can do it before sshuttle
connects -- but it would ensure there's no open window).
I'm just dropping the idea of a rule that pops from the top of my head;
I haven't actually tested it, but the rule might look something like this:
    iptables -I INPUT 1 -i wlan0 -d 10.10.10.0/24 -j REJECT --reject-with icmp-net-unreachable

where 10.10.10.0/24 is the subnet you want to exclude for wlan0
--
Gabriel Filion
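
Added example, not part of the original message: a dry-run generator that emits the message's rule once per tunneled subnet and guards each insert with `iptables -C` so a re-run does not stack duplicates. The function names, the interface `wlan0` and the sample subnets are assumptions; the rule itself is reproduced as posted and nothing is executed, only printed.

```shell
#!/bin/sh
# Added example: prints (never runs) one REJECT rule per tunneled subnet.
# Rule text is the untested one from the message; function names are hypothetical.

# valid_cidr ADDR/LEN: succeed only for a well-formed IPv4 CIDR
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    len=${1#*/}
    case "$len" in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets (only digits and dots remain here)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_reject_rules IFACE SUBNET...: print idempotent iptables commands
gen_reject_rules() {
    iface=$1; shift
    # Refuse interface names that could smuggle shell syntax into the output
    case "$iface" in ''|*[!A-Za-z0-9_.-]*)
        echo "invalid interface name" >&2; return 1 ;;
    esac
    for net in "$@"; do
        if ! valid_cidr "$net"; then
            echo "skipping invalid subnet: $net" >&2
            continue
        fi
        match="-i $iface -d $net -j REJECT --reject-with icmp-net-unreachable"
        # -C tests for an existing rule so a re-run does not stack duplicates
        echo "iptables -C INPUT $match 2>/dev/null || iptables -I INPUT 1 $match"
    done
}

# Constructed sample input: two valid subnets and one malformed entry
gen_reject_rules wlan0 10.10.10.0/24 192.168.5.0/24 10.10.300.0/24
```

Review the printed lines before running any of them as root.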