Serving tunneled sshuttle traffic to an external LAN port

[Mike C]

Hi,

I have a (virtual) machine set up, with an ens3 interface providing connection to the internet (assigned a local IP 10.0.2.15 that successfully NATs out), and an additional ens4 interface that I'd like to set up so that an Ethernet cable connected to it (after proper IP configuration) will have its connections also appear to originate over the established tunnel.

I can confirm that sshuttle works just fine in terms of providing the local host's connectivity over the tunnel. Any curl commands (including DNS lookups) successfully traverse over the sshuttle connection. And so if I took the LAN port out of the picture, sshuttle is working fine as a means to tunnel outbound traffic (HTTP, DNS, etc) so that egress IP appears to be that of the remote host.

However, I've had considerable difficulty getting this to work, and I'm not sure where to start. I originally thought that "--listen 0.0.0.0" or "--listen 0.0.0.0:0" would be sufficient. However, after configuring ens4 as 10.250.0.1 and another connecting host as 10.250.0.x, I can confirm direct ping to 10.250.0.1 requests are met with a reply, so that 10.250.0.x and the sshuttle host (.1) are able to directly ping each other.

But, when I add a default route on the remote host to be 10.250.0.1 and I also enable all sysctl settings for IP forwarding on the sshuttle host, I would have expected that a ping from the external host to 1.1.1.1, say, would show a ping reply. However, listening over tcpdump it appears from the perspective of the sshuttle host that the ping packet is seen, but no reply is generated.

I would have thought this use case is built in, and I don't know if it is or not.

It's a case of one interface providing WAN and the other which I'd like to provide LAN access (static IP assignments instead of DHCP). I'd prefer for a configuration like this to work even from a base starting point like Finnix.

Could the community please point me in the right direction here? Is this use case defined? Will MASQUERADE, SNAT, REDIRECT, and other rules as needed be added to tables such as POSTROUTING and otherwise? I'd want to be able to plug in a host to that port, set up its IP as static, and then let its effective "internet" access be associated with the egress IP of the remote end of the tunnel connection.