I'm running a router on my x86 laptop. Kernel IP forwarding is enabled along with the following iptables rules added after boot:
- /sbin/iptables -t nat -A POSTROUTING -o ${WAN_IFACE} -j MASQUERADE
- /sbin/iptables -A FORWARD -i ${WAN_IFACE} -o ${LOCAL_IFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
- /sbin/iptables -A FORWARD -i ${LOCAL_IFACE} -o ${WAN_IFACE} -j ACCEPT
This seems to do the job for NATting all my hosts connected to ${LOCAL_IFACE}, because their default gateway is the ${LOCAL_IFACE} IP address of the router laptop.
I'm running the sshuttle client on this x86 router laptop. wget requests executed locally on the router destined for the 10.0.0.0/24 subnet work. However, requests originating on hosts on my ${LOCAL_IFACE} seem to be unroutable. You've stated pretty emphatically in the docs that sshuttle should work for all hosts on my LAN when executed on a router, so I'm a bit stumped here. My knowledge of iptables isn't strong enough to debug this on my own.
Routing table on the router:

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         10.0.1.1        0.0.0.0         UG    600    0   0   ${WAN_IFACE}
10.0.1.0        0.0.0.0         255.255.255.0   U     600    0   0   ${WAN_IFACE}
10.10.240.0     0.0.0.0         255.255.240.0   U     100    0   0   ${LOCAL_IFACE}
Output from the command executed on the x86 router laptop, sshuttle --method=nat -vr us...@ssh.server 10.0.0.0/24:

>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 10.0.0.0/24 -p tcp --to-ports 12300 -m ttl ! --ttl 42
If relevant, it's worth noting that the default TTL on my router for pings is 56 instead of 42.
Any help is greatly appreciated.
Thanks.
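As an added diagnostic for the setup above (my code, not from the post or from sshuttle), this reads the output of two commands run as root on the router and reports which precondition for proxying LAN hosts is missing: the packet counter of the REDIRECT rule in chain sshuttle-12300 shows whether LAN traffic reaches it at all, and the bind address of the port-12300 listener matters because REDIRECT sends a forwarded packet to the incoming interface's primary address, not 127.0.0.1. The two sample outputs are constructed to match the post; port 12300 and the chain name come from it.

```python
# Constructed sample of: iptables -t nat -L sshuttle-12300 -v -n -x
SAMPLE_IPTABLES = """\
Chain sshuttle-12300 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 RETURN     tcp  --  *      *       0.0.0.0/0            127.0.0.1
      12      720 REDIRECT   tcp  --  *      *       0.0.0.0/0            10.0.0.0/24          TTL match TTL != 42 redir ports 12300
"""

# Constructed sample of: ss -ltn  (sshuttle's default loopback-only listener)
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:12300     0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
"""

def redirect_packet_count(iptables_listing):
    """Exact packet counter of the REDIRECT rule (-x turns off K/M suffixes)."""
    for line in iptables_listing.splitlines():
        fields = line.split()
        if len(fields) > 2 and fields[2] == "REDIRECT":
            return int(fields[0])
    raise ValueError("no REDIRECT rule in chain listing")

def listen_addresses(ss_listing, port):
    """Local addresses bound to `port` in `ss -ltn` output."""
    addrs = []
    for line in ss_listing.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN":
            addr, _, bound_port = fields[3].rpartition(":")
            if bound_port == str(port):
                addrs.append(addr)
    return addrs

def diagnose(iptables_listing, ss_listing, port=12300):
    """Return no_redirect_hits, no_listener, loopback_only or ok."""
    if redirect_packet_count(iptables_listing) == 0:
        return "no_redirect_hits"  # LAN traffic never reaches the PREROUTING rule
    addrs = listen_addresses(ss_listing, port)
    if not addrs:
        return "no_listener"
    # REDIRECT rewrites a forwarded packet's destination to the primary address
    # of the interface it arrived on, not 127.0.0.1, so a loopback-only socket
    # never receives the LAN hosts' connections.
    if all(a.startswith("127.") or a == "[::1]" for a in addrs):
        return "loopback_only"
    return "ok"

if __name__ == "__main__":
    print(diagnose(SAMPLE_IPTABLES, SAMPLE_SS))  # prints loopback_only
```

If the verdict is loopback_only, sshuttle's documented --listen option (for example --listen 0.0.0.0:12300) binds the proxy on all addresses so the redirected LAN connections can be accepted.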