Can't get tcp sessions to route via sshuttle on my "router"


anujgu...@gmail.com

Nov 30, 2018, 2:45:59 AM11/30/18
to sshuttle
I'm running a router on my x86 laptop.  Kernel IP forwarding is enabled along with the following iptables rules added after boot:

  • /sbin/iptables -t nat -A POSTROUTING -o ${WAN_IFACE} -j MASQUERADE
  • /sbin/iptables -A FORWARD -i ${WAN_IFACE} -o ${LOCAL_IFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
  • /sbin/iptables -A FORWARD -i ${LOCAL_IFACE} -o ${WAN_IFACE} -j ACCEPT
This seems to do the job for NATting all my hosts connected to the ${LOCAL_IFACE} because their default gateways are the ${LOCAL_IFACE} ip address of the router laptop.

I'm running the sshuttle client on this x86 router laptop.  wget requests executed locally on the router destined for the 10.0.0.0/24 subnet work.  However, requests originating on hosts on my ${LOCAL_IFACE} seem to be unroutable.  You've stated pretty emphatically in the docs that sshuttle should work for all hosts on my LAN when executed on a router, so I'm a bit stumped here.  My knowledge of iptables isn't strong enough to debug this on my own.
routing table on router:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.1.1        0.0.0.0         UG    600    0        0 ${WAN_IFACE}
10.0.1.0        0.0.0.0         255.255.255.0   U     600    0        0 ${WAN_IFACE}
10.10.240.0     0.0.0.0         255.255.240.0   U     100    0        0 ${LOCAL_IFACE}


Output from command executed on x86 router laptop: sshuttle --method=nat -vr us...@ssh.server 10.0.0.0/24
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 10.0.0.0/24 -p tcp --to-ports 12300 -m ttl ! --ttl 42

If relevant, it's worth noting that the default TTL on my router for pings is 56 instead of 42.

Any help is greatly appreciated.

Thanks.

anujgu...@gmail.com

Nov 30, 2018, 3:00:16 AM11/30/18
to sshuttle
I've been trying to figure this out for over an hour and yet posting this somehow gave me clarity, lol.  Adding the --listen 0.0.0.0 option worked as stated in the docs.  Maybe add this tidbit after the sentence that suggests the sshuttle command should work as is on routers?  It could save another idiot like me a lot of time.  Thanks for this awesome little utility!  Gonna have to spend some time understanding the nuances between iptables-based TCP (L4) redirection and kernel-based IP (L3) routing.
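Added here as an illustration, not code from the thread or from sshuttle itself: a small Python model of the sshuttle-12300 chain from the first post, showing why a connection forwarded from a LAN host misses a listener bound only to 127.0.0.1 while a wget run on the router itself works. The router's ${LOCAL_IFACE} address (10.10.240.1) is an assumption; netfilter REDIRECT maps locally generated packets to 127.0.0.1 and forwarded packets to the primary address of the interface they arrived on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed primary address of ${LOCAL_IFACE} on the router (not given in the thread).
IFACE_ADDRS = {"${LOCAL_IFACE}": "10.10.240.1"}
SSHUTTLE_PORT = 12300


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    ttl: int
    in_iface: Optional[str]  # None = locally generated (OUTPUT chain), else PREROUTING


def sshuttle_chain(pkt: Packet) -> Optional[Tuple[str, int]]:
    """Evaluate the chain from the post and return the post-NAT (ip, port), or None.

    -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
    -A sshuttle-12300 -j REDIRECT --dest 10.0.0.0/24 -p tcp --to-ports 12300 -m ttl ! --ttl 42
    The TTL match exempts packets sshuttle itself sends with TTL 42 (its own tunnel
    traffic); an ordinary host TTL such as 56 or 64 is still redirected.
    """
    if pkt.proto != "tcp":
        return None
    dst = ip_address(pkt.dst)
    if dst in ip_network("127.0.0.1/32"):
        return None  # RETURN: loopback traffic is never captured
    if dst in ip_network("10.0.0.0/24") and pkt.ttl != 42:
        # REDIRECT: OUTPUT chain -> 127.0.0.1, PREROUTING -> inbound interface's address
        new_dst = "127.0.0.1" if pkt.in_iface is None else IFACE_ADDRS[pkt.in_iface]
        return new_dst, SSHUTTLE_PORT
    return None  # no match: packet follows the normal routing table


def reaches_listener(pkt: Packet, listen_addr: str) -> bool:
    """True if the redirected connection lands on a socket bound to listen_addr.

    sshuttle binds 127.0.0.1 by default; --listen 0.0.0.0 binds every address.
    """
    target = sshuttle_chain(pkt)
    if target is None:
        return False
    dst_ip, _port = target
    return listen_addr == "0.0.0.0" or listen_addr == dst_ip
```

Running the LAN-host case against 127.0.0.1 versus 0.0.0.0 reproduces the behaviour described in the thread: only the wildcard bind accepts the PREROUTING-redirected connection.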