Correct Firewall configuration for sshuttle


czenc...@gmail.com

Feb 6, 2013, 4:07:46 PM
to sshu...@googlegroups.com
Hi.

I'm having difficulties finding research on iptables basic allowing
of sshuttle to operate.

Question:
If I allow 'only' (1) port out for ssh, will sshuttle manage to direct all
traffic through it?

For example: using UFW default firewall settings...
Deny all incoming
Deny all outgoing
* Allow all outgoing on eth0 to (Target ssh server) 10.20.50.30 on port 2222 protocol tcp

Then, as root from (client 10.20.50.40)
$ sshuttle --dns -e "ssh -i /home/here/.ssh/id_rsa" -vv -r us...@10.20.50.30:2222

Questions:
1. Do I have to open the default port of 12300?
2. If the above is true, should I allow from 127.0.0.1 or client ip 10.20.50.40 to 12300?

Could someone please advise.

Thank you.

Tony Godshall

Feb 6, 2013, 7:00:27 PM
to czenc...@gmail.com, sshu...@googlegroups.com
Perhaps you could clarify your intent.

If your intent is to connect your local machine to a far network, the configuration is much simpler than if you are wanting to allow other machines on your local network to access the remote network.

Also, perhaps you could show the iptables rules your current configuration is setting up; the -v option you are using with sshuttle would show those, but you did not post them.

Also, you could indicate which firewall rules you are concerned with: your local machine's rules or the rules of the remote machine you are tunnelling to.

Also, you could indicate whether it is your intent to use the host you are connecting to as your route to the internet; I would guess you are, because you are using the --dns option.

In many cases no adjustment to firewall rules is necessary; hopefully the above clarifications will help us understand why you think you need such.



--
Best Regards.
This is unedited.

Czent Czored

Feb 7, 2013, 7:09:00 AM
to sshuttle
Hello.

I'm inquiring about the firewall rules on the client (local).
I'm inquiring about routing all traffic (0/0) to the remote.

With the default UFW firewall set as IN/OUT Denied,
using (1) single firewall rule to allow outbound tcp/udp traffic
to the remote machine... does 'not' allow sshuttle to function.

I'm able to ssh connect in the above configuration.
$ ssh -p 2222 -i /home/here/.ssh/id_rsa us...@10.20.50.30

sshuttle is doing this:
>> iptables -t nat -D OUTPUT -j sshuttle-12300
>> iptables -t nat -D PREROUTING -j sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -X sshuttle-12300

The following is a single outbound rule to allow all tcp/udp to host
10.20.50.30 on port 2222
----------------------
Start------------------------------------------------------
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-input all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-input all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-forward all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP)
target prot opt source destination
ufw-before-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-before-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-after-logging-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-reject-output all -- 0.0.0.0/0 0.0.0.0/0
ufw-track-output all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
ufw-skip-to-policy-input tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ufw-skip-to-policy-input udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
ufw-skip-to-policy-input all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
ufw-not-local all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900
ufw-user-input all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-logging-input (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-logging-output (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT] "

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ufw-user-output all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW AUDIT INVALID] "
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
RETURN all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination

Chain ufw-user-forward (1 references)
target prot opt source destination

Chain ufw-user-input (1 references)
target prot opt source destination

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
target prot opt source destination

Chain ufw-user-logging-input (0 references)
target prot opt source destination

Chain ufw-user-logging-output (0 references)
target prot opt source destination

Chain ufw-user-output (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 10.20.50.30 tcp dpt:2222
ACCEPT udp -- 0.0.0.0/0 10.20.50.30 udp dpt:2222

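As an added example (not from the thread and not sshuttle's own code), the following Python replays the `>> iptables` lines that `sshuttle -vv` prints, such as the four teardown lines posted above, to show whether the NAT redirect chain is still hooked in and which local port the redirected packets are sent to, which is what the two questions in the first post turn on. The setup lines in FULL are constructed to mirror how sshuttle builds that chain and are an assumption, not output taken from the thread.

```python
import shlex
# The four lines quoted in the thread: sshuttle's "-vv" trace of its NAT chain teardown.
POSTED = """\
>> iptables -t nat -D OUTPUT -j sshuttle-12300
>> iptables -t nat -D PREROUTING -j sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -X sshuttle-12300
"""
# Constructed whole-session trace: the setup lines are an assumption modelled on how
# sshuttle builds its chain (not thread output), followed by the posted teardown.
FULL = """\
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.0/8 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300
""" + POSTED

def parse_trace(text):
    """Replay the '>> iptables' lines and record what the sshuttle NAT chain does."""
    st = {"chain": None, "hooks": set(), "ever_hooked": False,
          "redirect_ports": set(), "exempt_dests": []}
    for line in text.splitlines():
        if not line.startswith(">> iptables "):
            continue
        argv = shlex.split(line[3:])
        opt = lambda flag: argv[argv.index(flag) + 1] if flag in argv else None
        name = next((a for a in argv if a.startswith("sshuttle-")), None)
        if name:                                      # chain is named sshuttle-<port>
            st["chain"] = name
        if opt("-I") and opt("-j") == st["chain"]:    # chain hooked into OUTPUT/PREROUTING
            st["hooks"].add(opt("-I"))
            st["ever_hooked"] = True
        elif opt("-D") and opt("-j") == st["chain"]:  # hook removed again
            st["hooks"].discard(opt("-D"))
        elif opt("-A") == st["chain"] and opt("-j") == "REDIRECT":
            st["redirect_ports"].add(int(opt("--to-ports")))
        elif opt("-A") == st["chain"] and opt("-j") == "RETURN":
            st["exempt_dests"].append(opt("--dest"))  # traffic sshuttle leaves alone
    return st

def redirect_active(st):
    return bool(st["hooks"])  # still hooked into OUTPUT or PREROUTING

def client_filter_needs(st):
    """(proto, dst, port) the client's own filter OUTPUT chain must accept: REDIRECT sends
    locally generated packets to 127.0.0.1:<port>, and the chain name carries the port."""
    ports = st["redirect_ports"] or ({int(st["chain"].rsplit("-", 1)[1])} if st["chain"] else set())
    return sorted(("tcp", "127.0.0.1", p) for p in ports)
```

On the thread's own four lines the result is a chain that is no longer hooked in and a loopback requirement of tcp/12300: the redirected packets arrive at 127.0.0.1 on lo, not at the client's eth0 address. Note that `iptables -L -n` without `-v` hides interface matches, so UFW's loopback accept rule shows up in the dump above as a bare "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0" line; `iptables -S` shows the `-o lo` it actually carries.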