
Add support for iproute2 #132

Merged
merged 3 commits into from Feb 10, 2017

Conversation

@vieira (Contributor) commented Feb 3, 2017

`netstat` has been deprecated for some time and some distros might
start shipping without it in the near future. This commit adds support
for `ip route` and uses it when available.

This should fix issues like the one reported in #131.

`netstat` has been deprecated for some time and some distros might
start shipping without it in the near future. This commit adds support
for `ip route` and uses it when available.
@vieira (Contributor, Author) commented Feb 3, 2017

Any help with some real world testing would be very welcome while I fix the unit tests I broke. 😛

@brianmay merged commit 9a9015a into sshuttle:master Feb 10, 2017
@brianmay mentioned this pull request Feb 21, 2017
@andrewgdunn commented

This may very well be a lack of familiarity with the manual, but on Arch, as @vieira said above, netstat is no longer shipped by default. I'm seeing `hostwatch: ['netstat', '-n'] failed: FileNotFoundError(2, "No such file or directory: 'netstat'")` on all of my sessions nowadays.

@brianmay (Member) commented

@storrgie What version of sshuttle? This change should be in 0.78.3.

@andrewgdunn commented

[agd@clavain ~]$ sshuttle --version
0.78.3
[agd@clavain ~]$ uname -r
4.14.9-1-ARCH

It could be a misconfiguration on my end... here is my alias for getting into my 'home' through another Arch box that I use as a simple ProxyJump and sshuttle target:

alias sshuttle.home='sshuttle -v --dns --auto-hosts --remote=agd@<network>:<port> 172.16.0.0/24'

The client firewall:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

COMMIT

which is a laptop with the GNOME DE and NetworkManager as the networking environment.

The host that I'm hitting with sshuttle is headless, with systemd-networkd handling networking; here is the firewall (I also have mpd running on that host):

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

-A TCP -p tcp --dport 4252 -j ACCEPT
-A TCP -p tcp --dport 6600 -j ACCEPT

COMMIT

@andrewgdunn commented

I also believe that this might be causing a problem with the `--seed-hosts` functionality:

[agd@clavain ~]$ sshuttle -v --dns --auto-hosts --remote=agd@<network>:<port> 172.16.0.0/24
Starting sshuttle proxy.
firewall manager: Starting firewall with Python version 3.6.4
firewall manager: ready method name nat.
IPv6 enabled: False
UDP enabled: False
DNS enabled: True
TCP redirector listening on ('127.0.0.1', 12300).
DNS listening on ('127.0.0.1', 12300).
Starting client with Python version 3.6.4
c : connecting to server...
Starting server with Python version 3.6.4
 s: latency control setting = True
 s: available routes:
 s:   2/172.16.0.0/24
c : Connected.
c : seed_hosts: []
firewall manager: setting up.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 172.16.0.0/24 -p tcp --to-ports 12300 -m ttl ! --ttl 42
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 208.67.222.222/32 -p udp --dport 53 --to-ports 12300 -m ttl ! --ttl 42
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 208.67.220.220/32 -p udp --dport 53 --to-ports 12300 -m ttl ! --ttl 42
hostwatch: Starting hostwatch with Python version 3.6.4
hostwatch: Found: arbiter: 172.16.0.8
hostwatch: ['netstat', '-n'] failed: FileNotFoundError(2, "No such file or directory: 'netstat'")
[agd@clavain ~]$ sshuttle -v --dns --auto-hosts --seed-hosts arbiter --remote=agd@<network>:<port> 172.16.0.0/24
Starting sshuttle proxy.
firewall manager: Starting firewall with Python version 3.6.4
firewall manager: ready method name nat.
IPv6 enabled: False
UDP enabled: False
DNS enabled: True
TCP redirector listening on ('127.0.0.1', 12300).
DNS listening on ('127.0.0.1', 12300).
Starting client with Python version 3.6.4
c : connecting to server...
Starting server with Python version 3.6.4
 s: latency control setting = True
 s: available routes:
 s:   2/172.16.0.0/24
c : Connected.
c : seed_hosts: ['arbiter']
firewall manager: setting up.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 172.16.0.0/24 -p tcp --to-ports 12300 -m ttl ! --ttl 42
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 208.67.222.222/32 -p udp --dport 53 --to-ports 12300 -m ttl ! --ttl 42
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 208.67.220.220/32 -p udp --dport 53 --to-ports 12300 -m ttl ! --ttl 42
hostwatch: Starting hostwatch with Python version 3.6.4
hostwatch: Traceback (most recent call last):
--->   File "sshuttle.server", line 144, in start_hostwatch
--->   File "sshuttle.hostwatch", line 268, in hw_main
--->   File "sshuttle.hostwatch", line 230, in check_host
--->   File "sshuttle.hostwatch", line 32, in _is_ip
--->   File "/usr/lib/python3.6/re.py", line 172, in match
--->     return _compile(pattern, flags).match(string)
---> TypeError: cannot use a string pattern on a bytes-like object
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "assembler.py", line 37, in <module>
  File "sshuttle.server", line 376, in main
  File "sshuttle.ssnet", line 595, in runonce
  File "sshuttle.server", line 307, in hostwatch_ready
sshuttle.helpers.Fatal: hostwatch process died
>> iptables -t nat -D OUTPUT -j sshuttle-12300
>> iptables -t nat -D PREROUTING -j sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -X sshuttle-12300
c : fatal: server died with error code 1
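The PR description above says hostwatch should prefer `ip route` and only use `netstat -n` when that is what the host has, and the traceback in the last comment shows a second failure mode on the same path: a regexp compiled from a `str` pattern being matched against the `bytes` that `subprocess` returns. The following is an added example written for this page, not sshuttle's own hostwatch code; the function names (`gather_hosts`, `parse_ip_route`, `parse_netstat`, `is_ip`), the two sample command outputs, and the injectable `run`/`which` parameters are all constructed here so the block runs without either binary installed. It shows both points together: probing for the tool before running it instead of letting `FileNotFoundError` escape, and normalising `bytes` to `str` before matching.

```python
import re
import shutil
import subprocess

# Constructed sample outputs (not captured from a real host): the shape of
# what `ip route` and `netstat -n` print, kept as bytes because that is what
# subprocess.check_output returns when text=True is not passed.
SAMPLE_IP_ROUTE = b"""default via 172.16.0.1 dev eth0 proto dhcp metric 100
172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.8
10.0.0.0/8 via 172.16.0.254 dev eth0
"""

SAMPLE_NETSTAT = b"""Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 172.16.0.8:22           172.16.0.20:51234       ESTABLISHED
tcp        0      0 172.16.0.8:6600         172.16.0.21:40000       ESTABLISHED
"""

# Dotted-quad IPv4 literal. Compiled from a str pattern, so bytes input must
# be decoded first; matching bytes directly raises exactly the TypeError seen
# in the traceback above.
_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _to_text(s):
    """Accept either str or bytes; command output arrives as bytes."""
    if isinstance(s, bytes):
        return s.decode("ascii", "replace")
    return s


def is_ip(host):
    """True when `host` (str or bytes) is a dotted-quad IPv4 literal."""
    return _IP_RE.match(_to_text(host)) is not None


def parse_ip_route(output):
    """Collect the addresses following 'via' and 'src' in `ip route` output."""
    ips = set()
    for line in _to_text(output).splitlines():
        words = line.split()
        for i, w in enumerate(words):
            if w in ("via", "src") and i + 1 < len(words) and is_ip(words[i + 1]):
                ips.add(words[i + 1])
    return ips


def parse_netstat(output):
    """Collect local and foreign addresses from `netstat -n` connection rows."""
    ips = set()
    for line in _to_text(output).splitlines():
        if not line.startswith(("tcp", "udp")):
            continue  # header lines
        for col in line.split()[3:5]:
            addr = col.rsplit(":", 1)[0]  # strip the port
            if is_ip(addr):
                ips.add(addr)
    return ips


def gather_hosts(run=subprocess.check_output, which=shutil.which):
    """Prefer `ip route`; fall back to `netstat -n`; never raise on a missing tool.

    `run` and `which` are hypothetical injection points so the selection logic
    can be exercised offline. Returns (tool_name_or_None, set_of_ips).
    """
    candidates = [
        ("ip", ["ip", "route"], parse_ip_route),
        ("netstat", ["netstat", "-n"], parse_netstat),
    ]
    for name, argv, parser in candidates:
        if which(argv[0]) is None:
            continue  # binary absent: try the next tool instead of crashing
        try:
            return name, parser(run(argv))
        except (OSError, subprocess.CalledProcessError):
            continue  # present but unusable: keep going
    return None, set()


if __name__ == "__main__":
    print(gather_hosts())
```

Run as a script it probes the real machine; the test below drives it with fake `which`/`run` callables so the fallback order and the bytes handling are checked without shelling out.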
