
Method setup_firewall

sshuttle/methods/tproxy.py:116–229  ·  view source on GitHub ↗
(self, port, dnsport, nslist, family, subnets, udp,
                       user, group, tmark)


114 udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVORIGDSTADDR, 1)
115
116 def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
117 user, group, tmark):
118 if family not in [socket.AF_INET, socket.AF_INET6]:
119 raise Exception(
120 'Address family "%s" unsupported by tproxy method'
121 % family_to_string(family))
122
123 table = "mangle"
124
125 def _ipt(*args):
126 return ipt(family, table, *args)
127
128 def _ipt_proto_ports(proto, fport, lport):
129 return proto + ('--dport', '%d:%d' % (fport, lport)) \
130 if fport else proto
131
132 mark_chain = 'sshuttle-m-%s' % port
133 tproxy_chain = 'sshuttle-t-%s' % port
134 divert_chain = 'sshuttle-d-%s' % port
135
136 # basic cleanup/setup of chains
137 self.restore_firewall(port, family, udp, user, group)
138
139 _ipt('-N', mark_chain)
140 _ipt('-F', mark_chain)
141 _ipt('-N', divert_chain)
142 _ipt('-F', divert_chain)
143 _ipt('-N', tproxy_chain)
144 _ipt('-F', tproxy_chain)
145 _ipt('-I', 'OUTPUT', '1', '-j', mark_chain)
146 _ipt('-I', 'PREROUTING', '1', '-j', tproxy_chain)
147
148 for _, ip in [i for i in nslist if i[0] == family]:
149 _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', tmark,
150 '--dest', '%s/32' % ip,
151 '-m', 'udp', '-p', 'udp', '--dport', '53')
152 _ipt('-A', tproxy_chain, '-j', 'TPROXY',
153 '--tproxy-mark', tmark,
154 '--dest', '%s/32' % ip,
155 '-m', 'udp', '-p', 'udp', '--dport', '53',
156 '--on-port', str(dnsport))
157
158 # Don't have packets sent to any of our local IP addresses go
159 # through the tproxy or mark chains (except DNS ones).
160 #
161 # Without this fix, if a large subnet is redirected through
162 # sshuttle (i.e., 0/0), then the user may be unable to receive
163 # UDP responses or connect to their own machine using an IP
164 # besides (127.0.0.1). Prior to including these lines, the
165 # documentation reminded the user to use -x to exclude their
166 # own IP addresses to receive UDP responses if they are
167 # redirecting a large subnet through sshuttle (i.e., 0/0).
168 _ipt('-A', tproxy_chain, '-j', 'RETURN', '-m', 'addrtype',
169 '--dst-type', 'LOCAL')
170 _ipt('-A', mark_chain, '-j', 'RETURN', '-m', 'addrtype',
171 '--dst-type', 'LOCAL')
172
173 _ipt('-A', divert_chain, '-j', 'MARK', '--set-mark', tmark)
