Date:      Tue, 9 Sep 2014 19:33:05 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        John Case <case@SDF.ORG>
Cc:        freebsd-net@freebsd.org, John Nielsen <lists@jnielsen.net>
Subject:   Re: How can sshuttle be used properly with FreeBSD (and with DNS) ?
Message-ID:  <20140909183722.R58647@sola.nimnet.asn.au>
In-Reply-To: <Pine.NEB.4.64.1409060233080.2500@faeroes.freeshell.org>
References:  <Pine.NEB.4.64.1409060233080.2500@faeroes.freeshell.org>

On Sat, 6 Sep 2014 02:52:22 +0000, John Case wrote:

 > I would like to use sshuttle (http://github.com/apenwarr/sshuttle) on
 > FreeBSD.
 > 
 > I have it working for TCP connections, but it does not properly tunnel DNS
 > requests.  The documentation for sshuttle says that ipfw forward rules will
 > not properly forward UDP packets, and so when it runs on FreeBSD, sshuttle
 > inserts divert rules instead.  The project author believes that this will
 > work properly (inserting divert rules to tunnel UDP) but I am not having any
 > success.

Forward doesn't update headers, likely why it's of no use to sshuttle.

 > BUT, I already have a divert rule (and natd running) on this system even
 > before I run sshuttle at all - because the system won't function as a normal
 > gateway unless I use divert/natd.  I prefer to run a gateway without
 > divert/natd, but since both sides of this gateway are non-routable IPs, I
 > cannot do that - in order to function as a gateway with 10.x.x.x networks on
 > both sides, I need to run natd/divert.

Or as John pointed out in your other thread, you may find it easier to 
use ipfw nat (in-kernel nat) instead, though sshuttle may be hard-wired 
to use natd.  Either way, you need separate NAT instances for each task.

As sshuttle needs to use divert sockets in particular, is the divert 
port used able to be specified?  Or does it insist on using the default 
port natd (8668/divert)?  If so, you need to use another port for your 
regular NAT and 8668 for sshuttle; anyway, two different ports, or you 
could even use natd for sshuttle and ipfw nat for regular translation.

 > So that means that when sshuttle inserts its own divert rules, they conflict
 > with the existing ones, and I am not running a second natd daemon, so I think
 > it all just falls apart.

See natd(8) section 'MULTIPLE INSTANCES' for a well-documented example. 
And/or check ipfw(8) section 'NETWORK ADDRESS TRANSLATION (NAT)' and in 
the examples, 'NAT, REDIRECT AND LSNAT'.

 > How can this be fixed ?
 > 
 > Is anyone out there using sshuttle on FreeBSD with the --dns switch ?

Nope.

 > Here is what my ipfw.conf looks like BEFORE I run sshuttle:
 > 
 > 
 > add 1000 divert natd ip from any to any in via xl0
 > add 2000 divert natd ip from any to any out via xl0

Another potential issue here; 'out via xl0' may be ambiguous, in that 
traffic going 'out' to anywhere, on any interface, that originally came 
'in' on xl0 also matches 'out via xl0'.  Unambiguous would be:

  add 1000 divert natd ip from any to any in recv xl0
  add 2000 divert natd ip from any to any out xmit xl0

though you can save natd (or ipfw nat) some work/time if you restrict 
outbound nat to packets that may qualify, perhaps 'from any to any out 
xmit xl0 recv xl1' in the case of your regular NATting of inside net 
traffic, assuming xl1 to be your inside interface.

'natd' in the rules above is just the port name from /etc/services;
you can use any unused port number for each (or another) instance, as 
per natd(8)'s multiple instances example.

 > and in rc.conf:
 > 
 > 
 > gateway_enable="yes"
 > natd_enable="yes"
 > natd_interface="xl0"
 > 
 > 
 > Again, this works fine - I have a functioning internet gateway and both of
 > the interfaces on it have non-routable IP address.
 > 
 > Then I run sshuttle and it *also* works fine - but only for TCP.  It does not
 > tunnel UDP (dns) properly like it is supposed to, and I think the reason is
 > that I already have diverting/natd going on and then I run sshuttle and it
 > inserts another two divert rules into ipfw.
 > 
 > But I am not sure what the fix would be ...

Just make sure that both NAT instances use separate ports and rules.

To see it in action, to confirm both regular NAT and the sshuttle UDP 
diversion are working correctly, run tcpdump in a couple of consoles.

cheers, Ian
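An added example, not from this thread or from sshuttle: a small lint over an ipfw rule list for the two problems discussed above, an ambiguous 'out via IF' and two divert rules in the same direction sharing one divert port (as happens when regular natd and a second NAT task both use 8668/divert). It assumes one rule per line in the form 'add N divert PORT ip from A to B in|out ...', read from a file or stdin, and treats the service name natd as 8668.

```shell
#!/bin/sh
# Added example (not the thread's or sshuttle's code). Prints one finding per
# line and returns 1 if any; returns 0 when the rule set looks clean.
lint_divert_rules() {
    awk '
    # Only divert rules matter; normalise the /etc/services name natd to 8668.
    $3 == "divert" {
        port = ($4 == "natd") ? 8668 : $4
        dir = ""; n = 0
        for (i = 5; i <= NF; i++)
            if ($i == "in" || $i == "out") { dir = $i; n = i + 1; break }
        # "out via IF" also matches packets that merely arrived on IF,
        # so the unambiguous form is "out xmit IF" (optionally "recv INSIDE_IF").
        if (dir == "out" && $n == "via") {
            print "rule " $2 ": out via " $(n+1) " is ambiguous, use out xmit " $(n+1)
            bad = 1
        }
        # Two rules diverting the same direction to one port means two NAT
        # tasks (e.g. regular natd and sshuttle) are fighting over that socket.
        key = dir ":" port
        if (key in seen) {
            print "rule " $2 ": divert port " port " (" dir ") already taken by rule " seen[key] "; give each NAT instance its own port"
            bad = 1
        } else seen[key] = $2
    }
    END { exit bad }' "$@"
}

# Constructed sample: the BEFORE-sshuttle rules quoted in the thread.
lint_divert_rules <<'EOF' || echo "divert rule problems found (see above)"
add 1000 divert natd ip from any to any in via xl0
add 2000 divert natd ip from any to any out via xl0
EOF
```

Run it against `ipfw list` output with the leading rule numbers as they appear, e.g. `ipfw list | sed 's/^/add /' | lint_divert_rules`, to check a live rule set after sshuttle has inserted its rules.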
