[Bug 916771] New: no traffic through sshuttle possible while SuSEfirewall2 is running
http://bugzilla.suse.com/show_bug.cgi?id=916771

Bug ID: 916771
Summary: no traffic through sshuttle possible while SuSEfirewall2 is running
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: wagner-thomas@gmx.at
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

On openSUSE 13.1, I investigated sshuttle from the security repository and noticed that it doesn't work while SuSEfirewall2 is running with default settings.

"Doesn't work" means: when sshuttle is started, all network traffic is blocked (can't ping, can't do nslookup) instead of tunneled. However, there is no sign in /var/log/messages or /var/log/firewall that SuSEfirewall2 would have blocked something.

I used the following command line to start sshuttle as root:

  sshuttle --dns -r user@ssh-tunnel-host 0.0.0.0/0 -v

When doing a "rcSuSEfirewall2 stop" prior to starting sshuttle, tunneling works fine.

Now I wonder: can the default settings of SuSEfirewall2 be modified in order to let sshuttle do its work?

--
You are receiving this mail because:
You are on the CC list for the bug.
Thomas Wagner:

> what kind of network device does sshuttle create?

Apparently, sshuttle does not create a network device. It just manipulates some NAT rules with iptables. Here is the log output of sshuttle's iptables commands (instead of X.X.X.X the IP of my ssh server appears):

  iptables -t nat -N sshuttle-12300
  iptables -t nat -F sshuttle-12300
  iptables -t nat -I OUTPUT 1 -j sshuttle-12300
  iptables -t nat -I PREROUTING 1 -j sshuttle-12300
  iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.0/8 -p tcp
  iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
  iptables -t nat -A sshuttle-12300 -j REDIRECT --dest X.X.X.X/32 -p udp --dport 53 --to-ports 12300 -m ttl ! --ttl 42

> how does the network setup look afterwards?

Sorry, I don't really understand that question. The network setup is simple: one client machine (tested with the wlan and ethernet connection of my laptop, and a KVM machine) and an ssh server (tested via NAT and on the local network).
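To make the quoted rule set easier to review, here is an added example (not code from the bug report, from sshuttle or from SuSEfirewall2) that parses those iptables lines and summarises what the nat chain does: loopback TCP is returned before the catch-all, all other TCP is redirected to the local proxy port, DNS to the ssh server's address is redirected too, and packets with TTL 42 are excluded, which is how sshuttle keeps its own outbound connections from being looped back into the proxy. The chain name and the input text are taken from the comment above; the parsing is my own and assumes the `iptables ... -A CHAIN ...` command syntax shown there.

```python
import shlex

# Constructed input: the iptables commands sshuttle printed in the comment
# above (X.X.X.X stands in for the ssh server address, as in the report).
SSHUTTLE_LOG = """
iptables -t nat -N sshuttle-12300
iptables -t nat -F sshuttle-12300
iptables -t nat -I OUTPUT 1 -j sshuttle-12300
iptables -t nat -I PREROUTING 1 -j sshuttle-12300
iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.0/8 -p tcp
iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
iptables -t nat -A sshuttle-12300 -j REDIRECT --dest X.X.X.X/32 -p udp --dport 53 --to-ports 12300 -m ttl ! --ttl 42
"""

def parse_rule(line):
    """Map one 'iptables ... -A CHAIN ...' line to {option: value}; a '!' before an
    option becomes a '!' prefix on its value (ttl -> '!42'). -N/-F/-I lines -> None."""
    argv = shlex.split(line)
    if "-A" not in argv:
        return None
    opts, i, negate = {}, 1, False
    while i < len(argv):
        if argv[i] == "!":
            negate, i = True, i + 1
            continue
        has_val = i + 1 < len(argv) and argv[i + 1][0] not in "-!"
        opts[argv[i].lstrip("-")] = ("!" if negate else "") + (argv[i + 1] if has_val else "")
        negate, i = False, i + (2 if has_val else 1)
    return opts

def summarize_chain(log, chain):
    """What the chain does: is loopback TCP returned before the catch-all, which port
    is TCP proxied to, where does DNS go, and does every REDIRECT skip TTL 42 packets
    (sshuttle sends its own outbound connections with TTL 42 to avoid a redirect loop)."""
    rules = [r for r in map(parse_rule, log.strip().splitlines())
             if r and r.get("A") == chain]
    info = {"loopback_first": False, "tcp_proxy_port": None,
            "dns": None, "ttl42_excluded": True}
    for n, r in enumerate(rules):
        if r.get("j") == "RETURN" and r.get("dest") == "127.0.0.0/8":
            info["loopback_first"] = n == 0
        elif r.get("j") == "REDIRECT":
            if r.get("p") == "tcp" and r.get("dest") == "0.0.0.0/0":
                info["tcp_proxy_port"] = int(r["to-ports"])
            if r.get("p") == "udp" and r.get("dport") == "53":
                info["dns"] = (r["dest"], int(r["to-ports"]))
            if r.get("ttl") != "!42":
                info["ttl42_excluded"] = False
    return info
```

Running `summarize_chain(SSHUTTLE_LOG, "sshuttle-12300")` on the quoted log reports loopback returned first, TCP proxied to port 12300, DNS for X.X.X.X/32 sent to the same port, and TTL 42 excluded on both REDIRECT rules.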