[Bug 916771] New: no traffic through sshuttle possible while SuSEfirewall2 is running
http://bugzilla.suse.com/show_bug.cgi?id=916771

Bug ID: 916771
Summary: no traffic through sshuttle possible while SuSEfirewall2 is running
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: wagner-thomas@gmx.at
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

On openSUSE 13.1, I investigated sshuttle from the security repository and noticed that it doesn't work while SuSEfirewall2 is running with default settings.

"Doesn't work" means: when sshuttle is started, all network traffic is blocked (can't ping, can't do nslookup) instead of tunneled. However, there is no sign in /var/log/messages or /var/log/firewall that SuSEfirewall2 would have blocked something.

I used the following command line to start sshuttle as root:

    sshuttle --dns -r user@ssh-tunnel-host 0.0.0.0/0 -v

When doing an "rcSuSEfirewall2 stop" prior to starting sshuttle, tunneling works fine.

Now I wonder: can the default settings of SuSEfirewall2 be modified in order to let sshuttle do its work?

-- 
You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=916771

Chenzi Cao <chcao@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |chcao@suse.com
           Assignee|bnc-team-screening@forge.pr |meissner@suse.com
                   |ovo.novell.com              |

--- Comment #1 from Chenzi Cao <chcao@suse.com> ---
Hi Marcus, would you please kindly help to have a look here? I'm not quite sure whether it is right to assign it to you; please feel free to reassign whenever necessary. Thank you!
http://bugzilla.suse.com/show_bug.cgi?id=916771

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wagner-thomas@gmx.at
              Flags|                            |needinfo?(wagner-thomas@gmx
                   |                            |.at)

--- Comment #2 from Marcus Meissner <meissner@suse.com> ---
What kind of network device does sshuttle create?
How does the network setup look afterwards?
http://bugzilla.suse.com/show_bug.cgi?id=916771

Thomas Wagner <wagner-thomas@gmx.at> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(wagner-thomas@gmx |
                   |.at)                        |

--- Comment #3 from Thomas Wagner <wagner-thomas@gmx.at> ---
(In reply to Marcus Meissner from comment #2)
> what kind of network device does sshuttle create?

Apparently, sshuttle does not create a network device. It just manipulates some NAT rules with iptables. Here is the log output of sshuttle's iptables calls (instead of X.X.X.X the IP of my ssh server appears):

    iptables -t nat -N sshuttle-12300
    iptables -t nat -F sshuttle-12300
    iptables -t nat -I OUTPUT 1 -j sshuttle-12300
    iptables -t nat -I PREROUTING 1 -j sshuttle-12300
    iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.0/8 -p tcp
    iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
    iptables -t nat -A sshuttle-12300 -j REDIRECT --dest X.X.X.X/32 -p udp --dport 53 --to-ports 12300 -m ttl ! --ttl 42

> how does the network setup look afterwards?

Sorry, I don't really understand that question. The network setup is simple: one client machine (tested with the wlan and ethernet connection of my laptop and a KVM machine) and an ssh server (tested via NAT and on the local network).
http://bugzilla.suse.com/show_bug.cgi?id=916771

--- Comment #4 from Marcus Meissner <meissner@suse.com> ---
Well, it fiddles with iptables, and this likely interacts badly with the iptables rules generated by SuSEfirewall2.

You can hook custom rules into SuSEfirewall2 via /etc/sysconfig/SuSEfirewall2:

    #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
    FW_CUSTOMRULES=""

but this will probably be tricky with the above NAT rules.
http://bugzilla.suse.com/show_bug.cgi?id=916771#c5

Carl Thompson <x-suse@carlthompson.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |x-suse@carlthompson.net

--- Comment #5 from Carl Thompson <x-suse@carlthompson.net> ---
The problem is the FW_LO_NOTRACK option turned on by default in the openSUSE firewall. From the description:

"Install NOTRACK target for interface lo in the raw table. Doing so speeds up packet processing on the loopback interface. This breaks certain firewall setups that need to e.g. redirect outgoing packets via custom rules on the local machine."

This option breaks sshuttle. To fix it, edit the /etc/sysconfig/SuSEfirewall2 file and change the line with FW_LO_NOTRACK to

    FW_LO_NOTRACK="no"

Save the file, restart the firewall or reboot, and sshuttle will work from then on.

Personally, I believe this feature of the firewall should NOT be turned on by default. The default should always be the correct / expected behavior, and circumventing correct behavior for a performance boost should be opt-in, not opt-out.
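As an added diagnostic that is not part of this bug thread or of sshuttle/SuSEfirewall2: the nat table (where REDIRECT lives) is only consulted for connections that conntrack sees, so a raw-table NOTRACK rule on lo silently bypasses the REDIRECT rules from comment #3. The check below parses iptables-save output (the sample rulesets are constructed) and reports that combination.

```shell
#!/bin/sh
# Added example, not from the bug report: detect the FW_LO_NOTRACK vs
# REDIRECT conflict in iptables-save output.

# Constructed iptables-save excerpt: SuSEfirewall2 with FW_LO_NOTRACK="yes"
# plus the sshuttle-12300 chain from comment #3.
SAMPLE_BROKEN='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:sshuttle-12300 - [0:0]
-A PREROUTING -j sshuttle-12300
-A OUTPUT -j sshuttle-12300
-A sshuttle-12300 -d 127.0.0.0/8 -p tcp -j RETURN
-A sshuttle-12300 -p tcp -m ttl ! --ttl-eq 42 -j REDIRECT --to-ports 12300
COMMIT'

# Same ruleset after FW_LO_NOTRACK="no": the raw NOTRACK rules are gone.
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_BROKEN" | grep -v -- '-j NOTRACK')

# check_ruleset <iptables-save text>
# Prints CONFLICT, REDIRECT_ONLY, NOTRACK_ONLY or CLEAN.
check_ruleset() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }   # "*raw", "*nat", ...
        # raw-table rule that disables conntrack for loopback traffic
        table == "raw" && /(-i|-o) lo / && /-j (NOTRACK|CT --notrack)/ { notrack = 1 }
        # nat-table REDIRECT rule, which needs conntrack to take effect
        table == "nat" && /-j REDIRECT/ { redirect = 1 }
        END {
            if (notrack && redirect) print "CONFLICT"
            else if (redirect)       print "REDIRECT_ONLY"
            else if (notrack)        print "NOTRACK_ONLY"
            else                     print "CLEAN"
        }'
}

# On a live system: check_ruleset "$(iptables-save)"
check_ruleset "$SAMPLE_BROKEN"   # CONFLICT
check_ruleset "$SAMPLE_FIXED"    # REDIRECT_ONLY
```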
http://bugzilla.suse.com/show_bug.cgi?id=916771#c7

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
           Assignee|meissner@suse.com           |matthias.gerstner@suse.com

--- Comment #7 from Marcus Meissner <meissner@suse.com> ---
Reassign to new maintainer.
http://bugzilla.suse.com/show_bug.cgi?id=916771#c8

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CONFIRMED

--- Comment #8 from Matthias Gerstner <matthias.gerstner@suse.com> ---
New firewall maintainer here. I'm working on the backlog bugs.

I understand the original issue has been solved via configuration of FW_LO_NOTRACK="no". I agree that this kind of optimization should not be the default. I will consider this for future updates of SuSEfirewall2. Keeping this ticket open to keep track of that.
http://bugzilla.suse.com/show_bug.cgi?id=916771

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |IN_PROGRESS
http://bugzilla.suse.com/show_bug.cgi?id=916771#c10

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|IN_PROGRESS                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #10 from Matthias Gerstner <matthias.gerstner@suse.com> ---
I've changed the default for this to "no" for openSUSE:Factory and SLE-12-SP3. Submissions have been accepted by now, so I'm closing the ticket.