author: João Vieira <vieira+github@yubo.be> 2017-05-07 04:18:13 +0100
committer: Brian May <brian@linuxpenguins.xyz> 2017-05-07 13:18:13 +1000
commit: c4a41ada09ec6fbfeb1783eb0269cad013842982
tree: a1c7483089e665164a788d06b5c7d1badc7d5cb4 /docs
parent: ef83a5c5736341573c21b39e347f39f5387b6faa
Adds support for tunneling specific port ranges (#144)
* Adds support for tunneling specific port ranges

This set of changes implements the ability of specifying a port or port range for an IP or subnet to only tunnel those ports for that subnet. Also supports excluding a port or port range for a given IP or subnet.

When, for a given subnet, there are intercepting ranges being added and excluded, the most specific, i.e., smaller range, takes precedence. In case of a tie the exclusion wins.

For different subnets, the most specific, i.e., largest swidth, takes precedence independent of any eventual port ranges.

Examples:

Tunnels all traffic to the 188.0.0.0/8 subnet except those to port 443.

```
sshuttle -r <server> 188.0.0.0/8 -x 188.0.0.0/8:443
```

Only tunnels traffic to port 80 of the 188.0.0.0/8 subnet.

```
sshuttle -r <server> 188.0.0.0/8:80
```

Tunnels traffic to the 188.0.0.0/8 subnet and the port range that goes from 80 to 89.

```
sshuttle -r <server> 188.0.0.0/8:80-89 -x 188.0.0.0/8:80-90
```

* Allow subnets to be specified with domain names

Simplifies the implementation of address parsing by using socket.getaddrinfo(), which can handle domain resolution, IPv4 and IPv6 addresses. This was proposed and mostly implemented by @DavidBuchanan314 in #146.

Signed-off-by: David Buchanan <DavidBuchanan314@users.noreply.github.com>
Signed-off-by: João Vieira <vieira@yubo.be>

* Also use getaddrinfo for parsing listen addr:port

* Fixes tests for tunneling a port range

* Updates documentation to include port/port range

Adds some examples with subnet:port and subnet:port-port. Also clarifies the versions of Python supported on the server while maintaining the recommendation for Python 2.7, 3.5 or later. Mentions support for pfSense.

* In Py2 only named arguments may follow *expression

Fixes issue in Python 2.7 where *expression may only be followed by named arguments.

* Use right regex to extract ip4/6, mask and ports

* Tests for parse_subnetport
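The precedence rule in the commit message decides which destinations go through the tunnel and which are left on the local network, so it is worth checking a rule set before relying on it. The following is an added model of that rule, not sshuttle's own code. Assumptions: the names `parse_rule`, `precedence` and `is_tunneled` are hypothetical, only IPv4 is handled, a rule without a port covers all ports, and rules are evaluated first-match in precedence order.

```python
import ipaddress

ALL_PORTS = (0, 65535)  # assumption: a rule without a port covers every port


def parse_rule(spec, include):
    """Parse IPv4 'a.b.c.d[/width][:port[-port]]' into a rule tuple."""
    net, _, ports = spec.partition(":")
    first, _, last = ports.partition("-")
    lo, hi = (int(first), int(last or first)) if ports else ALL_PORTS
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("bad port range in %r" % spec)
    return (ipaddress.ip_network(net, strict=False), lo, hi, include)


def precedence(rule):
    network, lo, hi, include = rule
    # Longest prefix first, then the smaller port range; on a tie the
    # exclusion (include=False) sorts ahead of the inclusion.
    return (-network.prefixlen, hi - lo, include)


def is_tunneled(dest_ip, dest_port, includes, excludes=()):
    """Return True if the first matching rule in precedence order is an include."""
    rules = [parse_rule(s, True) for s in includes]
    rules += [parse_rule(s, False) for s in excludes]
    addr = ipaddress.ip_address(dest_ip)
    for network, lo, hi, include in sorted(rules, key=precedence):
        if addr in network and lo <= dest_port <= hi:
            return include
    return False  # no rule matched: traffic is not intercepted


if __name__ == "__main__":
    # Constructed destinations checked against the commit message's examples.
    cases = [
        ("188.1.2.3", 443, ["188.0.0.0/8"], ["188.0.0.0/8:443"]),
        ("188.1.2.3", 22, ["188.0.0.0/8:80"], []),
        ("188.1.2.3", 90, ["188.0.0.0/8:80-89"], ["188.0.0.0/8:80-90"]),
    ]
    for ip, port, inc, exc in cases:
        print(ip, port, inc, exc, "->", is_tunneled(ip, port, inc, exc))
```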
Diffstat (limited to 'docs')
-rw-r--r-- docs/manpage.rst | 19
-rw-r--r-- docs/overview.rst | 2
-rw-r--r-- docs/requirements.rst | 7
3 files changed, 19 insertions, 9 deletions
diff --git a/docs/manpage.rst b/docs/manpage.rst
index fe6633a..44a178e 100644
--- a/docs/manpage.rst
+++ b/docs/manpage.rst
@@ -31,11 +31,18 @@ Options
.. option:: subnets
A list of subnets to route over the VPN, in the form
- ``a.b.c.d[/width]``. Valid examples are 1.2.3.4 (a
+ ``a.b.c.d[/width][port[-port]]``. Valid examples are 1.2.3.4 (a
single IP address), 1.2.3.4/32 (equivalent to 1.2.3.4),
1.2.3.0/24 (a 24-bit subnet, ie. with a 255.255.255.0
netmask), and 0/0 ('just route everything through the
- VPN').
+ VPN'). Any of the previous examples are also valid if you append
+ a port or a port range, so 1.2.3.4:8000 will only tunnel traffic
+ that has as the destination port 8000 of 1.2.3.4 and
+ 1.2.3.0/24:8000-9000 will tunnel traffic going to any port between
+ 8000 and 9000 (inclusive) for all IPs in the 1.2.3.0/24 subnet.
+ It is also possible to use a name in which case the first IP it resolves
+ to during startup will be routed over the VPN. Valid examples are
+ example.com, example.com:8000 and example.com:8000-9000.
.. option:: --method [auto|nat|tproxy|pf]
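Review bot: The syntax template on the added line reads ``a.b.c.d[/width][port[-port]]`` without the colon that every example after it uses (1.2.3.4:8000, 1.2.3.0/24:8000-9000); it should read ``a.b.c.d[/width][:port[-port]]``. The paragraph also omits what the commit message spells out: that -x accepts the same port syntax, and how an include and an exclude on the same subnet are ranked (smaller range wins, exclusion wins a tie), which is what decides whether a given port is tunneled. For names, "the first IP it resolves to during startup" would benefit from one more sentence stating that other addresses of the same name are not routed over the VPN.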
@@ -54,9 +61,11 @@ Options
connections from other machines on your network (ie. to
run :program:`sshuttle` on a router) try enabling IP Forwarding in
your kernel, then using ``--listen 0.0.0.0:0``.
+ You can use any name resolving to an IP address of the machine running
+ :program:`sshuttle`, e.g. ``--listen localhost``.
- For the tproxy method this can be an IPv6 address. Use this option twice if
- required, to provide both IPv4 and IPv6 addresses.
+ For the tproxy and pf methods this can be an IPv6 address. Use this option
+ twice if required, to provide both IPv4 and IPv6 addresses.
.. option:: -H, --auto-hosts
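Review bot: The added ``--listen localhost`` sentence does not say which address is bound when the name resolves to more than one, whereas the subnets text in this same patch states "the first IP it resolves to". Please state the rule here as well, and say how a name interacts with "Use this option twice if required" for IPv4 plus IPv6, because the context lines show that the listen address controls whether other machines on the network can connect.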
@@ -176,7 +185,7 @@ Options
.. option:: --disable-ipv6
- If using the tproxy method, this will disable IPv6 support.
+ If using tproxy or pf methods, this will disable IPv6 support.
.. option:: --firewall
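Review bot: Style point on the added line: "If using tproxy or pf methods" drops the article and mixes singular "or" with plural "methods", while the --listen hunk in this patch writes "For the tproxy and pf methods". Suggest "If using the tproxy or pf method, this will disable IPv6 support." for consistency.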
diff --git a/docs/overview.rst b/docs/overview.rst
index dc32a80..a5f02c0 100644
--- a/docs/overview.rst
+++ b/docs/overview.rst
@@ -4,7 +4,7 @@ Overview
As far as I know, sshuttle is the only program that solves the following
common case:
-- Your client machine (or router) is Linux, FreeBSD, or MacOS.
+- Your client machine (or router) is Linux, MacOS, FreeBSD, OpenBSD or pfSense.
- You have access to a remote network via ssh.
diff --git a/docs/requirements.rst b/docs/requirements.rst
index d32b348..9e9b54f 100644
--- a/docs/requirements.rst
+++ b/docs/requirements.rst
@@ -41,7 +41,7 @@ order to get the ``recvmsg()`` function. See :doc:`tproxy` for more
information.
-MacOS / FreeBSD / OpenBSD
+MacOS / FreeBSD / OpenBSD / pfSense
~~~~~~~~~~~~~~~~~~~~~~~~~
Method: pf
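Review bot: The new title "MacOS / FreeBSD / OpenBSD / pfSense" is ten characters longer than the old one, but the ``~~~`` underline on the following context line is unchanged and is now shorter than the title. reStructuredText reports "Title underline too short" for this, so the underline should be extended to at least the length of the new title in the same change.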
@@ -65,8 +65,9 @@ cmd.exe with Administrator access. See :doc:`windows` for more information.
Server side Requirements
------------------------
-Server requirements are more relaxed, however it is recommended that you use
-Python 2.7 or Python 3.5.
+The server can run in any version of Python between 2.4 and 3.6.
+However it is recommended that you use Python 2.7, Python 3.5 or later whenever
+possible as support for older versions might be dropped in the future.
Additional Suggested Software
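Review bot: "any version of Python between 2.4 and 3.6" on the first added line does not say whether the bounds are inclusive, and "run in" should be "run on". In the next sentence "Python 2.7, Python 3.5 or later" reads as three alternatives; "Python 2.7, or Python 3.5 or later" is unambiguous, and a comma after "However" would help.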