diff options
| author | Jose M Perez <jose.m.perez.ramos+git@gmail.com> | 2023-10-03 01:27:44 +0200 |
|---|---|---|
| committer | Brian May <brian@linuxpenguins.xyz> | 2023-10-04 08:11:52 +1100 |
| commit | 794b14eaacda22edc5bb5c0bc7f71d62f50260af (patch) | |
| tree | ca5ced93aa4a04d13e818840055d9db9ec12271d /sshuttle | |
| parent | 670cc363bad1366a270636dbaeb7543d06622337 (diff) | |
tproxy: Apply DNS rules first
Having --dst-type LOCAL rules before DNS ones forces the usage of a
dnsmasq-like program to retrigger DNS requests directed locally
because they are fast-tracked through the firewall and ignored by
sshuttle.
As dns options documentation state that they capture the requests no
matter the server, and other methods and older versions behave
consistently, change the iptables rules to apply DNS ones first.
Diffstat (limited to 'sshuttle')
| -rw-r--r-- | sshuttle/methods/tproxy.py | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/sshuttle/methods/tproxy.py b/sshuttle/methods/tproxy.py index b3d5fca..84eea3f 100644 --- a/sshuttle/methods/tproxy.py +++ b/sshuttle/methods/tproxy.py @@ -145,8 +145,18 @@ class Method(BaseMethod): _ipt('-I', 'OUTPUT', '1', '-j', mark_chain) _ipt('-I', 'PREROUTING', '1', '-j', tproxy_chain) + for _, ip in [i for i in nslist if i[0] == family]: + _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', tmark, + '--dest', '%s/32' % ip, + '-m', 'udp', '-p', 'udp', '--dport', '53') + _ipt('-A', tproxy_chain, '-j', 'TPROXY', + '--tproxy-mark', tmark, + '--dest', '%s/32' % ip, + '-m', 'udp', '-p', 'udp', '--dport', '53', + '--on-port', str(dnsport)) + # Don't have packets sent to any of our local IP addresses go - # through the tproxy or mark chains. + # through the tproxy or mark chains (except DNS ones). # # Without this fix, if a large subnet is redirected through # sshuttle (i.e., 0/0), then the user may be unable to receive @@ -169,16 +179,6 @@ class Method(BaseMethod): _ipt('-A', tproxy_chain, '-m', 'socket', '-j', divert_chain, '-m', 'udp', '-p', 'udp') - for _, ip in [i for i in nslist if i[0] == family]: - _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', tmark, - '--dest', '%s/32' % ip, - '-m', 'udp', '-p', 'udp', '--dport', '53') - _ipt('-A', tproxy_chain, '-j', 'TPROXY', - '--tproxy-mark', tmark, - '--dest', '%s/32' % ip, - '-m', 'udp', '-p', 'udp', '--dport', '53', - '--on-port', str(dnsport)) - for _, swidth, sexclude, snet, fport, lport \ in sorted(subnets, key=subnet_weight, reverse=True): tcp_ports = ('-p', 'tcp') |