
`ufw default deny outgoing` breaks sshuttle

sshuttle is this.

Throughout the process below, the contents of my /etc/resolv.conf are:

nameserver 1.1.1.1

Here are my initial ufw rules:

Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW OUT   Anywhere                  
443                        ALLOW OUT   Anywhere                  
53 (DNS)                   ALLOW OUT   Anywhere                  
22                         ALLOW OUT   Anywhere                  
80 (v6)                    ALLOW OUT   Anywhere (v6)             
443 (v6)                   ALLOW OUT   Anywhere (v6)             
53 (DNS (v6))              ALLOW OUT   Anywhere (v6)             
22 (v6)                    ALLOW OUT   Anywhere (v6)             

And my initial iptables rules:

# Generated by iptables-save v1.8.4 on Wed Apr  8 14:55:15 2020
*nat
:PREROUTING ACCEPT [452:33626]
:INPUT ACCEPT [2:904]
:OUTPUT ACCEPT [192:11605]
:POSTROUTING ACCEPT [192:11605]
COMMIT
# Completed on Wed Apr  8 14:55:15 2020
# Generated by iptables-save v1.8.4 on Wed Apr  8 14:55:15 2020
*filter
:INPUT DROP [4:116]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 80 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 443 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 53 -m comment --comment "\'dapp_DNS\'" -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 53 -m comment --comment "\'dapp_DNS\'" -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Apr  8 14:55:15 2020

If I run sshuttle in this state, I get:

$ sshuttle --verbose --dns -r my_server_that_uses_port_22 0/0                               
Starting sshuttle proxy.
firewall manager: Starting firewall with Python version 3.8.2
firewall manager: ready method name nat.
IPv6 enabled: False
UDP enabled: False
DNS enabled: True
User enabled: False
TCP redirector listening on ('127.0.0.1', 12300).
DNS listening on ('127.0.0.1', 12299).
Starting client with Python version 3.8.2
c : connecting to server...
Starting server with Python version 3.6.9
 s: latency control setting = True
c : Connected.
 s: auto-nets:False
firewall manager: setting up.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 1.1.1.1/32 -p udp --dport 53 --to-ports 12299 -m ttl ! --ttl 42
c : DNS request from ('192.168.1.100', 50688) to None: 27 bytes
c : DNS request from ('192.168.1.100', 50688) to None: 27 bytes
c : Accept TCP: 192.168.1.100:58906 -> 216.239.36.21:80.

While it is running:

$ curl ipinfo.io/ip
my_server_ip

Now, with sshuttle running, my iptables look like this:

$ diff init <(sudo iptables-save)    
1c1
< # Generated by iptables-save v1.8.4 on Wed Apr  8 14:55:15 2020
---
> # Generated by iptables-save v1.8.4 on Wed Apr  8 14:59:51 2020
3,6c3,12
< :PREROUTING ACCEPT [452:33626]
< :INPUT ACCEPT [2:904]
< :OUTPUT ACCEPT [192:11605]
< :POSTROUTING ACCEPT [192:11605]
---
> :PREROUTING ACCEPT [8:524]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [1:63]
> :sshuttle-12300 - [0:0]
> -A PREROUTING -j sshuttle-12300
> -A OUTPUT -j sshuttle-12300
> -A sshuttle-12300 -d 127.0.0.1/32 -p tcp -j RETURN
> -A sshuttle-12300 -p tcp -m ttl ! --ttl-eq 42 -j REDIRECT --to-ports 12300
> -A sshuttle-12300 -d 1.1.1.1/32 -p udp -m udp --dport 53 -m ttl ! --ttl-eq 42 -j REDIRECT --to-ports 12299
8,9c14,15
< # Completed on Wed Apr  8 14:55:15 2020
< # Generated by iptables-save v1.8.4 on Wed Apr  8 14:55:15 2020
---
> # Completed on Wed Apr  8 14:59:51 2020
> # Generated by iptables-save v1.8.4 on Wed Apr  8 14:59:51 2020
11c17
< :INPUT DROP [4:116]
---
> :INPUT DROP [24:684]
126c132
< # Completed on Wed Apr  8 14:55:15 2020
---
> # Completed on Wed Apr  8 14:59:51 2020

Then I do:

$ sudo ufw default deny outgoing 
Default outgoing policy changed to 'deny'
(be sure to update your rules accordingly)
$ sudo ufw reload
Firewall reloaded

At this point I have:

$ diff init <(sudo iptables-save)    
1c1
< # Generated by iptables-save v1.8.4 on Wed Apr  8 14:55:15 2020
---
> # Generated by iptables-save v1.8.4 on Wed Apr  8 15:06:08 2020
3,6c3,6
< :PREROUTING ACCEPT [452:33626]
< :INPUT ACCEPT [2:904]
< :OUTPUT ACCEPT [192:11605]
< :POSTROUTING ACCEPT [192:11605]
---
> :PREROUTING ACCEPT [35:1858]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [7:426]
> :POSTROUTING ACCEPT [7:426]
8,9c8,9
< # Completed on Wed Apr  8 14:55:15 2020
< # Generated by iptables-save v1.8.4 on Wed Apr  8 14:55:15 2020
---
> # Completed on Wed Apr  8 15:06:08 2020
> # Generated by iptables-save v1.8.4 on Wed Apr  8 15:06:08 2020
11c11
< :INPUT DROP [4:116]
---
> :INPUT DROP [20:568]
13c13
< :OUTPUT ACCEPT [0:0]
---
> :OUTPUT DROP [0:0]
73c73
< -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
---
> -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
111,113c111
< -A ufw-skip-to-policy-output -j ACCEPT
< -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
< -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
---
> -A ufw-skip-to-policy-output -j DROP
126c124
< # Completed on Wed Apr  8 14:55:15 2020
---
> # Completed on Wed Apr  8 15:06:08 2020

Now running sshuttle gives:

$ sshuttle --verbose --dns -r my_server_that_uses_port_22 0/0
Starting sshuttle proxy.
[local sudo] Password: 
firewall manager: Starting firewall with Python version 3.8.2
firewall manager: ready method name nat.
IPv6 enabled: False
UDP enabled: False
DNS enabled: True
User enabled: False
TCP redirector listening on ('127.0.0.1', 12300).
DNS listening on ('127.0.0.1', 12299).
Starting client with Python version 3.8.2
c : connecting to server...
Starting server with Python version 3.6.9
 s: latency control setting = True
c : Connected.
 s: auto-nets:False
firewall manager: setting up.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 1.1.1.1/32 -p udp --dport 53 --to-ports 12299 -m ttl ! --ttl 42

While it is running:

$ curl ipinfo.io/ip              
curl: (6) Could not resolve host: ipinfo.io

Now, with sshuttle running, my iptables look like this:

$ diff init <(sudo iptables-save)
1c1
< # Generated by iptables-save v1.8.4 on Wed Apr  8 14:55:15 2020
---
> # Generated by iptables-save v1.8.4 on Wed Apr  8 15:17:19 2020
3,6c3,12
< :PREROUTING ACCEPT [452:33626]
< :INPUT ACCEPT [2:904]
< :OUTPUT ACCEPT [192:11605]
< :POSTROUTING ACCEPT [192:11605]
---
> :PREROUTING ACCEPT [50:2498]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [5:245]
> :POSTROUTING ACCEPT [5:245]
> :sshuttle-12300 - [0:0]
> -A PREROUTING -j sshuttle-12300
> -A OUTPUT -j sshuttle-12300
> -A sshuttle-12300 -d 127.0.0.1/32 -p tcp -j RETURN
> -A sshuttle-12300 -p tcp -m ttl ! --ttl-eq 42 -j REDIRECT --to-ports 12300
> -A sshuttle-12300 -d 1.1.1.1/32 -p udp -m udp --dport 53 -m ttl ! --ttl-eq 42 -j REDIRECT --to-ports 12299
8,9c14,15
< # Completed on Wed Apr  8 14:55:15 2020
< # Generated by iptables-save v1.8.4 on Wed Apr  8 14:55:15 2020
---
> # Completed on Wed Apr  8 15:17:19 2020
> # Generated by iptables-save v1.8.4 on Wed Apr  8 15:17:19 2020
11c17
< :INPUT DROP [4:116]
---
> :INPUT DROP [70:1988]
13c19
< :OUTPUT ACCEPT [0:0]
---
> :OUTPUT DROP [114:6975]
73c79
< -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
---
> -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
111,113c117
< -A ufw-skip-to-policy-output -j ACCEPT
< -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
< -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
---
> -A ufw-skip-to-policy-output -j DROP
126c130
< # Completed on Wed Apr  8 14:55:15 2020
---
> # Completed on Wed Apr  8 15:17:19 2020

Some more evidence, with sshuttle running under the current firewall rules:

$ dig +short -p 12299 a google.com @127.0.0.1
216.58.205.238
$ dig +short a google.com @8.8.8.8    
216.58.210.78
$ dig +short a google.com @1.1.1.1
;; connection timed out; no servers could be reached

Why does this happen?

How should I set up my firewall rules so that I don't run into this problem?

Keep in mind that I won't always be using 1.1.1.1 for DNS.

Please let me know if I should provide any additional information.
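As an added illustration (not part of the original question), here is a simplified Python model of the netfilter OUTPUT path for locally generated packets, built from the sshuttle nat rules and the ufw filter rules shown above. It assumes the standard netfilter ordering: the routing decision fixes the out-interface first, then the nat OUTPUT chain rewrites the destination, so the filter OUTPUT chain matches on the redirected port (12299/12300) and the original interface rather than on lo; the TTL and conntrack matches are left out.

```python
# Simplified model: routing decision (fixes out-interface) -> nat OUTPUT
# -> filter OUTPUT. Added example, not part of the original question;
# it reproduces the sshuttle nat rules and a subset of the ufw rules.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp" or "udp"
    dst: str        # destination IPv4 address
    dport: int
    out_if: str     # interface chosen by the routing decision

def route(proto, dst, dport):
    # Loopback destinations route via lo, everything else via the uplink.
    # The out-interface seen by the filter OUTPUT match is fixed here,
    # before nat runs (assumption stated in the lead-in).
    return Pkt(proto, dst, dport, "lo" if dst.startswith("127.") else "eth0")

def nat_output(p):
    # sshuttle-12300 chain from the question: RETURN for 127.0.0.1 tcp,
    # REDIRECT all other tcp to 12300, REDIRECT udp/53 to 1.1.1.1 to 12299.
    # (The "-m ttl ! --ttl-eq 42" exclusion for sshuttle's own traffic is omitted.)
    if p.proto == "tcp" and p.dst == "127.0.0.1":
        return p
    if p.proto == "tcp":
        return replace(p, dst="127.0.0.1", dport=12300)
    if p.proto == "udp" and p.dst == "1.1.1.1" and p.dport == 53:
        return replace(p, dst="127.0.0.1", dport=12299)
    return p

UFW_ALLOWED_DPORTS = {80, 443, 53, 22}   # ufw-user-output rules above

def filter_output(p, default_policy):
    # ufw-before-output: "-o lo -j ACCEPT" (conntrack rules omitted: new flows only).
    if p.out_if == "lo":
        return "ACCEPT"
    # ufw-user-output: ALLOW OUT to the listed destination ports.
    if p.dport in UFW_ALLOWED_DPORTS:
        return "ACCEPT"
    # With `default allow outgoing`, ufw-track-output accepts NEW flows;
    # with `default deny outgoing`, the OUTPUT chain policy DROP applies.
    return default_policy

def verdict(proto, dst, dport, default_policy="DROP"):
    """Filter verdict for a locally generated packet, after any nat REDIRECT."""
    return filter_output(nat_output(route(proto, dst, dport)), default_policy)
```

Run with the question's three dig cases: the query to 1.1.1.1:53 is redirected to 127.0.0.1:12299 and no longer matches the port-53 allow rule, while the query to 8.8.8.8 is not redirected and still matches.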