Added support to exclude ports from forwarding

liorm · liorm · commit 5a1ed2e2fe23 · 2013-10-25T10:10:19.000+03:00
diff --git a/client.py b/client.py
@@ -96,15 +96,17 @@ def original_dst(sock):
 
 
 class FirewallClient:
-    def __init__(self, port, subnets_include, subnets_exclude, dnsport, route_username):
+    def __init__(self, port, subnets_include, subnets_exclude, dnsport, route_username, excludedports):
         self.port = port
         self.auto_nets = []
         self.subnets_include = subnets_include
         self.subnets_exclude = subnets_exclude
         self.dnsport = dnsport
         argvbase = ([sys.argv[1], sys.argv[0], sys.argv[1]] +
                     ['-v'] * (helpers.verbose or 0) +
-                    ['--firewall', str(port), str(dnsport), '--username', route_username])
+                    ['--firewall', str(port), str(dnsport),
+                     '--username', route_username or '',
+                     '--eports', excludedports or ''])
         if ssyslog._p:
             argvbase += ['--syslog']
         argv_tries = [
@@ -338,7 +340,7 @@ def onhostlist(hostlist):
 
 def main(listenip, ssh_cmd, remotename, python, latency_control, dns,
          seed_hosts, auto_nets,
-         subnets_include, subnets_exclude, syslog, daemon, pidfile, route_username):
+         subnets_include, subnets_exclude, syslog, daemon, pidfile, route_username, excludedports):
     if syslog:
         ssyslog.start_syslog()
     if daemon:
@@ -385,7 +387,7 @@ def main(listenip, ssh_cmd, remotename, python, latency_control, dns,
         dnsport = 0
         dnslistener = None
 
-    fw = FirewallClient(listenip[1], subnets_include, subnets_exclude, dnsport, route_username)
+    fw = FirewallClient(listenip[1], subnets_include, subnets_exclude, dnsport, route_username, excludedports)
     
     try:
         return _main(listener, fw, ssh_cmd, remotename,
diff --git a/firewall.py b/firewall.py
@@ -70,9 +70,13 @@ def ipt_ttl(*args):
 # multiple copies shouldn't have overlapping subnets, or only the most-
 # recently-started one will win (because we use "-I OUTPUT 1" instead of
 # "-A OUTPUT").
-def do_iptables(port, dnsport, route_username, subnets):
+def do_iptables(port, dnsport, route_username, excludedports, subnets):
     chain = 'sshuttle-%s' % port
 
+    eportsargv = []
+    if excludedports:
+        eportsargv += ['--match', 'multiport', '!', '--dport', excludedports]
+
     # basic cleanup/setup of chains
     if ipt_chain_exists(chain):
         if not route_username:
@@ -107,8 +111,9 @@ def do_iptables(port, dnsport, route_username, subnets):
                 ipt_ttl('-A', chain, '-j', 'REDIRECT',
                         '--dest', '%s/%s' % (snet,swidth),
                         '-p', 'tcp',
-                        '--to-ports', str(port))
-                
+                        '--to-ports', str(port),
+                         *eportsargv)
+
     if dnsport:
         nslist = resolvconf_nameservers()
         for ip in nslist:
@@ -261,7 +266,7 @@ def ipfw(*args):
     _call(argv)
 
 
-def do_ipfw(port, dnsport, route_username, subnets):
+def do_ipfw(port, dnsport, route_username, excludedports, subnets):
     sport = str(port)
     xsport = str(port+1)
 
@@ -457,7 +462,7 @@ def ip_in_subnets(ip, subnets):
 # exit.  In case that fails, it's not the end of the world; future runs will
 # supercede it in the transproxy list, at least, so the leftover rules
 # are hopefully harmless.
-def main(port, dnsport, syslog, route_username):
+def main(port, dnsport, syslog, route_username, excludedports):
     assert(port > 0)
     assert(port <= 65535)
     assert(dnsport >= 0)
@@ -522,7 +527,7 @@ def main(port, dnsport, syslog, route_username):
     try:
         if line:
             debug1('firewall manager: starting transproxy.\n')
-            do_wait = do_it(port, dnsport, route_username, subnets)
+            do_wait = do_it(port, dnsport, route_username, excludedports, subnets)
             sys.stdout.write('STARTED\n')
         
         try:
@@ -552,5 +557,5 @@ def main(port, dnsport, syslog, route_username):
             debug1('firewall manager: undoing changes.\n')
         except:
             pass
-        do_it(port, 0, route_username, [])
+        do_it(port, 0, route_username, excludedports, [])
         restore_etc_hosts(port)
diff --git a/main.py b/main.py
@@ -68,6 +68,7 @@ def parse_ipport(s):
 syslog     send log messages to syslog (default if you use --daemon)
 pidfile=   pidfile name (only if using --daemon) [./sshuttle.pid]
 u,username= route packets only from the specified username (required iptables with -m owner support)
+eports=    Exclude this list of ports (separated by comma with no spaces)
 server     (internal use only)
 firewall   (internal use only)
 hostwatch  (internal use only)
@@ -95,7 +96,7 @@ def parse_ipport(s):
     elif opt.firewall:
         if len(extra) != 2:
             o.fatal('exactly two arguments expected')
-        sys.exit(firewall.main(int(extra[0]), int(extra[1]), opt.syslog, opt.username))
+        sys.exit(firewall.main(int(extra[0]), int(extra[1]), opt.syslog, opt.username, opt.eports))
     elif opt.hostwatch:
         sys.exit(hostwatch.hw_main(extra))
     else:
@@ -129,7 +130,7 @@ def parse_ipport(s):
                              opt.auto_nets,
                              parse_subnets(includes),
                              parse_subnets(excludes),
-                             opt.syslog, opt.daemon, opt.pidfile, opt.username))
+                             opt.syslog, opt.daemon, opt.pidfile, opt.username, opt.eports))
 except FatalNeedsReboot, e:
     log('You must reboot before using sshuttle.\n')
     sys.exit(EXITCODE_NEEDS_REBOOT)
