I am using sshuttle and UFW on my Linux system, and I recently set up outbound traffic filtering (instead of default-allow) in ufw. Immediately, I noticed I couldn’t make connections via sshuttle anymore.
The solution was to add another rule to ufw:
allow out from anywhere to IP 127.0.0.1, TCP port 12300
Note that this is “all interfaces,” not tied to the loopback interface,
Now… why does this work? Why doesn’t this traffic already match one of the “accept all on loopback” rules?
To receive that sshuttle is responsible for,
sshuttle listens at 127.0.0.1:12300 (by default) and creates some NAT rules to redirect traffic for its subnet to that IP and port. That is, running
sshuttle -r example.com 192.168.99.0/24 creates a NAT rule to catch traffic to any host within
192.168.99.0/24. This is done in netfilter’s
UFW has its rules in the
filter tables, and the
nat tables run first. Therefore, UFW sees a packet that has already been redirected, and this redirection changes the packet’s destination while its interface and source remain the same!
That’s the key to answering the second question: the “allow traffic on loopback” rules are written to allow traffic on interface
lo, and these redirected packets have a different interface (Ethernet or Wi-Fi.) The public interfaces are not expected to have traffic for local addresses on them… but if they do, they don’t get to take a shortcut through the firewall.
With this understanding, we can also see what’s going wrong in the filtering rules. Without a specific rule to allow port 12300 outbound, the packet reaches the default policy, and if that’s “reject” or “deny,” then the traffic is blocked. sshuttle never receives it.
Now we can construct the proper match rule: we need to allow traffic to IP 127.0.0.1 on TCP port 12300, and use either “all interfaces” or our public (Ethernet/Wi-Fi) interface. I left mine at “all interfaces,” in case I should ever plug in the Ethernet.
(I admit to a couple of dead-ends along the way. One, allowing port 3306 out didn’t help. Due to the NAT redirection, the firewall never sees a packet with port 3306 itself. This also means that traffic being forwarded by
sshuttle can’t be usefully firewalled on the client side. The other problem was that I accidentally created the rule to allow UDP instead of TCP the first time. Haha, oops.)