From 3899e2eb871c25fcdee58e28ade20820b2eeb56b Mon Sep 17 00:00:00 2001
From: Narthorn <narthorn@gmail.com>
Date: Tue, 30 Apr 2013 04:44:24 +0200
Subject: [PATCH 1/2] dns: Move resolvconf_nameservers() call from firewall.py
 to client.py

This adds a dns_hosts command-line option, which is passed internally to
the firewall, containing a comma-separated list of nameservers to target
when creating firewall rules.
---
 client.py   |  9 +++++++--
 firewall.py | 12 +++++-------
 main.py     |  5 ++++-
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/client.py b/client.py
index a03ac3a..a42fdf5 100644
--- a/client.py
+++ b/client.py
@@ -96,17 +96,20 @@ def original_dst(sock):
 
 
 class FirewallClient:
-    def __init__(self, port, subnets_include, subnets_exclude, dnsport):
+    def __init__(self, port, subnets_include, subnets_exclude, dnsport, dns_hosts):
         self.port = port
         self.auto_nets = []
         self.subnets_include = subnets_include
         self.subnets_exclude = subnets_exclude
         self.dnsport = dnsport
+        self.dns_hosts = dns_hosts
         argvbase = ([sys.argv[1], sys.argv[0], sys.argv[1]] +
                     ['-v'] * (helpers.verbose or 0) +
                     ['--firewall', str(port), str(dnsport)])
         if ssyslog._p:
             argvbase += ['--syslog']
+        if dnsport:
+             argvbase += ['--dns-hosts', ','.join(dns_hosts)]
         argv_tries = [
             ['sudo', '-p', '[local sudo] Password: '] + argvbase,
             ['su', '-c', ' '.join(argvbase)],
@@ -381,11 +384,13 @@ def main(listenip, ssh_cmd, remotename, python, latency_control, dns,
         dnsip = dnslistener.getsockname()
         debug1('DNS listening on %r.\n' % (dnsip,))
         dnsport = dnsip[1]
+        dns_hosts = resolvconf_nameservers()
     else:
         dnsport = 0
         dnslistener = None
+        dns_hosts = []
 
-    fw = FirewallClient(listenip[1], subnets_include, subnets_exclude, dnsport)
+    fw = FirewallClient(listenip[1], subnets_include, subnets_exclude, dnsport, dns_hosts)
     
     try:
         return _main(listener, fw, ssh_cmd, remotename,
diff --git a/firewall.py b/firewall.py
index cbc3312..bec024c 100644
--- a/firewall.py
+++ b/firewall.py
@@ -70,7 +70,7 @@ def ipt_ttl(*args):
 # multiple copies shouldn't have overlapping subnets, or only the most-
 # recently-started one will win (because we use "-I OUTPUT 1" instead of
 # "-A OUTPUT").
-def do_iptables(port, dnsport, subnets):
+def do_iptables(port, dnsport, nslist, subnets):
     chain = 'sshuttle-%s' % port
 
     # basic cleanup/setup of chains
@@ -104,7 +104,6 @@ def do_iptables(port, dnsport, subnets):
                         '--to-ports', str(port))
                 
     if dnsport:
-        nslist = resolvconf_nameservers()
         for ip in nslist:
             ipt_ttl('-A', chain, '-j', 'REDIRECT',
                     '--dest', '%s/32' % ip,
@@ -255,7 +254,7 @@ def ipfw(*args):
     _call(argv)
 
 
-def do_ipfw(port, dnsport, subnets):
+def do_ipfw(port, dnsport, nslist, subnets):
     sport = str(port)
     xsport = str(port+1)
 
@@ -354,7 +353,6 @@ def do_ipfw(port, dnsport, subnets):
                                    IPPROTO_DIVERT)
         divertsock.bind(('0.0.0.0', port)) # IP field is ignored
 
-        nslist = resolvconf_nameservers()
         for ip in nslist:
             # relabel and then catch outgoing DNS requests
             ipfw('add', sport, 'divert', sport,
@@ -451,7 +449,7 @@ def ip_in_subnets(ip, subnets):
 # exit.  In case that fails, it's not the end of the world; future runs will
 # supercede it in the transproxy list, at least, so the leftover rules
 # are hopefully harmless.
-def main(port, dnsport, syslog):
+def main(port, dnsport, nslist, syslog):
     assert(port > 0)
     assert(port <= 65535)
     assert(dnsport >= 0)
@@ -516,7 +514,7 @@ def main(port, dnsport, syslog):
     try:
         if line:
             debug1('firewall manager: starting transproxy.\n')
-            do_wait = do_it(port, dnsport, subnets)
+            do_wait = do_it(port, dnsport, nslist, subnets)
             sys.stdout.write('STARTED\n')
         
         try:
@@ -546,5 +544,5 @@ def main(port, dnsport, syslog):
             debug1('firewall manager: undoing changes.\n')
         except:
             pass
-        do_it(port, 0, [])
+        do_it(port, 0, [], [])
         restore_etc_hosts(port)
diff --git a/main.py b/main.py
index 34d9fb1..b958e98 100755
--- a/main.py
+++ b/main.py
@@ -67,6 +67,7 @@ def parse_ipport(s):
 V,version  print sshuttle's version number
 syslog     send log messages to syslog (default if you use --daemon)
 pidfile=   pidfile name (only if using --daemon) [./sshuttle.pid]
+dns-hosts= (internal use only)
 server     (internal use only)
 firewall   (internal use only)
 hostwatch  (internal use only)
@@ -94,7 +95,9 @@ def parse_ipport(s):
     elif opt.firewall:
         if len(extra) != 2:
             o.fatal('exactly two arguments expected')
-        sys.exit(firewall.main(int(extra[0]), int(extra[1]), opt.syslog))
+        port, dnsport = int(extra[0]), int(extra[1])
+        nslist = re.split(r'[\s,]+', opt.dns_hosts.strip()) if dnsport else []
+        sys.exit(firewall.main(port, dnsport, nslist, opt.syslog))
     elif opt.hostwatch:
         sys.exit(hostwatch.hw_main(extra))
     else:

From 0cc65cc614b24a3109dad9cd91e0cd19f7a7d88e Mon Sep 17 00:00:00 2001
From: Narthorn <narthorn@gmail.com>
Date: Tue, 30 Apr 2013 04:52:59 +0200
Subject: [PATCH 2/2] dns: Add --dns-hosts command-line option.

The --dns switch adds firewall rules to intercept queries only for
nameservers found in resolv.conf ; This command-line option allows
the user to explicitly specify the nameservers to create firewall
redirection rules for.

This is useful when using a local DNS forwarder to redirect DNS queries
to different nameservers.

Example:

  We can use sshuttle to access a private subnet 172.30.0.0/16, which hosts
  a local DNS server resolving private domain names in that subnet.

  Currently, the only way to be able to resolve those domain names is to use
  the --dns switch. However, all DNS queries will then go through the remote
  nameserver, which might not be desirable especially if said nameserver
  does not know how to resolve every query.

  One solution is to run a local DNS forwarder, which knows that the private
  domain names can be resolved through a private IP, say 172.30.128.40.

  Now, we can run :

    sshuttle -r ssh.remoteserver.com -i 172.30.0.0/16 --dns-hosts 172.30.128.40

  DNS queries for private domain names will get forwarded to 172.30.128.40,
  intercepted by the firewall rule and sent through the tunnel to the nameserver
  used by the remote endpoint (which might or might not be 172.30.128.40 !).

Notes :

    * There is nothing preventing --dns-hosts from being used together with
	  --dns, in which case the nameservers found in resolv.conf will also be
	  added to the firewall rules as usual. This defeats the purpose of the
	  example, however.
	  There might be some weird use-case where this is useful ?

    * Since there is no control over which nameserver the query gets sent to
	  after it has crossed the tunnel, the IPs specified in --dns-hosts are
	  irrelevant (as long as they are the same as found in the DNS forwarder
	  configuration). This might be a little counter-intuitive.
---
 client.py | 8 +++++---
 main.py   | 4 +++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/client.py b/client.py
index a42fdf5..1cd6d6b 100644
--- a/client.py
+++ b/client.py
@@ -339,7 +339,8 @@ def onhostlist(hostlist):
         mux.callback()
 
 
-def main(listenip, ssh_cmd, remotename, python, latency_control, dns,
+def main(listenip, ssh_cmd, remotename, python, latency_control,
+         dns, dns_hosts,
          seed_hosts, auto_nets,
          subnets_include, subnets_exclude, syslog, daemon, pidfile):
     if syslog:
@@ -380,11 +381,12 @@ def main(listenip, ssh_cmd, remotename, python, latency_control, dns,
     listenip = listener.getsockname()
     debug1('Listening on %r.\n' % (listenip,))
 
-    if dns:
+    if dns or dns_hosts:
         dnsip = dnslistener.getsockname()
         debug1('DNS listening on %r.\n' % (dnsip,))
         dnsport = dnsip[1]
-        dns_hosts = resolvconf_nameservers()
+        if dns:
+            dns_hosts += resolvconf_nameservers()
     else:
         dnsport = 0
         dnslistener = None
diff --git a/main.py b/main.py
index b958e98..6493506 100755
--- a/main.py
+++ b/main.py
@@ -54,6 +54,7 @@ def parse_ipport(s):
 H,auto-hosts scan for remote hostnames and update local /etc/hosts
 N,auto-nets  automatically determine subnets to route
 dns        capture local DNS requests and forward to the remote DNS server
+dns-hosts= capture DNS requests to these servers and forward (comma-separated)
 python=    path to python interpreter on the remote server
 r,remote=  ssh hostname (and optional username) of remote sshuttle server
 x,exclude= exclude this subnet (can be used more than once)
@@ -67,7 +68,6 @@ def parse_ipport(s):
 V,version  print sshuttle's version number
 syslog     send log messages to syslog (default if you use --daemon)
 pidfile=   pidfile name (only if using --daemon) [./sshuttle.pid]
-dns-hosts= (internal use only)
 server     (internal use only)
 firewall   (internal use only)
 hostwatch  (internal use only)
@@ -113,6 +113,7 @@ def parse_ipport(s):
         remotename = opt.remote
         if remotename == '' or remotename == '-':
             remotename = None
+        nslist = re.split(r'[\s,]+', opt.dns_hosts.strip()) if opt.dns_hosts else []
         if opt.seed_hosts and not opt.auto_hosts:
             o.fatal('--seed-hosts only works if you also use -H')
         if opt.seed_hosts:
@@ -127,6 +128,7 @@ def parse_ipport(s):
                              opt.python,
                              opt.latency_control,
                              opt.dns,
+                             nslist,
                              sh,
                              opt.auto_nets,
                              parse_subnets(includes),