- sshttp: reflecting rename of nf-conntrack module on newer distros t…

…o avoid dstaddr() errors and

  start porting nf scripts to nft slowly

README.md

@@ -24,7 +24,9 @@ _sshttpd_ can multiplex the following protocol pairs:
 
 Be sure you run recent Linux kernel and install `nf-conntrack` as well
 as `libcap` and `libcap-devel` if you want to use the capability feature.
+On older systems the nf-conntrack module is named nf-conntrack-ipv4.
 
+Inside `src` dir:
 ```
 $ make
 ```
@@ -57,7 +59,11 @@ If its __HTTP(S)__ traffic, it switches the traffic to the `HTTP_PORT`
 (`-H`, default 8080) and if its __SSH__ traffic to `SSH_PORT` (`-S`, default
 22) respectively.
 
-You need to edit `nf-setup` script to match your network device and `$PORTS` (`22` and `8080`
+After the build it is time to pick the right netfilter script for setting up the fw rules.
+In `iptables` directory you will find the old style *iptables* version and in `nft`
+the new version for *nft* (but currently only using the compat layer).
+
+You need to edit `nf-setup` script (`nf6-setup`if using IPv6) to match your network device and `$PORTS` (`22` and `8080`
 are just fine for the SSH/HTTP case) and run it to install the proxy rules.
 Your _sshd_ has to run on `$SSH_PORT` and your webserver on `$HTTP_PORT`.
 Thats basically it. Go ahead and run _sshttpd_ (as root) and it will layer5-switch

nf-setup → iptables/nf-setup

@@ -28,6 +28,9 @@ PORTS="22 8080"
 #iptables -t raw -F
 
 modprobe nf_conntrack_ipv4 || true
+modprobe nf_conntrack || true
+modprobe xt_conntrack || true
+
 iptables -t mangle -N DIVERT || true
 
 echo "Using network device $DEV"
@@ -51,3 +54,6 @@ iptables -t mangle -A DIVERT -j ACCEPT
 ip rule add fwmark 1 lookup 123 || true
 ip route add local 0.0.0.0/0 dev lo table 123
 
+# this is necessary on some kernels to make conntrack actually work, huh?
+iptables -A INPUT -m conntrack -i lo --ctstate NEW -j LOG
+

nf6-setup → iptables/nf6-setup

@@ -28,6 +28,9 @@ PORTS="22 8080"
 #ip6tables -t raw -F
 
 modprobe nf_conntrack_ipv6 || true
+modprobe nf_conntrack || true
+modprobe xt_conntrack || true
+
 ip6tables -t mangle -N DIVERT || true
 
 echo "Using network device $DEV"
@@ -51,3 +54,6 @@ ip6tables -t mangle -A DIVERT -j ACCEPT
 ip -6 rule add fwmark 1 lookup 123 || true
 ip -6 route add local ::/0 dev lo table 123
 
+# this is necessary on some kernels to make conntrack actually work, huh?
+ip6tables -A INPUT -m conntrack -i lo --ctstate NEW -j LOG
+

nft/nf-setup

@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# sshttp netfilter rules, nft version: to be translated to direct "nft" calls
+#
+
+# If you mux SSH/SMTP (rather than HTTP), then HTTP_PORT is your
+# alternate SMTP port. e.g. 2525 and sshttp needs to be started with
+# '-L 25 -H 2525'
+
+DEV=eth0
+
+# The ports you want to mux:
+# -S <port> -H <port> and any other -N SNI:<ports> (in case of HTTPS)
+# do NOT add the -L port here
+# standard SSH / HTTP mux looks like this (sshttpd -S 22 -H 8080 -L 80)
+PORTS="22 8080"
+
+# a SSH / HTTPS mux with https server on port 4433 and a drops
+# on port 7350 looks like this (sshttpd -S 22 -H 4433 -L 443 -N drops.v2:7350)
+#PORTS="22 4433 7350"
+
+# SNI-only mux without SSH (sshttpd -S 0 -H 4433 -L 443 -N drops.v2:7350)
+#PORTS="4433 7350"
+
+#if it clashes with complex NATing rules, try this
+#iptables-nft -t mangle -F
+#iptables-nft -t nat -F
+#iptables-nft -t raw -F
+
+modprobe nf_conntrack_ipv4 || true
+modprobe nf_conntrack || true
+modprobe xt_conntrack || true
+
+iptables-nft -t mangle -N DIVERT || true
+
+echo "Using network device $DEV"
+
+for p in $PORTS; do
+	echo "Setting up port $p ..."
+
+	# block direct access from outside
+	iptables-nft -A INPUT -i $DEV -p tcp --dport $p -j DROP
+
+	# and divert anything back to sshttpd that comes from the muxed services
+	# so sshttpd can see it
+	iptables-nft -t mangle -A OUTPUT -p tcp -o $DEV --sport $p -j DIVERT
+done
+
+iptables-nft -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
+
+iptables-nft -t mangle -A DIVERT -j MARK --set-mark 1
+iptables-nft -t mangle -A DIVERT -j ACCEPT
+
+ip rule add fwmark 1 lookup 123 || true
+ip route add local 0.0.0.0/0 dev lo table 123
+
+# this is necessary on some kernels to make conntrack actually work, huh?
+iptables-nft -A INPUT -m conntrack -i lo --ctstate NEW -j LOG
+

nft/nf6-setup

@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# sshttp netfilter rules, nft version
+#
+
+# If you mux SSH/SMTP (rather than HTTP), then HTTP_PORT is your
+# alternate SMTP port. e.g. 2525 and sshttp needs to be started with
+# '-L 25 -H 2525'
+
+DEV=eth0
+
+# The ports you want to mux:
+# -S <port> -H <port> and any other -N SNI:<ports> (in case of HTTPS)
+# do NOT add the -L port here
+# standard SSH / HTTP mux looks like this (sshttpd -S 22 -H 8080 -L 80)
+PORTS="22 8080"
+
+# a SSH / HTTPS mux with https server on port 4433 and a drops
+# on port 7350 looks like this (sshttpd -S 22 -H 4433 -L 443 -N drops.v2:7350)
+#PORTS="22 4433 7350"
+
+# SNI-only mux without SSH (sshttpd -S 0 -H 4433 -L 443 -N drops.v2:7350)
+#PORTS="4433 7350"
+
+#if it clashes with complex NATing rules, try this
+#ip6tables-nft -t mangle -F
+#ip6tables-nft -t nat -F
+#ip6tables-nft -t raw -F
+
+modprobe nf_conntrack_ipv6 || true
+modprobe nf_conntrack || true
+modprobe xt_conntrack || true
+
+ip6tables-nft -t mangle -N DIVERT || true
+
+echo "Using network device $DEV"
+
+for p in $PORTS; do
+	echo "Setting up port $p ..."
+
+	# block HTTP/SSH direct access from outside
+	ip6tables-nft -A INPUT -i $DEV -p tcp --dport $p -j DROP
+
+	# and divert anything back to sshttpd that comes from the muxed services
+	# so sshttpd can see it
+	ip6tables-nft -t mangle -A OUTPUT -p tcp -o $DEV --sport $p -j DIVERT
+done
+
+ip6tables-nft -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
+
+ip6tables-nft -t mangle -A DIVERT -j MARK --set-mark 1
+ip6tables-nft -t mangle -A DIVERT -j ACCEPT
+
+ip -6 rule add fwmark 1 lookup 123 || true
+ip -6 route add local ::/0 dev lo table 123
+
+# this is necessary on some kernels to make conntrack actually work, huh?
+ip6tables-nft -A INPUT -m conntrack -i lo --ctstate NEW -j LOG
+