<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 2013-01-24 01:45, Alex Needham
wrote:<br>
</div>
<blockquote
cite="mid:CA+keopUujduB8eXyB9oPdaLhvXGuVAwkSQq65n9j3r71B4-xCA@mail.gmail.com"
type="cite">
<div>Config B - Not so good<br>
</div>
<div>connect = <a moz-do-not-send="true"
href="http://192.168.1.1:80">192.168.1.1:80</a> <- inside
interface of stunnel box<br>
<br>
iptables -t mangle -N DIVERT<br>
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT<br>
iptables -t mangle -A DIVERT -j MARK --set-mark 1<br>
iptables -t mangle -A DIVERT -j ACCEPT<br>
ip rule add fwmark 1 lookup 100<br>
ip route add local <a moz-do-not-send="true"
href="http://0.0.0.0/0">0.0.0.0/0</a> dev lo table 100<br>
<br>
</div>
<div>
/etc/sysctl.conf<br>
</div>
<div>no route filtering and forwarding is on<br>
</div>
<div><br>
</div>
<div>Am I trying something impossible? Or am I missing something?</div>
</blockquote>
<br>
Returning packets originating from a local process never reach the
PREROUTING table:<br>
<a class="moz-txt-link-freetext" href="http://www.sysresccd.org/Sysresccd-Networking-EN-Destination-port-routing#Overview_of_the_routing">http://www.sysresccd.org/Sysresccd-Networking-EN-Destination-port-routing#Overview_of_the_routing</a><br>
As a result they are routed to the client directly rather than via
stunnel.<br>
<br>
I don't think it's possible to route packets directly from one local
process to another local process.<br>
I'd try to use the OUTPUT chain to redirect packets to a virtual
interface (e.g. GRE), and then PREROUTING could catch packets the
other side of the tunnel.<br>
<br>
BTW: tcpdump is your friend!<br>
<br>
Mike<br>
</body>
</html>