<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi, there.<br>
<br>
Base server details: <br>
- Using the latest stunnel 5.37<br>
- Ubuntu Trusty<br>
- The computers communicating with each other use bridged interface addresses that are configured by the clustering software (i.e. to ensure that at least one of the nodes is master and host to some common addresses)<br>
- For discussion purposes, let's say that each server has an eth0 and eth1, and that the master node has two additional bridged address (ie. eth0:shared-ip1, eth1:shared-ip2)<br>
- The slave nodes will try to connect to eth0:shared-ip1:20001 and eth1:shared-ip2:20001 that are hosted on the master<br>
- The master node will also try to connect to these as well, while listening on port 20001<br>
- Not running in a chroot and am running stunnel as stunnel4 user<br>
- I have created a working solution using 4 services in the stunnel config and using hard-coded destinations in the iptables rules and the stunnel config. I want to create something more dynamic and versatile.
<br>
<br>
I am trying to insert a stunnel instance between my server application that attempts to connect to its twin on another server, using the bridging addresses. I am trying to avoid hard-coding destination IP addresses in my stunnel configuration file and the iptables
rules. I also don't want to have separate rules for each interface. <br>
<br>
For example, from server A's perspective (i.e. the master node), the desirable sequence of events are:
<br>
<br>
- Attempt to connect to port 20001 using the bridge addresses as destinations (in this case, they would be local interfaces).
<br>
- Intercept the requests to port 20001 on server A and divert them to port 40000 for encryption (i.e. the local stunnel instance).<br>
- Send unencrypted data from stunnel directly to local 20001.<br>
<br>
At the same time, server B is doing the same, except that the bridge addresses reside on server A and are not local. So, server A would also need to do this:
<br>
<br>
- Intercept external request for port 20001 and send it to stunnel port 40000 for encryption<br>
- Send decrypted packets to local port 20001<br>
<br>
This same type of sequence would also be happening<br>
<br>
My stunnel configuration looks like this: <br>
<blockquote>fips=yes<br>
pid=/var/run/stunnel4/testsrv.pid<br>
debug=7<br>
output=/var/log/stunnel4/testsrv.log<br>
sslVersion = TLSv1.2<br>
key = <private-key-location><br>
cert = <cert-location><br>
CAfile = <ca-file-location><br>
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256<br>
<br>
[test-srv]<br>
client=yes<br>
accept=40000<br>
transparent=destination<br>
</blockquote>
My iptables rules, base on what I read in the man page, are this: <br>
<br>
<blockquote>STUNNEL_UID=$(id -u stunnel4)<br>
<br>
# Redirect any incoming requests to port 20001<br>
iptables -t nat -A PREROUTING -p tcp --dport 20001 ! -i lo -j DNAT --to-destination 127.0.0.1:40000<br>
iptables -A INPUT -p tcp --dport 40000 -j ACCEPT<br>
<br>
# Redirect any outgoing locally generated requests for 20001 to stunnel port 40000<br>
iptables -t nat -A OUTPUT -p tcp --dport 20001 -m owner ! --uid-owner $STUNNEL_UID -j DNAT --to-destination 127.0.0.1:40000<br>
<br>
# Redirect the output of stunnel to the local 20001 port<br>
iptables -t nat -A OUTPUT -p tcp --dport 20001 -m owner --uid-owner $STUNNEL_UID -j REDIRECT --to-ports 20001
<br>
iptables -t nat -A INPUT -p tcp -d 127.0.0.1 --dport 20001 -j ACCEPT<br>
</blockquote>
These rules are not completely adequate. For now, I'm just trying to get server A's connection to port 20001 working without having to worry about incoming from server B.
<br>
<br>
When I do this and start stunnel and my process, server A's stuff appears to loop endlessly. I think this is happening because the packets that come out of stunnel, due to the transparency configuration, look exactly the same as the original. If I log stuff
using iptables, I see repeat entries like this: <br>
<blockquote>nat-OUTPUT: IN= OUT=lo SRC=150.150.242.26 DST=150.150.242.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30541 DF PROTO=TCP SPT=50101 DPT=20001 WINDOW=43690 RES=0x00 SYN URGP=0<br>
filter-OUTPUT: IN= OUT=lo SRC=150.150.242.26 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30541 DF PROTO=TCP SPT=50101 DPT=40000 WINDOW=43690 RES=0x00 SYN URGP=0<br>
nat-POSTROUTING: IN= OUT=lo SRC=150.150.242.26 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30541 DF PROTO=TCP SPT=50101 DPT=40000 WINDOW=43690 RES=0x00 SYN URGP=0<br>
filter-INPUT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=150.150.242.26 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30541 DF PROTO=TCP SPT=50101 DPT=40000 WINDOW=43690 RES=0x00 SYN URGP=0<br>
filter-OUTPUT: IN= OUT=lo SRC=150.150.242.26 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=30542 DF PROTO=TCP SPT=50101 DPT=40000 WINDOW=342 RES=0x00 ACK URGP=0<br>
filter-INPUT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=150.150.242.26 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=30542 DF PROTO=TCP SPT=50101 DPT=40000 WINDOW=342 RES=0x00 ACK URGP=0<br>
nat-OUTPUT: IN= OUT=lo SRC=150.150.242.26 DST=150.150.242.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48827 DF PROTO=TCP SPT=50102 DPT=20001 WINDOW=43690 RES=0x00 SYN URGP=0<br>
filter-OUTPUT: IN= OUT=lo SRC=150.150.242.26 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48827 DF PROTO=TCP SPT=50102 DPT=40000 WINDOW=43690 RES=0x00 SYN URGP=0<br>
nat-POSTROUTING: IN= OUT=lo SRC=150.150.242.26 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48827 DF PROTO=TCP SPT=50102 DPT=40000 WINDOW=43690 RES=0x00 SYN URGP=0<br>
filter-INPUT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=150.150.242.26 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48827 DF PROTO=TCP SPT=50102 DPT=40000 WINDOW=43690 RES=0x00 SYN URGP=0<br>
filter-OUTPUT: IN= OUT=lo SRC=150.150.242.26 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48828 DF PROTO=TCP SPT=50102 DPT=40000 WINDOW=342 RES=0x00 ACK URGP=0<br>
filter-INPUT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=150.150.242.26 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48828 DF PROTO=TCP SPT=50102 DPT=40000 WINDOW=342 RES=0x00 ACK URGP=0<br>
filter-OUTPUT: IN= OUT=lo SRC=150.150.242.26 DST=127.0.0.1 LEN=269 TOS=0x00 PREC=0x00 TTL=64 ID=48829 DF PROTO=TCP SPT=50102 DPT=40000 WINDOW=342 RES=0x00 ACK PSH URGP=0<br>
filter-INPUT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=150.150.242.26 DST=127.0.0.1 LEN=269 TOS=0x00 PREC=0x00 TTL=64 ID=48829 DF PROTO=TCP SPT=50102 DPT=40000 WINDOW=342 RES=0x00 ACK PSH URGP=0<br>
...<br>
</blockquote>
As can be seen, line 1 and line 7 are virtually identical. <br>
<br>
In the stunnel log, I can see that stunnel is receiving multiple requests for port 20001 in rapid succession but is not actually receiving any reply from the final destination.
<br>
<br>
So, if anyone has any ideas, tweaks or suggestions for how to solve this problem or where I am going wrong, I would appreciate it. I can use a static configuration with hard-coded destination IP's but if there is an alternative, I would like to know. I have
tried for several days to figure this out and have searched Google extensively, including stunnel-users postings, to figure out how to do this without success.
<br>
<br>
Thanks, <br>
<br>
Rodney Lott<br>
</body>
</html>