On 04/08/13 09:05, Michal Trojnara wrote:
> The very purpose of "transparent = source" is to make your server think it's connected directly by the clients. The returning packets obviously need to be routed back through the stunnel box to achieve this purpose. Otherwise the mangle PREROUTING tricks wouldn't make sense, would they?
Yep. That's why the "need to be on separate boxes" part seemed strange to me. As the incoming connections are from any, the only option would be the stunnel box being the gw for the service box. So I added a static route in the service box for my home IP via the stunnel box, and in that case, of course it works. But it's not a practical solution.
I've found a way of making it work without needing to alter that default gateway. Apart from the configurations to be done in the stunnel box, in the service box:

iptables -t mangle -I OUTPUT -p tcp --sport SERVICE_PORT -s SERVICE_IP -j MARK --set-mark 1
(this can be tweaked in every single case to granularly catch only desired packets)
ip rule add fwmark 1 lookup 100
ip route add 0.0.0.0/0 via STUNNEL_IP table 100
(other people might need to add "dev XXX")
Note: /proc/sys/net/ipv4/ip_forward doesn't need to be touched in any of the boxes.
> Using this feature is quite easy at the user-space level (this is what stunnel handles), but quite tricky at the kernel level (netfilter and routing configuration). A good HOWTO would be very useful.
Indeed! Thanks for the hints ;)
Regards,
Rubén.
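The three commands from the message above, wrapped as an added shell example (not part of the original thread or of stunnel itself) that a practitioner can run on the service box. It validates the addresses and port before emitting anything, prints the matching teardown so the policy route can be removed cleanly, and applies the commands only when asked to. The values SERVICE_IP, SERVICE_PORT, STUNNEL_IP, mark 1 and table 100 come from the post; the function names and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): policy routing on the
# service box so replies to stunnel's transparent connections go back
# through the stunnel box instead of the normal default gateway.

# Plain dotted-quad IPv4 check (no DNS, no CIDR). Assumption: IPv4 only.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# TCP port range check.
is_port() {
    echo "$1" | grep -Eq '^[0-9]+$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the setup commands. Args: service IP, service port, stunnel IP,
# optional fwmark (default 1) and routing table (default 100).
policy_route_cmds() {
    svc_ip=$1; svc_port=$2; tun_ip=$3; mark=${4:-1}; table=${5:-100}
    is_ipv4 "$svc_ip" || { echo "bad service IP: $svc_ip" >&2; return 1; }
    is_ipv4 "$tun_ip" || { echo "bad stunnel IP: $tun_ip" >&2; return 1; }
    is_port "$svc_port" || { echo "bad port: $svc_port" >&2; return 1; }
    # Only packets leaving the service socket get the mark; everything else
    # on the box keeps using the default gateway, so ip_forward stays off.
    echo "iptables -t mangle -I OUTPUT -p tcp --sport $svc_port -s $svc_ip -j MARK --set-mark $mark"
    echo "ip rule add fwmark $mark lookup $table"
    echo "ip route add 0.0.0.0/0 via $tun_ip table $table"
}

# Print the teardown in reverse order (same arguments).
policy_route_undo_cmds() {
    svc_ip=$1; svc_port=$2; tun_ip=$3; mark=${4:-1}; table=${5:-100}
    is_ipv4 "$svc_ip" || return 1
    is_ipv4 "$tun_ip" || return 1
    is_port "$svc_port" || return 1
    echo "ip route del 0.0.0.0/0 via $tun_ip table $table"
    echo "ip rule del fwmark $mark lookup $table"
    echo "iptables -t mangle -D OUTPUT -p tcp --sport $svc_port -s $svc_ip -j MARK --set-mark $mark"
}

# Run commands read from stdin (needs root); DRY_RUN=1 just echoes them.
apply_cmds() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "+ $cmd"
        else
            sh -c "$cmd" || return 1
        fi
    done
}

# Usage (constructed TEST-NET addresses, dry run):
#   policy_route_cmds 192.0.2.10 443 192.0.2.1 | DRY_RUN=1 apply_cmds
#   policy_route_undo_cmds 192.0.2.10 443 192.0.2.1 | DRY_RUN=1 apply_cmds
# Verify afterwards with "ip rule show" and "ip route show table 100".
```

Keep the mark and table values consistent between setup and teardown; a stale `ip rule` pointing at an empty table silently falls through to the main table, which is the symptom to look for if replies stop going via the stunnel box.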