On 2013-08-04 00:02, Rubén Cardenal wrote:
So: service's box receives a SYN packet from my home IP address (originated from stunnel's box), and answers with a proper ACK packet. That's ok. But as that ACK reply has as destination an external IP, it goes to the box's default gateway (and not to the box where stunnel is running) and gets lost.

The very purpose of "transparent = source" is to make your server think it's connected directly by the clients.  The returning packets obviously need to be routed back through the stunnel box to achieve this purpose.  Otherwise the mangle PREROUTING tricks wouldn't make sense, would they?

Using this feature is quite easy at the user-space level (this is what stunnel handles), but quite tricky at the kernel level (netfilter and routing configuration).  A good HOWTO would be very useful.

Mike
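The kernel-side setup the reply alludes to, as an added example that is not part of the original thread: on the Linux box running stunnel with "transparent = source", the mangle PREROUTING rules catch the service's replies (which carry the spoofed client address as destination) and policy routing delivers them to the local transparent socket instead of forwarding them toward the client's real network. The addresses, the fwmark value and the routing-table number are placeholders chosen for this example; it also assumes the service box already routes its replies via the stunnel box (typically by having it as the default gateway), which is exactly the missing piece in the problem described above. Commands are only printed unless APPLY=1 is set, so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: return-path setup on the stunnel box
# for "transparent = source". Values below are constructed placeholders.
SERVICE_ADDR="${SERVICE_ADDR:-192.0.2.10}"   # box running the wrapped service
SERVICE_PORT="${SERVICE_PORT:-8080}"         # port the service listens on
FWMARK=1                                     # arbitrary firewall mark
RTABLE=100                                   # arbitrary policy-routing table

# Print each command in dry-run mode; execute it only when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

transparent_return_rules() {
    # Step 1 (netfilter): a reply from the service arrives here with
    # dst = real client IP. "-m socket" matches it to the existing local
    # transparent socket stunnel opened on that client's behalf.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    # Step 2 (routing): marked packets are delivered locally rather than
    # forwarded to the default gateway, which is where they were being lost.
    run ip rule add fwmark "$FWMARK" lookup "$RTABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$RTABLE"
}

# Sanity check for the operator: do the service's replies reach this box
# at all? If nothing shows up, the service box is still sending them to its
# own default gateway and the rules above never get a chance to act.
check_return_path() {
    run tcpdump -ni any "tcp and src host $SERVICE_ADDR and src port $SERVICE_PORT"
}

transparent_return_rules
```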