Hello List,
I am working on a small project where I need to encrypt nfs traffic, and Stunnel looks to be ideal, the only issue I'm having is getting the transparent part to work
I have a client machine running the stunnel config below:
#GLOBAL#######################################################
sslVersion = TLSv1.2
TIMEOUTidle = 600
renegotiation = no
FIPS = no
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
syslog = yes
debug = 7
;chroot = /var/empty/stunnel
libwrap = yes
service = 3d-nfsd
curve = secp521r1
#CREDENTIALS##################################################
verify = 4
CAfile = /etc/stunnel/nfs-tls.pem
cert = /etc/stunnel/nfs-tls.pem
#ROLE#########################################################
client = yes
connect = fqdn:2363
and the client, which is running on top of the nfs-ganesha server, config below:
#GLOBAL#######################################################
TIMEOUTidle = 600
renegotiation = no
FIPS = no
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
syslog = yes
debug = 7
setuid = nobody
setgid = nobody
chroot = /var/empty/stunnel
libwrap = yes
service = MC-nfsd
; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
; echo 'MC-nfsd: ALL EXCEPT 5.6.7.8' >> hosts.deny;
; chcon -t stunnel_etc_t hosts.deny
curve = secp521r1
#CREDENTIALS##################################################
verify = 4
CAfile = /etc/stunnel/nfs-tls.pem
cert = /etc/stunnel/nfs-tls.pem
#ROLE#########################################################
connect = 127.0.0.1:2049
I have had a look through the documentation and I believe I need to set transparent = source on the client side, and then set some iptables firewall rules. Does anyone have a guide, or some advice on how to get this to work? Generally, what happens if I set the firewall rules on the client and set transparent to source is that I just get "connection closed by remote host". I never actually see the traffic leave the client host.
To confirm, when not using transparent everything works correctly, except that the server side sees the connection coming from 127.0.0.1.
Thanks
Rgds Steve.
The future has already arrived. It's just not evenly distributed yet - William Gibson
Steven Relf - Technical Authority: Cloud Native Infrastructure srelf@ukcloud.com +44 1252 936019 / +44 7500 085 864 www.ukcloud.com A8, Cody Technology Park, Ively Road, Farnborough, GU14 0LX
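A small config check for the transparent = source setting discussed in the message above, added here as an example; it is not code from the original post or from stunnel. It assumes the stunnel manual's statement that, in connect mode on Linux, transparent = source requires stunnel to run as root without setuid/setgid, and it works on a constructed config modelled on the posted server side (the finding messages and function names are my own).

```python
"""Lint a flat (single-service) stunnel config for the documented
'transparent = source' prerequisites. Added example, not from the original
post or from stunnel. Assumption taken from the stunnel manual: in connect
mode on Linux, transparent = source needs root and no setuid/setgid."""
from typing import Dict, List

# Constructed sample: the poster's server-side config, shortened, with
# transparent = source added to the ROLE section (the setting under discussion).
SERVER_CONF = """
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE
setuid = nobody
setgid = nobody
chroot = /var/empty/stunnel
service = MC-nfsd
; echo 'MC-nfsd: ALL EXCEPT 5.6.7.8' >> hosts.deny
verify = 4
CAfile = /etc/stunnel/nfs-tls.pem
transparent = source
connect = 127.0.0.1:2049
"""


def parse_stunnel_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'key = value' lines; ';' and '#' start comments. Keys such as
    'options' repeat, so every key maps to the list of its values in order."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf


def check_transparent_source(text: str) -> List[str]:
    """Return findings for a config meant to use transparent = source;
    an empty list means the documented prerequisites are met."""
    conf = parse_stunnel_conf(text)
    if conf.get("transparent", ["none"])[-1] not in ("source", "both"):
        return ["transparent = source not set; the wrapped daemon sees the stunnel host address"]
    findings: List[str] = []
    if "connect" not in conf:
        findings.append("no connect target; transparent = source applies to connect mode")
    for key in ("setuid", "setgid"):  # privilege drop breaks transparent = source
        if key in conf:
            findings.append(f"{key} = {conf[key][-1]}: manual requires root without {key}")
    return findings
```

Removing the setuid/setgid lines from the sample clears the findings; the iptables/routing rules the manual also requires are outside what a config file can show.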