Hello List,
I am working on a small project where I need to encrypt NFS traffic, and Stunnel looks to be ideal. The only issue I’m having is getting the transparent part to work.
I have a client machine running the stunnel config below:
#GLOBAL#######################################################
sslVersion = TLSv1.2
TIMEOUTidle = 600
renegotiation = no
FIPS = no
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
syslog = yes
debug = 7
;chroot = /var/empty/stunnel
libwrap = yes
service = 3d-nfsd
curve = secp521r1
#CREDENTIALS##################################################
verify = 4
CAfile = /etc/stunnel/nfs-tls.pem
cert = /etc/stunnel/nfs-tls.pem
#ROLE#########################################################
client = yes
connect = fqdn:2363
and the client which is running on top of the nfs-ganesha server, config below:
#GLOBAL#######################################################
TIMEOUTidle = 600
renegotiation = no
FIPS = no
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
syslog = yes
debug = 7
setuid = nobody
setgid = nobody
chroot = /var/empty/stunnel
libwrap = yes
service = MC-nfsd
; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
; echo 'MC-nfsd: ALL EXCEPT 5.6.7.8' >> hosts.deny;
; chcon -t stunnel_etc_t hosts.deny
curve = secp521r1
#CREDENTIALS##################################################
verify = 4
CAfile = /etc/stunnel/nfs-tls.pem
cert = /etc/stunnel/nfs-tls.pem
#ROLE#########################################################
connect = 127.0.0.1:2049
I have had a look through the documentation and I believe I need to set transparent = source on the client side, and then set some iptables firewall rules. Does anyone have a guide, or some advice on how to get this to work? Generally, what happens if I set the firewall rules on the client and set transparent to source is that I just get "connection closed by remote host". I never actually see the traffic leave the client host.
To confirm, when not using transparent everything works correctly, except that the server side sees the connection coming from 127.0.0.1.
Thanks
Rgds
Steve.
The future has already arrived. It's just not evenly distributed yet - William Gibson
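Added example (editor's, not code from Steve's post or from the stunnel project): the server-side service section and the iptables/ip commands the stunnel manual lists for "transparent = source" on Linux >= 2.6.28, plus a small lint for the two settings in the posted configs that conflict with that mode. By the manual's description the option re-writes the source address of stunnel's *outgoing* connect(), so it belongs in the section on the nfs-ganesha host that does connect = 127.0.0.1:2049, and that stunnel must run as root without setuid. Assumptions: accept = 2363 matches the client's connect line; mark 1 and table 100 are the manual's example values; the mangle OUTPUT rule for a backend on the same host is the editor's addition, not from the manual.

```shell
#!/bin/sh
# Editor's added example, not from the original post or the stunnel project.
# Packages the stunnel manual's requirements for "transparent = source"
# (Linux >= 2.6.28): the option sits in the service that connect()s to the
# backend, stunnel runs as root without setuid, and the DIVERT/fwmark
# routing below is installed on that host.
# Assumed: port 2363 and the cert path come from the post; mark 1 and
# table 100 are the manual's example values; the OUTPUT rule is an
# editor's addition for a backend on the same host.
set -eu

# Server-side service section for the nfs-ganesha host. "transparent = source"
# re-writes the source of stunnel's connection to 127.0.0.1:2049 so nfsd sees
# the TLS client's IP instead of 127.0.0.1. No setuid/setgid here: the
# IP_TRANSPARENT bind needs root.
server_section() {
cat <<'EOF'
[MC-nfsd]
accept  = 2363
connect = 127.0.0.1:2049
transparent = source
verify = 4
CAfile = /etc/stunnel/nfs-tls.pem
cert   = /etc/stunnel/nfs-tls.pem
EOF
}

# The iptables/ip commands the stunnel manual gives for this mode: packets
# arriving in PREROUTING that belong to a local IP_TRANSPARENT socket are
# marked and delivered locally instead of being forwarded. Print, review,
# then run as root on the nfs-ganesha host.
tproxy_rules() {
cat <<'EOF'
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
# Editor's addition (not in the manual): with nfsd on the same host its
# replies are locally generated and never pass PREROUTING, so mark them in
# OUTPUT as well; the fwmark rule above then routes them back in over lo.
iptables -t mangle -A OUTPUT -p tcp --sport 2049 -j MARK --set-mark 1
EOF
}

# Apply the rules; refuses to run as a non-root user.
apply_tproxy_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_tproxy_rules: must run as root" >&2; return 1; }
    tproxy_rules | sh -e
}

# Lint one stunnel config file (the post's single-service layout without
# [section] headers is treated as one section). Strips ';' comments and
# whitespace, then returns 1 with an explanation when "transparent = source"
# is combined with a setting that defeats it.
lint_transparent() {
    conf=$1
    rc=0
    norm=$(sed -e 's/;.*//' -e 's/[[:space:]]//g' "$conf")
    if printf '%s\n' "$norm" | grep -qx 'transparent=source'; then
        if printf '%s\n' "$norm" | grep -qx 'client=yes'; then
            echo "$conf: transparent = source in a client = yes section re-writes the outgoing TLS connection's source to the local application's address (127.0.0.1 here); move it to the server-side section that connects to the backend"
            rc=1
        fi
        if printf '%s\n' "$norm" | grep -q '^setuid='; then
            echo "$conf: transparent = source requires stunnel to run as root without setuid"
            rc=1
        fi
    fi
    return $rc
}
```

Run `tproxy_rules` to review the commands, `apply_tproxy_rules` as root on the nfs-ganesha host, then start stunnel as root with the setuid/setgid lines removed; `lint_transparent /etc/stunnel/stunnel.conf` reports both mistakes above on the posted server config (setuid) and on the client config with transparent added (client = yes). The manual's `iptables -N DIVERT` line fails if the chain already exists, so flush and delete it before re-running.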