Sirs, I'm trying to make Stunnel work as both a source and destination transparent proxy, and after looking at every possibility I started to track the packet that is locally generated (Stunnel client sending to Stunnel server).
The packet goes out from the process to the raw table output chain. It is delivered to connection tracking, which passes the packet to mangle output, but it disappears before arriving in the nat table output chain.
Stunnel packet, destination 7.0.0.2:80 (original destination) ------ raw/output ----- connectTrack ------ mangle/output ------- XXXX disappears
With transparent destination off it works fine.
Stunnel packet, destination 9.0.0.2:443 (Stunnel server IP) ------ raw/output ----- connectTrack ------ mangle/output ------- nat/output ---- filter/output ---- interface
The problem is probably related to the tproxy/ip_transparent that stunnel uses to control the connection and get the original src/dst to use.
I tried 3 different Linux distributions with the same behavior.
Does someone already use transparent=both and can give me a setup that worked, like Linux distribution/version, stunnel version and so on?
Thanks,
Luis Monteiro
Just to document the solution, which was pretty hard to discover since I had to understand what Stunnel was doing together with tproxy/ip_transparent.
When you set both, stunnel uses all kinds of socket access, local and remote. With both options enabled, the local socket, instead of connecting to the lo interface, gets the outside Ethernet, in my case ens192.
The solution is to use socket options in the config file as below:
Socket = l:SO_BINDTODEVICE=lo
If you believe in witches, bind access and remote as well: access to interface ens224 and remote to ens192 in my case:
Socket = a:SO_BINDTODEVICE=ens224
Socket = r:SO_BINDTODEVICE=ens192
Now everything will work fine.
The solution is not documented in the manual page.
Good luck.
Luis
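A complete client-side service section that puts the three Socket lines above into context, as an added example that is not from Luis's post or from the stunnel project. The addresses and interface names are the ones from the thread; the accept port, logging level, CA file path and verification settings are assumptions.

```ini
; Added example (not from the thread or the stunnel project): stunnel client
; acting as a transparent proxy for both source and destination, with the
; SO_BINDTODEVICE socket options that made it work for the poster.
; Values marked "assumption" are not from the thread.

; Stay in the foreground and log verbosely while testing (assumption).
foreground = yes
debug = 7

[transparent-client]
client = yes

; Port the firewall redirects intercepted client traffic to (assumption).
accept = 0.0.0.0:8080

; Stunnel server address from the thread.
connect = 9.0.0.2:443

; Source + destination transparency; the stunnel process needs
; CAP_NET_ADMIN (or root) for this.
transparent = both

; Bind each socket to an explicit interface, as described in the thread:
; local socket on loopback, accept socket on ens224, remote socket on the
; outside interface ens192.
Socket = l:SO_BINDTODEVICE=lo
Socket = a:SO_BINDTODEVICE=ens224
Socket = r:SO_BINDTODEVICE=ens192

; Verify the server certificate against a trusted CA (path is an assumption).
CAfile = /etc/stunnel/ca.crt
verify = 2
```

The firewall rules that redirect the intercepted traffic to the accept port are outside what the thread covers and are not shown here.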
From: Luis Monteiro luis.monteiro440@gmail.com Sent: Thursday, 31 January 2019 22:46 To: stunnel-users@stunnel.org Subject: Stunnel 5.50 Transparent Both (Source+Destination)