Hello,
Is it possible to use the stunnel server as a transparent proxy? I was digging through the manpage and I see the transparent= option. What I would like to do is have a stunnel client connect to the stunnel server, and once the traffic is at the server, have it go to the original destination that the traffic entering the stunnel client was destined for.
I.e., can I have Firefox proxy to my stunnel client, which connects to my stunnel server, and then have that traffic go to whatever website the end user was trying to hit in Firefox?
My Stunnel server is on a CentOS box:
[root@CentOSTunTest ~]# uname -a
Linux CentOSTunTest 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
And my stunnel.conf
foreground = yes
debug = 7
options = NO_SSLv2
fips = no
output = /usr/local/etc/stunnel/stunnel.log

[https]
cert = /usr/local/etc/stunnel/stunnel.pem
accept = 443
connect = 80

[Internet]
cert = /usr/local/etc/stunnel/stunnel.pem
sni = https:Internet
transparent = destination
So basically, the transparent option in [Internet] is what I am wondering about: does it work the way I expect? I see this in the log file:
2014.10.23 09:57:05 LOG3[11414]: setsockopt SO_ORIGINAL_DST: Protocol not available (92)
2014.10.23 09:57:05 LOG5[11414]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
I see this in the stunnel manpage:
For a connect target installed on the same host:
/sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
    -m owner ! --uid-owner <stunnel_user_id> \
    -j DNAT --to-destination <local_ip>:<stunnel_port>
For a connect target installed on a remote host:
/sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
    -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
What does "for a connect target installed on the same host" mean? I thought transparent meant I was not using a connect target except the original destination. Does this mean I should implement the iptables rules for a remote host, since I want my client to just reach the internet?
Thanks for the help in advance!
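As an added example (not code from this thread or from stunnel's own source), this is the getsockopt(SO_ORIGINAL_DST) query that transparent=destination performs on each accepted socket, with the errno from the log line above mapped to its usual cause. It assumes Linux; the function names are mine.

```c
/* Added example, not code from this thread or from stunnel: the socket option
 * that stunnel's "transparent = destination" queries on every accepted
 * connection. The kernel can answer it only when NAT conntrack holds an entry
 * for that connection, i.e. an iptables DNAT/REDIRECT rule steered it here. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* Linux ABI value, from <linux/netfilter_ipv4.h> */
#endif

/* Pre-NAT destination of an accepted IPv4 TCP socket, written as "ip:port".
 * Returns 0 on success or -errno (stunnel logs that same errno on failure). */
int original_destination(int fd, char *buf, size_t buflen)
{
    struct sockaddr_in orig = {0};
    socklen_t len = sizeof(orig);
    char ip[INET_ADDRSTRLEN];
    if (getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, &orig, &len) < 0)
        return -errno;
    inet_ntop(AF_INET, &orig.sin_addr, ip, sizeof(ip));
    snprintf(buf, buflen, "%s:%u", ip, ntohs(orig.sin_port));
    return 0;
}
/* The two failures an operator is likely to meet, and what each one means. */
const char *explain_original_dst_error(int err)
{
    switch (err) {
    case ENOPROTOOPT: /* errno 92, the "Protocol not available" in the thread */
        return "no NAT conntrack handler for this socket: nf_conntrack/nf_nat is not loaded (usually because no NAT rules are installed yet) or the socket is not IPv4 TCP";
    case ENOENT:
        return "no conntrack NAT entry for this connection: it was not DNAT/REDIRECTed to stunnel, so there is no original destination to recover";
    }
    return "unexpected SO_ORIGINAL_DST failure";
}

/* Constructed failure case: a fresh socket that never passed through NAT. */
int demo_unconnected_socket(void)
{
    char buf[64];
    int fd = socket(AF_INET, SOCK_STREAM, 0), rc;
    if (fd < 0) return -errno;
    rc = original_destination(fd, buf, sizeof(buf)); /* negative: no NAT entry */
    close(fd);
    return rc;
}
```

Run against a socket accepted by a listener that a PREROUTING DNAT or REDIRECT rule points at, original_destination returns 0 and the client's intended ip:port; on the thread's setup it returns -ENOPROTOOPT, which is what the LOG3 line reports.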
Hi Derek,
You will need proxy software on your server as the endpoint (e.g. Squid).
If you are emulating a VPN, then you'd need VPN software (OpenVPN) as the endpoint.
On 23 Oct 2014 22:08, "Derek Cole" derek.cole@gmail.com wrote:
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Thanks for the reply. Is this the normal way people would do this, or would you normally just run stunnel in client mode on that server and have Firefox connect to it, which would then be able to transparently proxy to the internet?
Or is it pretty much always necessary to be running some actual proxy software, regardless of whether stunnel is in client or server mode?
On Thu, Oct 23, 2014 at 11:26 AM, Suresh Ramasamy suresh@drsuresh.net wrote:
Hello,
Regarding the iptables line that is mentioned in the manpage, what is the redirected port?
/sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
    -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
I am using the stunnel configuration I posted in the first email, and I want traffic on the stunnel server to end up at localhost:9040, so I think I would use that as the --to-destination, but I am unsure what to put in --dport. Is that going to be any port that I may be connecting to transparently (i.e. if I am using this as a web browser, would it be 80, 8000, 8080, etc.)?
On Thu, Oct 23, 2014 at 12:13 PM, Derek Cole derek.cole@gmail.com wrote:
I just wanted to follow up on that post by showing my full set of rules. See below:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "All Input"
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -i eth0 -p icmp -m icmp --icmp-type echo-request -j DROP
#-A INPUT -i eth0 -j InputIP
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-Drop:"
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "All-Forwards"
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD-Drop:"
-A FORWARD -j DROP
-A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "All Output"
-A OUTPUT -o eth0 -p tcp --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 8999 -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 8000 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT-Drop:"
-A OUTPUT -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j LOG
-A PREROUTING -p tcp --dport 12345 -i eth0 -j DNAT --to-destination 127.0.0.1:9040
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
On Tue, Oct 28, 2014 at 5:31 PM, Derek Cole derek.cole@gmail.com wrote: