[stunnel-users] misconfiguration of transparent proxy

Bucci, David G david.g.bucci at lmco.com
Tue Jul 12 18:17:35 CEST 2011


I think what Jose said will work ... but I don't know, seems like an "I have an stunnel hammer so everything looks like a nail" thing to me.  I mean, encrypt then unencrypt just to change source IP to localhost?  Wouldn't the following work -- add iptables rules on the server box (10.2.0.140) as follows:

	iptables -t nat -A PREROUTING --dst 10.2.0.140 -p tcp --dport 6776 -j DNAT \
		--to-destination 10.2.0.140:4776
	iptables -t nat -A POSTROUTING -p tcp --dst 10.2.0.140 --dport 4776 -j SNAT \
		--to-source 127.0.0.1

That makes port 6776 on that box be a proxy to 4776, with all packets that arrive at port 4776 appearing to come from localhost. I'm pretty sure that'd work, SNATing the packets to 127.0.0.1, no?  I mean, it's not like you're on a Windows box, where you don't have control of your own network stack :-P

(I didn't add an OUTPUT rule, because if you're already on the same box as your server process, I assume you'd just do a "telnet 127.0.0.1 4776")

But maybe you have a reason why you want to use stunnel for this.

-----Original Message-----
From: stunnel-users-bounces at stunnel.org [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of josealf at rocketmail.com
Sent: Wednesday, July 06, 2011 7:12 AM
To: Marco Strullato; stunnel-users-bounces at stunnel.org; stunnel-users at stunnel.org
Subject: EXTERNAL: Re: [stunnel-users] misconfiguration of transparent proxy

Your configuration still requires an SSL-enabled client. That's the reason you are getting the unknown protocol error. I think you might achieve what you want by configuring two stunnel services in the same machine for each appserv, one in server mode and the other in client mode, linked together. No transparent option should be needed. This could be considered an ugly hack :), like this:


; client-mode side: accepts the plaintext connection on 6776 and
; wraps it in SSL towards the server-mode side on 5776
[Appsrv01c]
Client=yes
Accept=6776
Connect=5776

; server-mode side: unwraps the SSL from 5776 and connects, as
; 127.0.0.1, to the application on 4776
[Appsrv01]
Client=no
Accept=5776
Connect=4776


This assumes your app listens on port 4776 and you connect from your client to port 6776 and you use port 5776 to link the two stunnel stanzas. Of course, you need a certificate and set verify=0

Regards,

Jose
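
The "SSL23_GET_CLIENT_HELLO:unknown protocol" line in Marco's log is the point Jose makes above: a server-mode stunnel hands every accepted connection to OpenSSL, which expects a ClientHello, while telnet sends whatever the user types. The following is an added example, not code from this thread or from the stunnel project: a small Python classifier for the first bytes a listener receives, distinguishing a TLS ClientHello (and the older SSLv2-compatible hello that OpenSSL 0.9.8's SSL23 method also accepts) from plaintext. The sample byte strings are constructed here, not captured traffic.

```python
# Added example (not from the thread): classify the first bytes a listener
# receives as a TLS/SSLv2 ClientHello or as plaintext. A server-mode stunnel
# expects the former; a telnet session delivers the latter, which OpenSSL
# reports as "SSL23_GET_CLIENT_HELLO:unknown protocol".
import struct

TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01         # TLS handshake message type: ClientHello
SSLV2_CLIENT_HELLO = 0x01   # SSLv2 message type: CLIENT-HELLO


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-client-hello', 'sslv2-client-hello' or 'plaintext'."""
    # TLS record header: type 0x16, version 0x03xx, 16-bit length, then the
    # first handshake byte must be ClientHello (0x01).
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04):
        record_len = struct.unpack("!H", data[3:5])[0]
        if record_len > 0 and data[5] == CLIENT_HELLO:
            return "tls-client-hello"
    # SSLv2-compatible hello: 2-byte length with the high bit set, then the
    # message type byte 0x01.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == SSLV2_CLIENT_HELLO:
        return "sslv2-client-hello"
    return "plaintext"


def server_mode_outcome(data: bytes) -> str:
    """What a server-mode stunnel listener does with these first bytes."""
    kind = classify_first_bytes(data)
    if kind == "plaintext":
        return "rejects: unknown protocol (client is not speaking SSL/TLS)"
    return "proceeds with the handshake (%s)" % kind


# Constructed samples, not captured from the thread.
TELNET_LINE = b"hello\r\n"
TLS_HELLO = (bytes([0x16, 0x03, 0x01, 0x00, 0x2f,      # record header
                    0x01, 0x00, 0x00, 0x2b, 0x03, 0x03])  # ClientHello header
             + b"\x00" * 32)                            # client random
SSLV2_HELLO = bytes([0x80, 0x2e, 0x01, 0x03, 0x01])

if __name__ == "__main__":
    for name, sample in (("telnet", TELNET_LINE), ("tls", TLS_HELLO),
                         ("sslv2", SSLV2_HELLO)):
        print(name, "->", server_mode_outcome(sample))
```

Run against the telnet sample it reports the same failure mode as the log; run against either hello it reports that the handshake proceeds, which is why the client-mode stunnel in Jose's pair (or any other SSL client) is required in front of a server-mode listener.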
-----Original Message-----
From: Marco Strullato <marco.strullato at gmail.com>
Sender: stunnel-users-bounces at stunnel.org
Date: Wed, 6 Jul 2011 11:28:08 
To: <stunnel-users at stunnel.org>
Subject: [stunnel-users] misconfiguration of transparent proxy

Hi all,
is there any way to use stunnel to proxy a connection without using encryption?
I have an application that is listening on 0.0.0.0:port but which
refuses connections if they are not coming from localhost:port, and that
application is reachable only with telnet, with no encryption.

I have found a possible configuration that is the following:

chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/stunnel.log
transparent=yes
[AppSrv01]
accept = 5776
connect = 4776
[AppSrv02]
accept = 5777
connect = 4777

but it does not seem to work: this is the log.

2011.07.06 11:08:20 LOG5[30375:47349987463360]: stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
2011.07.06 11:08:20 LOG5[30375:47349987463360]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2011.07.06 11:08:20 LOG6[30375:47349987463360]: file ulimit = 1024 (can be changed with 'ulimit -n')
2011.07.06 11:08:20 LOG6[30375:47349987463360]: poll() used - no FD_SETSIZE limit for file descriptors
2011.07.06 11:08:20 LOG5[30375:47349987463360]: 500 clients allowed
2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 4 in non-blocking mode
2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 5 in non-blocking mode
2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 6 in non-blocking mode
2011.07.06 11:08:20 LOG7[30375:47349987463360]: SO_REUSEADDR option set on accept socket
2011.07.06 11:08:20 LOG7[30375:47349987463360]: AppSrv01 bound to 0.0.0.0:5776
2011.07.06 11:08:20 LOG7[30375:47349987463360]: FD 7 in non-blocking mode
2011.07.06 11:08:20 LOG7[30375:47349987463360]: SO_REUSEADDR option set on accept socket
2011.07.06 11:08:20 LOG7[30375:47349987463360]: AppSrv02 bound to 0.0.0.0:5777
2011.07.06 11:08:20 LOG7[30376:47349987463360]: Created pid file /stunnel.pid
2011.07.06 11:08:30 LOG7[30376:47349987463360]: AppSrv01 accepted FD=8 from 10.0.1.11:41922
2011.07.06 11:08:30 LOG7[30376:1094314304]: AppSrv01 started
2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 8 in non-blocking mode
2011.07.06 11:08:30 LOG7[30376:1094314304]: TCP_NODELAY option set on local socket
2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 9 in non-blocking mode
2011.07.06 11:08:30 LOG7[30376:1094314304]: FD 10 in non-blocking mode
2011.07.06 11:08:30 LOG7[30376:47349987463360]: Cleaning up the signal pipe
2011.07.06 11:08:30 LOG6[30376:47349987463360]: Child process 30384 finished with code 0
2011.07.06 11:08:30 LOG7[30376:1094314304]: Connection from 10.0.1.11:41922 permitted by libwrap
2011.07.06 11:08:30 LOG5[30376:1094314304]: AppSrv01 connected from 10.0.1.11:41922
2011.07.06 11:08:30 LOG7[30376:1094314304]: SSL state (accept): before/accept initialization
2011.07.06 11:08:43 LOG3[30376:1094314304]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2011.07.06 11:08:43 LOG5[30376:1094314304]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.07.06 11:08:43 LOG7[30376:1094314304]: AppSrv01 finished (0 left)


and from the standard out I get:
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Snagged 64 random bytes from /home/user/.rnd
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Wrote 1024 new random bytes to /home/user/.rnd
2011.07.06 11:08:20 LOG7[30375:47349987463360]: RAND_status claims sufficient entropy for the PRNG
2011.07.06 11:08:20 LOG6[30375:47349987463360]: PRNG seeded successfully
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Certificate: /etc/stunnel/stunnel.pem
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Key file: /etc/stunnel/stunnel.pem
2011.07.06 11:08:20 LOG7[30375:47349987463360]: SSL context initialized for service AppSrv01
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Certificate: /etc/stunnel/stunnel.pem
2011.07.06 11:08:20 LOG7[30375:47349987463360]: Key file: /etc/stunnel/stunnel.pem
2011.07.06 11:08:20 LOG7[30375:47349987463360]: SSL context initialized for service AppSrv02


What happens connecting with telnet is:
Trying 10.0.2.140...
Connected to server.
Escape character is '^]'.

It seems the connection is successful, but with tcpdump I see nothing,
and I also see nothing in the application log. If I type
something, nothing happens.
It seems that the flow is not passed to the destination port.

Do you have any hint?


Thanks!

-- 
Marco
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
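
What Marco asks for, and what both the stunnel client/server pair and the NAT rules proposed in the replies are trying to achieve, is a connection that reaches the application from 127.0.0.1 with no encryption on the wire. The following is an added example, not code from this thread or from stunnel: a plain TCP relay in Python that accepts on a public port and, for every accepted connection, opens a fresh connection to 127.0.0.1 on the application port, so the application's "is the peer localhost?" check passes. Because that check is the application's only access control, the relay re-imposes one of its own: only sources in an allowlist are relayed, and everything else is closed before the application ever sees it. The allowed network (taken from the 10.0.1.11 client in the log), the ports and the stand-in "application" in demo() are assumptions constructed for the example.

```python
# Added example (not from the thread): a plaintext TCP relay that connects to
# the application from 127.0.0.1 and applies its own source allowlist, since
# relaying defeats the application's localhost-only check.
import ipaddress
import socket
import threading

# Assumed policy: only these client networks may reach the application.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.1.0/24"),
                   ipaddress.ip_network("127.0.0.0/8")]


def source_allowed(addr: str) -> bool:
    """Allowlist check applied before any upstream connection is opened."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_SOURCES)


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, peer, app_port):
    if not source_allowed(peer[0]):
        client.close()              # rejected: the app never sees it
        return
    # A fresh connection whose source is 127.0.0.1, which is all the app checks.
    upstream = socket.create_connection(("127.0.0.1", app_port))
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_relay(app_port, listen_host="0.0.0.0", listen_port=0):
    """Bind the public listener and serve it from a background thread.
    Returns (listening socket, bound port); listen_port=0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return                  # listener closed
            threading.Thread(target=_handle, args=(conn, peer, app_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Constructed stand-in for the localhost-only application: it records the
    peer address it saw, applies the same localhost check, and echoes one
    message. Returns (peer_ip_seen_by_app, echoed_bytes)."""
    app = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    app.bind(("127.0.0.1", 0))
    app.listen(1)
    seen = {}

    def app_loop():
        conn, peer = app.accept()
        seen["peer"] = peer[0]
        if peer[0] != "127.0.0.1":      # the application's own check
            conn.close()
            return
        conn.sendall(conn.recv(4096))
        conn.close()

    threading.Thread(target=app_loop, daemon=True).start()
    relay, port = start_relay(app.getsockname()[1], listen_host="127.0.0.1")
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(b"ping\r\n")
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    relay.close()
    app.close()
    return seen["peer"], reply


if __name__ == "__main__":
    print(demo())
```

To use it as the thread describes, call start_relay(4776, listen_port=6776) on the server box and keep the process running; the application keeps seeing 127.0.0.1, and the allowlist in ALLOWED_SOURCES is the knob that decides who is allowed to benefit from that.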