[stunnel-users] transparent = source, not working (solved)
Rubén Cardenal
cosas at ruben.cn
Sun Aug 4 11:46:23 CEST 2013
On 04/08/13 09:05, Michal Trojnara wrote:
> The very purpose of "transparent = source" is to make your server
> think it's connected directly by the clients. The returning packets
> obviously need to be routed back through the stunnel box to achieve
> this purpose. Otherwise the mangle PREROUTING tricks wouldn't make
> sense, would they?
Yep. That's why the "need to be on separate boxes" part seemed strange
to me. As the incoming connections are from any, the only option would
be the stunnel box being the gw for the service box. So I added a static
route in the service box for my home IP via the stunnel box, and in that
case, of course it works. But it's not a practical solution.
I've found a way to make it work without needing to alter that
default gateway. Apart from the configuration to be done in the stunnel
box, in the service box:
# mark the service's reply packets (this can be tweaked in every single
# case to granularly catch only the desired packets)
iptables -t mangle -I OUTPUT -p tcp --sport SERVICE_PORT -s SERVICE_IP -j MARK --set-mark 1
# marked packets use a dedicated routing table
ip rule add fwmark 1 lookup 100
# whose default route is the stunnel box (other people might need to
# add "dev XXX")
ip route add 0.0.0.0/0 via STUNNEL_IP table 100
Note: /proc/sys/net/ipv4/ip_forward doesn't need to be touched in any of
the boxes.
>
> Using this feature is quite easy at the user-space level (this is what
> stunnel handles), but quite tricky at the kernel level (netfilter and
> routing configuration). A good HOWTO would be very useful.
Indeed! Thanks for the hints ;)
Regards,
Rubén.
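As an added example (not part of the post above and not stunnel's own code), here is a POSIX shell script that turns the three service-box commands into parameterised, validated, reviewable output, plus the matching teardown and a check that the rule and route are in place. SERVICE_IP, SERVICE_PORT and STUNNEL_IP become arguments; table 100 and mark 1 are the values from the post; the 192.0.2.x addresses in the usage comment are made up. The script assumes IPv4, iproute2 and iptables, and that the generated commands are run as root.

```shell
#!/bin/sh
# Added example, not from the original post or from stunnel: generate,
# tear down and check the policy-routing setup for the service box
# described above (mark the service's replies, send marked packets via
# the stunnel box). Table 100 and mark 1 are the values from the post;
# IPv4 only. Assumes iproute2 and iptables; applying and verifying need root.

TABLE=100
MARK=1

# is_ipv4 ADDR: returns 0 for a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        if [ "$octet" -gt 255 ]; then return 1; fi
    done
    return 0
}

# is_port N: returns 0 for a TCP port 1..65535, 1 otherwise.
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# build_return_route SERVICE_IP SERVICE_PORT STUNNEL_IP
# Prints the commands for the service box, one per line, without running
# them, so they can be reviewed first or piped to "sh" as root.
build_return_route() {
    svc_ip=$1; svc_port=$2; stunnel_ip=$3
    is_ipv4 "$svc_ip"     || { echo "bad SERVICE_IP: $svc_ip" >&2; return 1; }
    is_port "$svc_port"   || { echo "bad SERVICE_PORT: $svc_port" >&2; return 1; }
    is_ipv4 "$stunnel_ip" || { echo "bad STUNNEL_IP: $stunnel_ip" >&2; return 1; }
    # Replies are locally generated, so they pass mangle OUTPUT, never
    # PREROUTING; match them by the service's own socket and mark them.
    echo "iptables -t mangle -I OUTPUT -p tcp -s $svc_ip --sport $svc_port -j MARK --set-mark $MARK"
    # Marked packets consult a dedicated table instead of the main one...
    echo "ip rule add fwmark $MARK lookup $TABLE"
    # ...and that table's only route is "everything via the stunnel box".
    echo "ip route add 0.0.0.0/0 via $stunnel_ip table $TABLE"
}

# build_return_route_undo SERVICE_IP SERVICE_PORT STUNNEL_IP: the teardown,
# in reverse order of the setup.
build_return_route_undo() {
    echo "ip route del 0.0.0.0/0 via $3 table $TABLE"
    echo "ip rule del fwmark $MARK lookup $TABLE"
    echo "iptables -t mangle -D OUTPUT -p tcp -s $1 --sport $2 -j MARK --set-mark $MARK"
}

# verify_return_route STUNNEL_IP: 0 if the rule and the route are in place.
# "ip rule show" prints the mark in hex, e.g. "fwmark 0x1 lookup 100".
verify_return_route() {
    ip rule show | grep -q "fwmark $(printf '0x%x' "$MARK") lookup $TABLE" || return 1
    ip route show table "$TABLE" | grep -q "^default via $1 " || return 1
    return 0
}

# Usage (addresses are made up):
#   sh return-route.sh 192.0.2.10 443 192.0.2.1            # print the commands
#   sh return-route.sh 192.0.2.10 443 192.0.2.1 | sudo sh  # apply them
if [ $# -eq 3 ]; then
    build_return_route "$1" "$2" "$3"
fi
```

The source-port match marks every reply the service sends from that port, including replies to clients that reached it directly rather than through stunnel; those would be sent to the stunnel box too. If the service also has direct clients, narrow the iptables match (for example with a -d on the client range) as the post suggests. As stated in the post, ip_forward is not needed on the service box for this: it only routes its own packets differently.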