[stunnel-users] transparent proxy ssl for a socket server

Michal Trojnara Michal.Trojnara at mirt.net
Tue Jan 29 20:48:37 CET 2013


On 2013-01-24 01:45, Alex Needham wrote:
> Config B - Not so good
> connect = 192.168.1.1:80    <- inside interface of stunnel box
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> /etc/sysctl.conf
> no route filtering and forwarding is on
>
> Am I trying something impossible? Or am I missing something?

Return packets originating from a local process never reach the PREROUTING
table:
http://www.sysresccd.org/Sysresccd-Networking-EN-Destination-port-routing#Overview_of_the_routing
As a result they are routed to the client directly rather than via
stunnel.

I don't think it's possible to route packets directly from one local
process to another local process.
I'd try to use the OUTPUT chain to redirect packets to a virtual
interface (e.g. GRE), and then PREROUTING could catch packets the other
side of the tunnel.

BTW: tcpdump is your friend!

Mike
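The tcpdump check Mike points to, as an added example that is not part of the thread or of stunnel itself. Only the backend address 192.168.1.1:80 comes from the quoted config; the client 10.0.0.5, the stunnel listener 192.0.2.1:443, the interface names eth0 and lo, and all capture lines are constructed assumptions. The script parses `tcpdump -n` output captured per interface and flags backend replies that appeared on the outside interface, which is exactly the symptom described above: the locally generated reply skipped PREROUTING and was routed straight to the client instead of back to the stunnel socket over lo.

```python
"""Find backend replies that bypassed stunnel in a transparent-proxy setup.

Added example; not code from the thread or from stunnel. Only the backend
address 192.168.1.1:80 comes from the original post. The rest of the layout
is an assumption made for illustration:

    client            10.0.0.5 (ephemeral source port)
    stunnel listener  192.0.2.1:443 on the outside interface eth0
    backend           192.168.1.1:80 on the inside interface of the same box

With transparent source proxying, stunnel connects to the backend using the
client's address, so the backend's replies are addressed to 10.0.0.5 and must
be caught (the -m socket DIVERT rules) and handed to the local stunnel socket
over lo.  A backend-sourced packet that shows up on eth0 instead went straight
to the client: it was generated locally, never entered PREROUTING, and simply
followed the main routing table.
"""
import re
from typing import Dict, Iterable, List, NamedTuple


class Packet(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


# One IPv4/TCP summary line as printed by `tcpdump -n -i <iface>`.
_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(lines: Iterable[str]) -> List[Packet]:
    """Parse tcpdump TCP lines; lines that do not match (ARP, ICMP, ...) are skipped."""
    packets = []
    for line in lines:
        m = _LINE.match(line.strip())
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["flags"]))
    return packets


def backend_replies_by_iface(captures: Dict[str, Iterable[str]],
                             backend_ip: str, backend_port: int) -> Dict[str, int]:
    """Count packets sourced from the backend socket on each captured interface."""
    return {
        iface: sum(1 for p in parse_tcpdump(lines)
                   if p.src == backend_ip and p.sport == backend_port)
        for iface, lines in captures.items()
    }


def find_leaks(captures: Dict[str, Iterable[str]], backend_ip: str,
               backend_port: int, outside_iface: str) -> List[Packet]:
    """Backend-sourced packets seen on the outside interface.

    When the return path works this list is empty: every reply from the
    backend is delivered to stunnel over lo and only TLS leaves via eth0.
    """
    return [p for p in parse_tcpdump(captures.get(outside_iface, []))
            if p.src == backend_ip and p.sport == backend_port]


# Constructed captures (not real tcpdump output): `tcpdump -n -i lo` and
# `tcpdump -n -i eth0` run side by side while the client opens one connection.
# What a working return path looks like: backend replies stay on lo.
HEALTHY = {
    "eth0": [
        "20:48:37.000101 IP 10.0.0.5.51234 > 192.0.2.1.443: Flags [S], seq 1, win 64240, length 0",
        "20:48:37.000202 IP 192.0.2.1.443 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0",
    ],
    "lo": [
        "20:48:37.000303 IP 10.0.0.5.51234 > 192.168.1.1.80: Flags [S], seq 3, win 65495, length 0",
        "20:48:37.000404 IP 192.168.1.1.80 > 10.0.0.5.51234: Flags [S.], seq 4, ack 4, win 65483, length 0",
    ],
}

# The Config B symptom: the spoofed SYN reaches the backend over lo, but the
# SYN-ACK is locally generated, never enters PREROUTING, and is routed out
# eth0 toward the client with the plaintext backend address as source.
BROKEN = {
    "eth0": [
        "20:48:37.000101 IP 10.0.0.5.51234 > 192.0.2.1.443: Flags [S], seq 1, win 64240, length 0",
        "20:48:37.000202 IP 192.0.2.1.443 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0",
        "20:48:37.000404 IP 192.168.1.1.80 > 10.0.0.5.51234: Flags [S.], seq 4, ack 4, win 65483, length 0",
    ],
    "lo": [
        "20:48:37.000303 IP 10.0.0.5.51234 > 192.168.1.1.80: Flags [S], seq 3, win 65495, length 0",
    ],
}

if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY), ("broken", BROKEN)):
        leaks = find_leaks(cap, "192.168.1.1", 80, "eth0")
        print(name, backend_replies_by_iface(cap, "192.168.1.1", 80), "leaked:",
              [f"{p.src}:{p.sport} > {p.dst}:{p.dport} [{p.flags}]" for p in leaks])
```

Run it against real captures by replacing the constructed lists with the output of `tcpdump -n -i lo` and `tcpdump -n -i eth0` taken while a client connects; any line reported as leaked is a reply that escaped the DIVERT rules.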