[stunnel-users] Stunnel in transparent mode

Luis Monteiro luis.monteiro440 at gmail.com
Tue Jan 15 03:01:57 CET 2019


Hi fellows.

I´m from Brazil and I´m trying to use Stunnel as a TLS proxy in a bed test
environment. I´m using a traffic generator from Ixia (Breakingpoint).

The bed test is:

 

|-------------------|              6.0.0.1  |-------------------|9.0.0.1
9.0.0.2|--------------------|7.0.0.2
|--------------------|

| Client 6.0.0.2 |>>>>>>>>>>>>| Stunnel Client|>>>>>>>>>>>>>>>>>>| Stunnel
Server|>>>>>>>>>>>>>>>>>> | Server 7.0.0.2 |

|-------------------|              ens224 |-------------------|ens192
ens224|--------------------|ens192
|--------------------|

 

I´m capturing the packets in all 3 points so I can see exactly what is
happening.

I tested without transparent proxy and worked fine.

I test with transparent = source with the additional conf bellow in both
Stunnel and worked fine as well.

iptables -t mangle -N DIVERT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -A DIVERT -j MARK --set-mark 1

iptables -t mangle -A DIVERT -j ACCEPT

ip rule add fwmark 1 lookup 100

ip route add local 0.0.0.0/0 dev lo table 100

echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter

iptables -t nat -A PREROUTING -i ens224 -p tcp --dport 80 -j DNAT
--to-destination 6.0.0.1:8080

 

I tested transparent = destination with several modification from the config
bellow without success. No conf delivery packets with 7.0.0.2:443 on the
Stunnel Client ens192 via 9.0.0.1 to be accept on Stunnel server
9.0.0.2:443.

/sbin/iptables -I INPUT -i ens192 -p tcp --dport 8080 -j ACCEPT

/sbin/iptables -t nat -I PREROUTING -p tcp --dport 443 \

        -i ens192 -j DNAT --to-destination 9.0.0.1:443

Any help to show me what is wrong would be appreciated.

Thanks in advanced,

Luis Monteiro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20190115/8e2aafe7/attachment.html>


More information about the stunnel-users mailing list