[stunnel-users] Stunnel in transparent mode
Luis Monteiro
luis.monteiro440 at gmail.com
Tue Jan 15 03:01:57 CET 2019
Hi fellows.
I'm from Brazil and I'm trying to use Stunnel as a TLS proxy in a test bed
environment. I'm using a traffic generator from Ixia (Breakingpoint).
The test bed is:
|-------------------| 6.0.0.1 |--------------------| 9.0.0.1    9.0.0.2 |--------------------| 7.0.0.2 |--------------------|
| Client 6.0.0.2    |>>>>>>>>>| Stunnel Client     |>>>>>>>>>>>>>>>>>>>>| Stunnel Server     |>>>>>>>>>| Server 7.0.0.2     |
|-------------------| ens224  |--------------------| ens192     ens224  |--------------------| ens192  |--------------------|
I'm capturing the packets at all 3 points so I can see exactly what is
happening.
I tested without transparent proxy and it worked fine.
I tested with transparent = source with the additional conf below on both
Stunnels and it worked fine as well.
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
iptables -t nat -A PREROUTING -i ens224 -p tcp --dport 80 -j DNAT \
--to-destination 6.0.0.1:8080
I tested transparent = destination with several modifications to the config
below without success. No conf delivers packets for 7.0.0.2:443 out of the
Stunnel Client's ens192 via 9.0.0.1 to be accepted on the Stunnel server at
9.0.0.2:443.
/sbin/iptables -I INPUT -i ens192 -p tcp --dport 8080 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 443 \
-i ens192 -j DNAT --to-destination 9.0.0.1:443
Any help to show me what is wrong would be appreciated.
Thanks in advance,
Luis Monteiro
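An added example, not from Luis's post or the stunnel project: the transparent = source rule set quoted above, wrapped as a POSIX shell script with argument validation, a dry-run mode that only prints the commands, and a pre-flight check of the rp_filter knobs. The defaults (ens224, port 80, 6.0.0.1:8080) are the post's lab values; the function names, the `apply`/`dry-run` interface and the rp_filter check are my own assumptions, not stunnel documentation.

```shell
#!/bin/sh
# Added example, not from the original post or the stunnel project: the
# transparent = source rule set from the post, wrapped as functions with
# argument checks, a dry-run mode and an rp_filter pre-flight check.
# Defaults (ens224, 80, 6.0.0.1:8080) are the post's lab values; the helper
# names and the check itself are assumptions, not stunnel documentation.

validate_ipv4() {
    # Dotted quad only: reject empty octets, leading/trailing dots, octets > 255.
    case $1 in ''|.*|*.|*..*) return 1;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in *[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

validate_port() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the rule set one command per line without running anything (dry run).
# Arguments: <inbound interface> <service port> <stunnel ip> <stunnel port>
build_transparent_source_rules() {
    in_if=$1 svc_port=$2 stunnel_ip=$3 stunnel_port=$4
    [ -n "$in_if" ] && validate_port "$svc_port" \
        && validate_ipv4 "$stunnel_ip" && validate_port "$stunnel_port" || return 1
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
iptables -t nat -A PREROUTING -i $in_if -p tcp --dport $svc_port -j DNAT --to-destination $stunnel_ip:$stunnel_port
EOF
}

# Linux applies max(conf/all/rp_filter, conf/<dev>/rp_filter) per interface,
# so clearing lo alone has no effect while conf/all is 1 or 2.
# Returns 0 when lo is effectively unfiltered.
check_rp_filter() {
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter 2>/dev/null || echo 0)
    lo=$(cat /proc/sys/net/ipv4/conf/lo/rp_filter 2>/dev/null || echo 0)
    if [ "$all" -gt "$lo" ]; then eff=$all; else eff=$lo; fi
    [ "$eff" -eq 0 ]
}

# Run the emitted commands as root. Not idempotent: "-N DIVERT" fails if the
# chain already exists, so flush and delete it before re-running.
apply_transparent_source_rules() {
    build_transparent_source_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Usage: ./tproxy.sh dry-run [if port ip port]   or   ./tproxy.sh apply [...]
case ${1:-} in
    dry-run) build_transparent_source_rules "${2:-ens224}" "${3:-80}" "${4:-6.0.0.1}" "${5:-8080}" ;;
    apply)   apply_transparent_source_rules "${2:-ens224}" "${3:-80}" "${4:-6.0.0.1}" "${5:-8080}"
             check_rp_filter || echo "warning: conf/all/rp_filter still filters lo" >&2 ;;
    *) : ;;
esac
```

The rp_filter check is the part most worth keeping: the post clears only `conf/lo/rp_filter`, but the kernel uses the larger of the `all` and per-interface values, so on a host where `conf/all/rp_filter` is 1 the redirected packets are still dropped. Lowering `conf/all` to 0 removes source validation on every interface whose own value is 0, so set the outward-facing interfaces to 1 explicitly rather than relying on the global knob.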