[stunnel-users] Transparent Proxy help.
Steven Relf
srelf at ukcloud.com
Tue Jul 21 17:38:00 CEST 2020
Hello List,
I am working on a small project where I need to encrypt NFS traffic, and stunnel looks to be ideal. The only issue I'm having is getting the transparent part to work.
I have a client machine running the stunnel config below:
#GLOBAL#######################################################
sslVersion = TLSv1.2
TIMEOUTidle = 600
renegotiation = no
FIPS = no
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
syslog = yes
debug = 7
;chroot = /var/empty/stunnel
libwrap = yes
service = 3d-nfsd
curve = secp521r1
#CREDENTIALS##################################################
verify = 4
CAfile = /etc/stunnel/nfs-tls.pem
cert = /etc/stunnel/nfs-tls.pem
#ROLE#########################################################
client = yes
connect = fqdn:2363
and the client, which is running on top of the nfs-ganesha server, with the config below:
#GLOBAL#######################################################
TIMEOUTidle = 600
renegotiation = no
FIPS = no
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
options = CIPHER_SERVER_PREFERENCE
syslog = yes
debug = 7
setuid = nobody
setgid = nobody
chroot = /var/empty/stunnel
libwrap = yes
service = MC-nfsd
; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
; echo 'MC-nfsd: ALL EXCEPT 5.6.7.8' >> hosts.deny;
; chcon -t stunnel_etc_t hosts.deny
curve = secp521r1
#CREDENTIALS##################################################
verify = 4
CAfile = /etc/stunnel/nfs-tls.pem
cert = /etc/stunnel/nfs-tls.pem
#ROLE#########################################################
connect = 127.0.0.1:2049
I have had a look through the documentation and I believe I need to set transparent = source on the client side, and then set some iptables firewall rules. Does anyone have a guide, or some advice on how to get this to work? Generally what happens is that if I set the firewall rules on the client and set transparent to source, I just get "connection closed by remote host". I never actually see the traffic leave the client host.
To confirm, when not using transparent everything works correctly, except that the server side sees the connection coming from 127.0.0.1.
Thanks
Rgds
Steve.
The future has already arrived. It's just not evenly distributed yet - William Gibson
Steven Relf -
Technical Authority: Cloud Native Infrastructure
srelf at ukcloud.com
+44 1252 936019 / +44 7500 085 864
www.ukcloud.com
A8, Cody Technology Park, Ively Road, Farnborough, GU14 0LX
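Added example (not from the post above or from the stunnel project): a small audit script for the Linux prerequisites of transparent = source. It prints the policy-routing rule set the stunnel manual gives for this mode and rejects a config that also drops privileges, since IP_TRANSPARENT needs root for the life of the process; the sample config it checks is constructed to mirror the server-side layout in the post. Note that the process connecting to ganesha on 127.0.0.1:2049 is the server-side stunnel, so that is the host on which the option and these rules take effect.

```sh
# Added example, not from the post: audit an stunnel config for the Linux
# prerequisites of "transparent = source" and print the policy-routing rules
# the stunnel manual lists for it. Assumes Linux >= 2.6.28 with iptables/iproute2.
# Return 0 if the config enables transparent source-IP mode, 1 otherwise.
uses_transparent_source() {
    grep -Eiq '^[[:space:]]*transparent[[:space:]]*=[[:space:]]*source' "$1"
}
# IP_TRANSPARENT needs root for the life of the process: an active setuid/setgid
# line (commented ";" lines are ignored) makes transparent mode fail. 0 if clean.
check_privileges() {
    if grep -Eiq '^[[:space:]]*set(uid|gid)[[:space:]]*=' "$1"; then
        echo "ERROR: transparent = source needs root; remove setuid/setgid" >&2
        return 1
    fi
    return 0
}

# Rules from the stunnel manual: replies addressed to the spoofed source IP are
# matched to the local socket (-m socket), marked, and routed to lo via table 100.
emit_divert_rules() {
    cat <<'EOF'
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
EOF
}

# Exit status: 0 = rules printed, 1 = misconfigured, 2 = transparent not requested.
audit_config() {
    uses_transparent_source "$1" || return 2
    check_privileges "$1" || return 1
    emit_divert_rules
}

# Constructed sample mirroring the server-side layout in the post, with
# transparent = source added: it also drops privileges, so the audit must fail.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
setuid = nobody
setgid = nobody
chroot = /var/empty/stunnel
service = MC-nfsd
transparent = source
connect = 127.0.0.1:2049
EOF
```

Source the file and call `audit_config /etc/stunnel/stunnel.conf`; when it prints the rules, apply them as root and start stunnel as root without setuid/setgid.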