[stunnel-users] transparent = source, not working
Rubén Cardenal
cosas at ruben.cn
Sat Aug 3 20:29:53 CEST 2013
Forgot to say: 2.6.32-5 & Debian 6.0
Rubén.
El 03.08.2013 20:24, Ruben Cardenal escribió:
> Hi,
>
> I'm trying to setup yet another service of this kind. I've seen this has
> been largely discussed several times on this list (but without valid
> solutions), and I'm writting this email as some kind of last resort
> after hours of testing and debugging.
>
> Pretty simple configuration:
>
> # cat /etc/stunnel/stunnel.conf
> cert = /etc/ssl/certs/stunnel4/my-cert.crt
> key = /etc/ssl/certs/stunnel4/my-cert.key
>
> sslVersion = SSLv3
> foreground = yes
> pid = /tmp/stunnel4.pid
>
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
>
> debug = 7
> output = /var/log/stunnel.log
>
> [service]
> accept = 195.78.X.X:6697
> connect = 195.78.X.X:1357
> transparent = source
>
> Accept and connect IP's are the same.
>
> # /usr/local/bin/stunnel -version
> stunnel 4.56 on i686-pc-linux-gnu platform
> Compiled/running with OpenSSL 0.9.8o 01 Jun 2010
> Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP
>
> Global options:
> debug = daemon.notice
> pid = /usr/local/var/run/stunnel/stunnel.pid
> RNDbytes = 64
> RNDfile = /dev/urandom
> RNDoverwrite = yes
>
> Service-level options:
> ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH
> curve = prime256v1
> sessionCacheSize = 1000
> sessionCacheTimeout = 300 seconds
> sslVersion = TLSv1 for client, all for server
> stack = 65536 bytes
> TIMEOUTbusy = 300 seconds
> TIMEOUTclose = 60 seconds
> TIMEOUTconnect = 10 seconds
> TIMEOUTidle = 43200 seconds
> verify = none
>
> # /usr/local/bin/stunnel -sockets
> stunnel 4.56 on i686-pc-linux-gnu platform
> Compiled/running with OpenSSL 0.9.8o 01 Jun 2010
> Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP
>
> Socket option defaults:
> Option Name | Accept | Local | Remote |OS default
> ----------------+----------+----------+----------+----------
> SO_DEBUG | -- | -- | -- | no
> SO_DONTROUTE | -- | -- | -- | no
> SO_KEEPALIVE | -- | -- | -- | no
> SO_LINGER | -- | -- | -- | 0:0
> SO_OOBINLINE | -- | -- | -- | no
> SO_RCVBUF | -- | -- | -- | 87380
> SO_SNDBUF | -- | -- | -- | 65536
> SO_RCVLOWAT | -- | -- | -- | 1
> SO_SNDLOWAT | -- | -- | -- | 1
> SO_RCVTIMEO | -- | -- | -- | 0:0
> SO_SNDTIMEO | -- | -- | -- | 0:0
> SO_REUSEADDR | yes| -- | -- | no
> SO_BINDTODEVICE | -- | -- | -- |write-only
> TCP_KEEPCNT | -- | -- | -- | 9
> TCP_KEEPIDLE | -- | -- | -- | 7200
> TCP_KEEPINTVL | -- | -- | -- | 75
> IP_TOS | -- | -- | -- | 0
> IP_TTL | -- | -- | -- | 64
> TCP_NODELAY | -- | yes| yes| no
> IP_FREEBIND | -- | -- | -- | no
>
> And the timeout, the same I've seen suffering to other people:
>
> 2013.08.03 19:52:12 LOG7[18496:3074533056]: Service [service] accepted
> (FD=3) from MY_HOME_ADDRESS:34836
> 2013.08.03 19:52:12 LOG7[18496:3074530160]: Service [service] started
> 2013.08.03 19:52:12 LOG5[18496:3074530160]: Service [service] accepted
> connection from MY_HOME_ADDRESS:34836
> (blah blah ssl stuff)
> 2013.08.03 19:52:12 LOG6[18496:3074530160]: Negotiated TLSv1/SSLv3
> ciphersuite: DHE-RSA-AES256-SHA (256-bit encryption)
> 2013.08.03 19:52:12 LOG6[18496:3074530160]: Compression: null,
> expansion: null
> 2013.08.03 19:52:12 LOG6[18496:3074530160]: IP_TRANSPARENT socket option set
> 2013.08.03 19:52:12 LOG6[18496:3074530160]: local_bind succeeded on the
> original port
> 2013.08.03 19:52:12 LOG6[18496:3074530160]: connect_blocking: connecting
> 195.78.X.X:1357
> 2013.08.03 19:52:12 LOG7[18496:3074530160]: connect_blocking:
> s_poll_wait 195.78.X.X:1357: waiting 60 seconds
> 2013.08.03 19:52:21 LOG3[18496:3074530160]: connect_blocking: connect
> 195.78.X.X:1357: Connection timed out (110)
> 2013.08.03 19:52:21 LOG5[18496:3074530160]: Connection reset: 0 byte(s)
> sent to SSL, 0 byte(s) sent to socket
>
> iptables stuff and that, is in place:
>
> # cat /proc/sys/net/ipv4/conf/all/rp_filter
> 0
> # cat /proc/sys/net/ipv4/ip_forward
> 1
>
> And did the iptables part:
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> Debugging the whole thing, it can be seen that stunnel tries to connect:
>
> [pid 16823] connect(9, {sa_family=AF_INET, sin_port=htons(1357),
> sin_addr=inet_addr("195.78.X.X")}, 16) = -1 EINPROGRESS (Operation now
> in progress)
>
> BUT the service running in 1357 does this:
>
> # tcpdump -i eth1 -n port 1357
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 19:52:52.586773 IP 195.78.X.X.1357 > MY_HOME_ADDRESS.34853: Flags [S.],
> seq 2655966098, ack 546202865, win 5840, options [mss
> 1460,nop,nop,sackOK], length 0
>
> And, according to that, it looks obvious to me that this setup will
> never work, since that ACK packet goes to my home box, and not to the
> local connection.
>
> So either I'm doing something wrong (I hope I am!!) or this thing
> definitely doesn't work...
>
> Any help/ideas/whatever, please?
>
> Thanks,
>
> Rubén.
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users [1]
Links:
------
[1] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20130803/fd6e044a/attachment.html>
More information about the stunnel-users
mailing list