[stunnel-users] transparent = source, not working

Michal Trojnara Michal.Trojnara at mirt.net
Sat Aug 3 21:39:13 CEST 2013


On 2013-08-03 20:24, Ruben Cardenal wrote:
> And did the iptables part:
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> Debugging the whole thing, it can be seen that stunnel tries to connect:
>
> [pid 16823] connect(9, {sa_family=AF_INET, sin_port=htons(1357),
> sin_addr=inet_addr("195.78.X.X")}, 16) = -1 EINPROGRESS (Operation now
> in progress)
>
> BUT the service running in 1357 does this:
>
> # tcpdump -i eth1 -n port 1357
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 19:52:52.586773 IP 195.78.X.X.1357 > MY_HOME_ADDRESS.34853: Flags
> [S.], seq 2655966098, ack 546202865, win 5840, options [mss
> 1460,nop,nop,sackOK], length 0

It looks like you configured your server and stunnel on the same host.
As a result, returning packets won't ever hit the PREROUTING chain of
the mangle table, thus stunnel won't receive them.
http://www.iptables.info/en/structure-of-iptables.html

I'm sure the documentation I wrote could be better...

Mike

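As an added diagnostic (not code from this thread or from the stunnel project), the script below takes the `connect` target address, the host's `ip -o -4 addr show` output and the `iptables-save -t mangle` output as plain text and reports whether the PREROUTING DIVERT rule from the thread can ever see the server's replies. The interface addresses and the rule dump are constructed sample data, so it runs without root.

```shell
#!/bin/sh
# Added diagnostic for the "transparent = source" setup discussed above.
# Assumption: outputs of "ip -o -4 addr show" and "iptables-save -t mangle"
# are passed in as strings, so the checks can be fed constructed data.

# Returns 0 if TARGET_IP is assigned to a local interface in IP_ADDR_OUT.
target_is_local() {
    target_ip=$1
    ip_addr_out=$2
    printf '%s\n' "$ip_addr_out" | awk -v t="$target_ip" '
        { split($4, a, "/"); if (a[1] == t) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Returns 0 if a mangle PREROUTING rule with "-m socket" jumps to DIVERT.
has_prerouting_divert() {
    printf '%s\n' "$1" | grep -q -- '^-A PREROUTING .*-m socket .*-j DIVERT'
}

# Prints a verdict; returns 0 when the server's replies will arrive through
# PREROUTING (server on another host) and 1 when they will not.
check_transparent_source() {
    target_ip=$1; ip_addr_out=$2; iptables_out=$3
    if ! has_prerouting_divert "$iptables_out"; then
        echo "no '-m socket -j DIVERT' rule in mangle PREROUTING"
        return 1
    fi
    if target_is_local "$target_ip" "$ip_addr_out"; then
        echo "target $target_ip is local: replies leave via OUTPUT, not PREROUTING"
        return 1
    fi
    echo "target $target_ip is remote: replies enter via PREROUTING and get diverted"
    return 0
}

# Constructed sample data (documentation addresses, not the poster's hosts).
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1'
SAMPLE_MANGLE='*mangle
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'
```

Feed it the real outputs with `check_transparent_source <ip> "$(ip -o -4 addr show)" "$(iptables-save -t mangle)"`; a local target is the situation described in the reply above.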