Sirs, I tested an stunnel client connecting to an stunnel server to transparently proxy HTTP traffic.

I used an Ixia traffic generator (BPS) and a tap to capture the traffic between the stunnels, using ntop's licensed PF_RING (kernel bypass) with tcpdump accessing its libraries, and exported pcaps from the source and destination sides of the Ixia.

Transparent source worked flawlessly and easily using the information in the man page.

Transparent destination didn't work. The instructions in the stunnel documentation for each are:

/sbin/iptables -I INPUT -i client_interface -p tcp --dport 443 -j ACCEPT

(I'm using the default HTTPS port.) This is the filter table's INPUT chain, which is executed after the routing decision, after NAT, to allow packets with destination port 443.

/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -i client_interface \
        -j DNAT --to-destination 9.0.0.2:443

(--dport 80 is the destination port of HTTP on client_interface; 9.0.0.2:443 is the connect destination on the stunnel server.)

The second rule in iptables is executed before the routing decision, and that is the problem. Looking at the hit counts in iptables, the nat table's PREROUTING chain always gets a hit, but the filter table's INPUT chain doesn't.

I set up policy routing to deliver packets for 9.0.0.2:443 to a local process, and the filter table's INPUT chain started to receive hits in the counters as well, but stunnel didn't work.

If I change the connect destination address to the local interface 9.0.0.1:443, I do not need the policy routing since it's local, but stunnel did not work either.

The stunnel configuration for the client is below:

#setgid = root
#setuid = root
debug = 7
log = overwrite
syslog = no
output = /root/stunnel.log
;engine = ENGINE_ID
;engineCtrl = COMMAND[:PARAMETER]
;engineDefault = TASK_LIST

[http]
client = yes
accept = 6.0.0.1:80
;connect = 9.0.0.2:443
ciphers = AES128-GCM-SHA256
requireCert = no
sslVersion = TLSv1.2
transparent = destination

In the end I'd like to use both source and destination, but I'm testing them separately.

Does anyone know if there is a related bug, or if there is a version that works fine?

Even with a lot of resources I don't have anything more to try, and any help would be appreciated.

Luis Monteiro
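A way to check the redirect independently of stunnel, as an added example that is not part of the original post and not stunnel's own code: a small Python listener bound where the stunnel service would accept (6.0.0.1:80 in the post; the bind address, port and the sample bytes below are assumptions) that asks netfilter for each accepted connection's pre-DNAT destination with getsockopt(SOL_IP, SO_ORIGINAL_DST), the Linux mechanism stunnel's "transparent = destination" relies on to recover the original destination. If the listener never sees a connection, the DNAT target is not reaching a local socket (the INPUT-counter symptom described above); if it prints the original destination, the iptables side is fine and the problem is in the stunnel section.

```python
"""Probe a Linux DNAT/REDIRECT transparent-destination setup.

Added example (not stunnel code). Run as root on the box that holds the
PREROUTING DNAT rule, with the DNAT pointed at this listener's address.
"""
import socket
import struct
import sys

# From <linux/netfilter_ipv4.h>; Python's socket module does not export it.
SO_ORIGINAL_DST = 80
SOCKADDR_IN_LEN = 16  # struct sockaddr_in


def decode_original_dst(raw: bytes):
    """Decode the struct sockaddr_in that SO_ORIGINAL_DST returns.

    Layout: sa_family (u16, host order), sin_port (u16, network order),
    sin_addr (4 bytes), then 8 bytes of zero padding.
    """
    if len(raw) < 8:
        raise ValueError(f"sockaddr_in too short: {len(raw)} bytes")
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port = struct.unpack("!H", raw[2:4])[0]
    return socket.inet_ntoa(raw[4:8]), port


def original_dst(conn: socket.socket):
    """Ask conntrack for the destination the client originally addressed."""
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    return decode_original_dst(raw)


def classify(original, local):
    """'redirected' if netfilter rewrote the destination to this socket,
    'direct' if the client addressed this socket itself (no DNAT hit)."""
    return "direct" if tuple(original) == tuple(local) else "redirected"


def serve(bind_addr="6.0.0.1", port=80, max_conns=5):
    """Accept a few DNAT'd connections and report where each one was going."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(5)
        print(f"listening on {bind_addr}:{port}; point the PREROUTING DNAT here")
        for _ in range(max_conns):
            conn, peer = srv.accept()
            with conn:
                local = conn.getsockname()[:2]
                try:
                    orig = original_dst(conn)
                except OSError as err:
                    # ENOENT here means conntrack has no entry: the packet was
                    # not DNAT'd to us, or nf_conntrack is not tracking it.
                    print(f"{peer[0]}:{peer[1]}: SO_ORIGINAL_DST failed ({err})")
                    continue
                print(f"{peer[0]}:{peer[1]} -> {orig[0]}:{orig[1]} "
                      f"[{classify(orig, local)}]")


# Constructed sample: what the kernel would return for a client that
# addressed 203.0.113.10:80 (a documentation address) before the DNAT.
SAMPLE_ORIGINAL_DST = (
    struct.pack("=H", socket.AF_INET)
    + struct.pack("!H", 80)
    + socket.inet_aton("203.0.113.10")
    + bytes(8)
)

if __name__ == "__main__":
    addr = sys.argv[1] if len(sys.argv) > 1 else "6.0.0.1"
    prt = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    serve(addr, prt)
```

Bind it to the same address and port as the stunnel accept line, stop stunnel so the port is free, and replay the HTTP traffic; each accepted connection prints the client, the pre-DNAT destination and whether netfilter actually rewrote it. A "direct" result means the DNAT rule was not matched for that flow and the client reached the listener on its own.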