On 2013-01-24 01:45, Alex Needham wrote:
Config B - Not so good
connect = 192.168.1.1:80 <- inside interface of stunnel box

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

/etc/sysctl.conf
no route filtering and forwarding is on

Am I trying something impossible? Or am I missing something?

Returning packets originating from a local process never reach the PREROUTING table:
http://www.sysresccd.org/Sysresccd-Networking-EN-Destination-port-routing#Overview_of_the_routing
As a result they are routed to the client directly rather than via stunnel.

I don't think it's possible to route packets directly from one local process to another local process.
I'd try to use the OUTPUT chain to redirect packets to a virtual interface (e.g. GRE), and then PREROUTING could catch packets the other side of the tunnel.

BTW: tcpdump is your friend!

Mike
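Following Mike's tcpdump hint, here is a small checker (an added example, not code from the stunnel thread or from the stunnel project) that reads `tcpdump -n` text lines captured on the stunnel box's outside interface and reports backend replies that escaped the transparent proxy. In Config B the backend (192.168.1.1:80 from the quoted mail) runs on the stunnel box itself, so its replies to the spoofed client address leave through OUTPUT and POSTROUTING and never meet the `-m socket` rule in PREROUTING; the visible symptom is plaintext packets sourced from 192.168.1.1.80 on the outside wire. The outside address 192.168.0.1, the stunnel TLS port 443, the client 10.0.0.5 and the capture lines are all constructed assumptions.

```python
"""Spot backend replies that bypassed stunnel in a tcpdump text capture.

Added example; not part of the original thread. Assumed layout (constructed):
  outside interface 192.168.0.1, stunnel accepts TLS on port 443,
  plaintext backend 192.168.1.1:80 on the same box (Config B in the mail).
A capture taken on the outside interface should show only the TLS port as the
source of packets towards clients; any packet sourced from the backend port
is a reply that was routed straight to the client instead of back into stunnel.
"""
import re
from collections import defaultdict

# tcpdump -n line shape: "HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [..], ..."
_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

BACKEND = ("192.168.1.1", 80)   # plaintext service behind stunnel (from the mail)
TLS_PORT = 443                  # stunnel's accept port (assumption)

# Constructed capture: a TLS handshake from the client to stunnel, then two
# plaintext SYN-ACKs from the backend heading straight for the client.
CAPTURE = [
    "12:00:00.000100 IP 10.0.0.5.51234 > 192.168.0.1.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:00.000200 IP 192.168.0.1.443 > 10.0.0.5.51234: Flags [S.], seq 100, ack 2, win 65160, length 0",
    "12:00:00.000300 IP 10.0.0.5.51234 > 192.168.0.1.443: Flags [.], ack 101, win 502, length 0",
    "12:00:00.000400 IP 10.0.0.5.51234 > 192.168.0.1.443: Flags [P.], seq 2:519, ack 101, win 502, length 517",
    "12:00:00.001000 IP 192.168.1.1.80 > 10.0.0.5.51234: Flags [S.], seq 900, ack 1, win 65160, length 0",
    "12:00:00.001100 ARP, Request who-has 192.168.0.254 tell 192.168.0.1, length 28",
    "12:00:00.002000 IP 192.168.1.1.80 > 10.0.0.5.51234: Flags [S.], seq 900, ack 1, win 65160, length 0",
]


def parse_line(line):
    """Parse one tcpdump -n TCP line into a dict, or None for non-TCP/non-IP lines."""
    m = _LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
    }


def find_bypassed_replies(lines, backend=BACKEND, tls_port=TLS_PORT):
    """Return (leaks, tls): per-client packet counts.

    leaks: packets sourced from the plaintext backend seen on the outside wire,
           i.e. replies that never re-entered PREROUTING and bypassed stunnel.
    tls:   packets sourced from the stunnel TLS port, the expected traffic.
    """
    leaks = defaultdict(int)
    tls = defaultdict(int)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if (pkt["src"], pkt["sport"]) == backend:
            leaks[pkt["dst"]] += 1
        elif pkt["sport"] == tls_port:
            tls[pkt["dst"]] += 1
    return dict(leaks), dict(tls)


def report(lines, backend=BACKEND, tls_port=TLS_PORT):
    """Human-readable verdict lines; empty leaks means the proxy path is intact."""
    leaks, tls = find_bypassed_replies(lines, backend, tls_port)
    out = []
    for client, n in sorted(leaks.items()):
        out.append(f"BYPASS: {n} plaintext packet(s) from {backend[0]}:{backend[1]} "
                   f"to {client} on the outside interface")
    for client, n in sorted(tls.items()):
        out.append(f"ok: {n} TLS packet(s) from port {tls_port} to {client}")
    return out


if __name__ == "__main__":
    for line in report(CAPTURE):
        print(line)
```

To use it on a real box, replace `CAPTURE` with the lines of `tcpdump -n -i <outside-if> tcp` and set `BACKEND` and `TLS_PORT` to your own values; a healthy transparent setup produces no `BYPASS` lines, because every backend reply is delivered locally to stunnel before anything reaches the outside interface.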