Hi,

we would like to use stunnel in transparent mode. Therefore we already applied the iptables changes as mentioned in the man page:

    Re-write address to appear as if wrapped daemon is connecting from the SSL client machine instead of the machine running stunnel.

    This option is currently available in:

        remote mode (I<connect> option) on Linux >=2.6.28

    Linux >=2.6.28 requires the following setup for iptables and routing (possibly in /etc/rc.local or equivalent file):

        iptables -t mangle -N DIVERT
        iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
        iptables -t mangle -A DIVERT -j MARK --set-mark 1
        iptables -t mangle -A DIVERT -j ACCEPT
        ip rule add fwmark 1 lookup 100
        ip route add local 0.0.0.0/0 dev lo table 100

However the connection to the services cannot be established and we run into a timeout.

2015.02.09 10:00:03 LOG7[6658:139940568909760]: ldaps-in accepted FD=12 from xxxxxx:51018
2015.02.09 10:00:03 LOG7[6658:139940568905472]: ldaps-in started
2015.02.09 10:00:03 LOG7[6658:139940568905472]: FD 12 in non-blocking mode
2015.02.09 10:00:03 LOG7[6658:139940568905472]: Waiting for a libwrap process
2015.02.09 10:00:03 LOG7[6658:139940568905472]: Acquired libwrap process #0
2015.02.09 10:00:03 LOG7[6658:139940568905472]: Releasing libwrap process #0
2015.02.09 10:00:03 LOG7[6658:139940568905472]: Released libwrap process #0
2015.02.09 10:00:03 LOG7[6658:139940568905472]: ldaps-in permitted by libwrap from xxxxxxx:51018
2015.02.09 10:00:03 LOG5[6658:139940568905472]: ldaps-in accepted connection from xxxxxxx:51018
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): before/accept initialization
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 read client hello A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 write server hello A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 write certificate A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 write server done A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 flush data
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 read client key exchange A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 read finished A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 write change cipher spec A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 write finished A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 flush data
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    1 items in the session cache
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 client connects (SSL_connect())
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 client connects that finished
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 client renegotiations requested
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    1 server connects (SSL_accept())
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    1 server connects that finished
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 server renegotiations requested
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 session cache hits
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 external session cache hits
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 session cache misses
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 session cache timeouts
2015.02.09 10:00:03 LOG6[6658:139940568905472]: SSL accepted: new session negotiated
2015.02.09 10:00:03 LOG6[6658:139940568905472]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2015.02.09 10:00:03 LOG7[6658:139940568905472]: FD 13 in non-blocking mode
2015.02.09 10:00:03 LOG6[6658:139940568905472]: local_bind succeeded on the original port
2015.02.09 10:00:03 LOG6[6658:139940568905472]: connect_blocking: connecting 127.0.0.1:10389
2015.02.09 10:00:03 LOG7[6658:139940568905472]: connect_blocking: s_poll_wait 127.0.0.1:10389: waiting 10 seconds
2015.02.09 10:00:13 LOG3[6658:139940568905472]: connect_blocking: s_poll_wait 127.0.0.1:10389: timeout
2015.02.09 10:00:13 LOG5[6658:139940568905472]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2015.02.09 10:00:13 LOG7[6658:139940568905472]: ldaps-in finished (0 left)

Any idea why the timeout is occurring?

Best regards,

Shushant
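For reference, an added example that is not part of the original post or of the stunnel project: a POSIX shell checker for the man-page setup quoted above. It compares captured `iptables-save -t mangle`, `ip rule` and `ip route show table 100` output against the four mangle rules, the fwmark rule and the local route, and checks the 2.6.28 kernel minimum the man page names. The captures embedded here are constructed so the script runs offline; it only verifies that the documented pieces are present and says nothing about why a particular backend connect, such as the one to 127.0.0.1:10389 in the log, times out.

```shell
#!/bin/sh
# Added example, not from the original post or the stunnel project: checks the
# transparent-mode prerequisites quoted from the stunnel man page against
# captured command output, so it runs offline. All captures below are constructed.

# Constructed capture of `iptables-save -t mangle` on a host where the four
# documented rules were applied.
MANGLE_OK='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Constructed capture of a host where the DIVERT chain was never created.
MANGLE_MISSING='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed captures of `ip rule` and `ip route show table 100`.
RULES_OK='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main'
ROUTES_OK='local default dev lo scope host'

# Print one line per documented mangle-table piece absent from the capture.
# Recent iptables-save renders "--set-mark 1" as "--set-xmark 0x1/0xffffffff",
# so both spellings are accepted.
missing_mangle() {
    m="$1"
    printf '%s\n' "$m" | grep -q '^:DIVERT ' || echo "chain DIVERT"
    printf '%s\n' "$m" | grep -q -- '-A PREROUTING -p tcp -m socket -j DIVERT' || echo "PREROUTING socket match"
    printf '%s\n' "$m" | grep -Eq -- '-A DIVERT -j MARK --set-(mark 1|xmark 0x1/0xffffffff)' || echo "DIVERT mark"
    printf '%s\n' "$m" | grep -q -- '-A DIVERT -j ACCEPT' || echo "DIVERT accept"
}

# Print one line per policy-routing piece absent from the ip rule / ip route captures.
missing_routing() {
    printf '%s\n' "$1" | grep -Eq 'fwmark (0x1|1) lookup 100' || echo "ip rule fwmark 1 lookup 100"
    printf '%s\n' "$2" | grep -Eq '^local (default|0\.0\.0\.0/0) dev lo' || echo "local route in table 100"
}

# Succeed when the kernel version string (default: uname -r) is >= 2.6.28.
kernel_ok() {
    v=$(printf '%s' "${1:-$(uname -r)}" | sed 's/[^0-9.].*//')   # keep "3.10.0" of "3.10.0-957.el7"
    set -- $(printf '%s' "$v" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -gt 6 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -ge 28 ] && return 0
    return 1
}

# report MANGLE RULES ROUTES KERNEL: print findings; exit status is the number of
# missing pieces (0 = all documented prerequisites present).
report() {
    out=$(missing_mangle "$1"
          missing_routing "$2" "$3"
          kernel_ok "$4" || echo "kernel $4 is older than 2.6.28")
    if [ -z "$out" ]; then
        echo "transparent-mode prerequisites present"
        return 0
    fi
    printf '%s\n' "$out" | sed 's/^/missing: /'
    return "$(printf '%s\n' "$out" | wc -l | tr -d ' ')"
}

# Demo against the constructed captures. On a real host (as root) use:
#   report "$(iptables-save -t mangle)" "$(ip rule)" "$(ip route show table 100)" "$(uname -r)"
report "$MANGLE_OK" "$RULES_OK" "$ROUTES_OK" 2.6.28
report "$MANGLE_MISSING" "$RULES_OK" "$ROUTES_OK" 2.6.27 || echo "exit status $? (number of missing pieces)"
```

Reading the tables requires root, which is also what the man page expects of stunnel itself in this mode; the checker deliberately works on captured text so it can be run on a copy of the output taken from the stunnel host.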