[stunnel-users] transparent = source, not working

• Previous message (by thread): [stunnel-users] transparent = source, not working
• Next message (by thread): [stunnel-users] transparent = source, not working
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

El 03/08/13 21:39, Michal Trojnara escribió:
> On 2013-08-03 20:24, Ruben Cardenal wrote:
>> And did the iptables part:
>>
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>>
>> Debugging the whole thing, it can be seen that stunnel tries to connect:
>>
>> [pid 16823] connect(9, {sa_family=AF_INET, sin_port=htons(1357),
>> sin_addr=inet_addr("195.78.X.X")}, 16) = -1 EINPROGRESS (Operation now
>> in progress)
>>
>> BUT the service running in 1357 does this:
>>
>> # tcpdump -i eth1 -n port 1357
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode
>> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 19:52:52.586773 IP 195.78.X.X.1357 > MY_HOME_ADDRESS.34853: Flags
>> [S.], seq 2655966098, ack 546202865, win 5840, options [mss
>> 1460,nop,nop,sackOK], length 0
> It looks like you configured your server and stunnel on the same host.
> As the result returning packets won't ever hit the PREROUTING chain of
> the mangle table, thus stunnel won't receive them.
> http://www.iptables.info/en/structure-of-iptables.html
>
> I'm sure the documentation I wrote could be better...
>
> Mike
>

Hi Mike,

I've given a try to what you say. I've moved stunnel to another box, 
while leaving the service where it was. Removed iptables stuff from the 
service's box, and leaving there just the backend service. In the new 
box, compiled the same last stunnel version and used the same 
configuration, changing only the connect part, applying iptables, etc. 
And this is what is seen (please note both servers are in perfect ntp sync):

stunnel log, same thing, only changing connect IP:

2013.08.03 23:23:09 LOG6[26792:139762318628608]: connect_blocking: 
connecting SERVICE:1357
2013.08.03 23:23:09 LOG7[26792:139762318628608]: connect_blocking: 
s_poll_wait SERVICE:1357: waiting 10 seconds
2013.08.03 23:23:18 LOG3[26792:139762318628608]: connect_blocking: 
connect SERVICE:1357: Connection timed out (110)
2013.08.03 23:23:18 LOG5[26792:139762318628608]: Connection reset: 0 
byte(s) sent to SSL, 0 byte(s) sent to socket

stunnel process:

[pid   569] 23:23:09 bind(9, {sa_family=AF_INET, sin_port=htons(50573), 
sin_addr=inet_addr("HOME")}, 16) = 0
[pid   569] 23:23:09 sendto(6, "<30>Aug  3 23:23:49 stunnel: 
LOG6[534:140271099127552]: local_bind succeeded on the original port", 
97, MSG_NOSIGNAL, NULL, 0) = 97

[pid   569] 23:23:09 write(8, "2013.08.03 23:23:09 
LOG6[534:140271099127552]: connect_blocking: connecting SERVICE:1357\n", 
96) = 96
[pid   569] 23:23:09 connect(9, {sa_family=AF_INET, 
sin_port=htons(1357), sin_addr=inet_addr("SERVICE")}, 16) = -1 
EINPROGRESS (Operation now in progress)


tcpdump in service's box:

23:23:09.015940 IP MYHOME.50573 > SERVICE.1357: Flags [S], seq 
3062456285, win 5840, options [mss 1460,nop,nop,sackOK], length 0
23:23:09.015969 IP SERVICE.1357 > MYHOME.50573: Flags [S.], seq 
3120433945, ack 3062456286, win 5840, options [mss 1460,nop,nop,sackOK], 
length 0
23:23:12.013679 IP MYHOME.50573 > SERVICE.1357: Flags [S], seq 
3062456285, win 5840, options [mss 1460,nop,nop,sackOK], length 0
23:23:12.013701 IP SERVICE.1357 > MYHOME.50573: Flags [S.], seq 
3120433945, ack 3062456286, win 5840, options [mss 1460,nop,nop,sackOK], 
length 0
23:23:12.813537 IP SERVICE.1357 > MYHOME.50573: Flags [S.], seq 
3120433945, ack 3062456286, win 5840, options [mss 1460,nop,nop,sackOK], 
length 0
23:23:18.817538 IP SERVICE.1357 > MYHOME.50573: Flags [S.], seq 
3120433945, ack 3062456286, win 5840, options [mss 1460,nop,nop,sackOK], 
length 0


tcpdump in stunnel's box:

23:23:08.343486 IP MYHOME.50573 > STUNNEL.6697: Flags [S], seq 
1065154599, win 14600, options [mss 1452,sackOK,TS val 121378180 ecr 
0,nop,wscale 7], length 0
23:23:08.343547 IP STUNNEL.6697 > MYHOME.50573: Flags [S.], seq 
40478691, ack 1065154600, win 5840, options [mss 1460,nop,nop,sackOK], 
length 0
23:23:08.363058 IP MYHOME.50573 > STUNNEL.6697: Flags [.], ack 1, win 
14600, length 0
23:23:08.678217 IP MYHOME.50573 > STUNNEL.6697: Flags [P.], seq 1:151, 
ack 1, win 14600, length 150
23:23:08.678271 IP STUNNEL.6697 > MYHOME.50573: Flags [.], ack 151, win 
6432, length 0
23:23:08.682553 IP STUNNEL.6697 > MYHOME.50573: Flags [.], seq 1:1453, 
ack 151, win 6432, length 1452
23:23:08.682566 IP STUNNEL.6697 > MYHOME.50573: Flags [P.], seq 
1453:1809, ack 151, win 6432, length 356
23:23:08.697844 IP MYHOME.50573 > STUNNEL.6697: Flags [.], ack 1809, win 
17424, length 0
23:23:08.993183 IP MYHOME.50573 > STUNNEL.6697: Flags [P.], seq 151:493, 
ack 1809, win 17424, length 342
23:23:09.006506 IP STUNNEL.6697 > MYHOME.50573: Flags [P.], seq 
1809:1884, ack 493, win 7504, length 75
*23:23:09.007004 IP MYHOME.50573 > SERVICE.1357: Flags [S], seq 
3062456285, win 5840, options [mss 1460,nop,nop,sackOK], length 0*
23:23:09.022762 IP MYHOME.50573 > STUNNEL.6697: Flags [.], ack 1884, win 
17424, length 0
23:23:09.278792 IP MYHOME.50573 > STUNNEL.6697: Flags [P.], seq 493:567, 
ack 1884, win 17424, length 74
23:23:09.316716 IP STUNNEL.6697 > MYHOME.50573: Flags [.], ack 567, win 
7504, length 0
23:23:09.328032 IP MYHOME.50573 > STUNNEL.6697: Flags [P.], seq 567:689, 
ack 1884, win 17424, length 122
23:23:09.328073 IP STUNNEL.6697 > MYHOME.50573: Flags [.], ack 689, win 
7504, length 0
*23:23:12.004564 IP MYHOME.50573 > SERVICE.1357: Flags [S], seq 
3062456285, win 5840, options [mss 1460,nop,nop,sackOK], length 0*
23:23:18.006575 IP STUNNEL.6697 > MYHOME.50573: Flags [R.], seq 1884, 
ack 689, win 7504, length 0


In bold the 2 SYN packets present in stunnel's tcpdump towards the 
service's box. The rest of the traffic. between MYHOME and STUNNEL, is 
just part of the SSL negotiation.

So: service's box receives a SYN packet from my home IP address 
(originated from stunnel's box), and answers with a proper ACK packet. 
That's ok. But as that ACK reply has as destination an external IP, goes 
to the box's default gateway (and not to the box where stunnel is 
running) and gets lost.

So unless I'm missing something, I think that kind both remote service 
and stunnel should be in the same server for this to work (as a 
minimun). Which leaves me in the same place I started with :(

Rubén.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20130804/fd3978ef/attachment.html>

• Previous message (by thread): [stunnel-users] transparent = source, not working
• Next message (by thread): [stunnel-users] transparent = source, not working
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]