[stunnel-users] transparent proxy ssl for a socket server

Michal Trojnara Michal.Trojnara at mirt.net
Tue Jan 29 20:48:37 CET 2013

On 2013-01-24 01:45, Alex Needham wrote:
> Config B - Not so good
> connect = <> <- inside interface of stunnel box
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> ip rule add fwmark 1 lookup 100
> ip route add local <> dev lo table 100
> /etc/sysctl.conf
> no route filtering and forwarding is on
> Am I trying something impossible? Or am I missing something?

Returning packets originating from a local process never reach PREROUTING.
As a result they are routed to the client directly rather than via

I don't think it's possible to route packets directly from one local
process to another local process.
I'd try to use the OUTPUT chain to redirect packets to a virtual
interface (e.g. GRE), and then PREROUTING could catch packets the other
side of the tunnel.

BTW: tcpdump is your friend!
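
The reasoning in the reply above (a locally generated reply skips PREROUTING, so the `-m socket` divert rule never marks it, so policy routing never sends it back to stunnel) can be traced in a small model of netfilter hook traversal. The following is an added illustration, not stunnel or iptables code and not from the list thread; the addresses, ports, the transparent-socket representation and the "tunnel" hook are constructed assumptions, and the model deliberately ignores conntrack and the nat table, which do not change the outcome shown here.

```python
# Added illustration (not stunnel code): a toy model of which netfilter hooks
# a packet visits on one host, used to show why Config B above cannot divert
# a local socket server's replies back to stunnel, and why pushing them
# through a tunnel from OUTPUT makes them visit PREROUTING on re-entry.
from dataclasses import dataclass, field

# Constructed addresses for the illustration.
CLIENT = "203.0.113.5"        # the client on the outside
INSIDE_IF = "192.0.2.10"      # inside interface of the stunnel box
REMOTE_SERVER = "192.0.2.20"  # socket server on another host (Config A)

DIVERTED = "table 100 -> local delivery on lo (back to stunnel)"


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    locally_generated: bool          # emitted by a process on this host
    mark: int = 0
    path: list = field(default_factory=list)


@dataclass
class TransparentSocket:
    """A socket stunnel opened with the client's address as its local end."""
    local: tuple   # (addr, port) stunnel speaks as, i.e. the client's
    peer: tuple    # (addr, port) of the socket server


def socket_match(pkt, sockets):
    """Models `-m socket`: does a local socket own this flow?"""
    return any(s.peer == (pkt.src, pkt.sport) and s.local == (pkt.dst, pkt.dport)
               for s in sockets)


def routing_decision(pkt):
    """Models `ip rule add fwmark 1 lookup 100` plus the local route on lo."""
    if pkt.mark == 1:
        return DIVERTED
    if pkt.dst == INSIDE_IF:
        return "main table -> local delivery"
    return f"main table -> sent directly to {pkt.dst}"


def traverse(pkt, sockets, output_to_tunnel=False):
    """Walk the packet through the netfilter hooks it really visits."""
    if pkt.locally_generated:
        pkt.path.append("OUTPUT")
        if output_to_tunnel:
            # The suggested workaround: OUTPUT pushes the packet into a
            # tunnel (e.g. GRE); it re-enters as a received packet and so
            # does visit PREROUTING on the way back in.
            pkt.path.append("tunnel")
            pkt.locally_generated = False
            return traverse(pkt, sockets)
        # A locally generated packet never visits PREROUTING, so the
        # DIVERT rule of Config B can never mark it.
    else:
        pkt.path.append("PREROUTING")
        if socket_match(pkt, sockets):
            pkt.mark = 1                 # -j MARK --set-mark 1
    decision = routing_decision(pkt)
    pkt.path.extend([decision, "POSTROUTING"])
    return decision


def server_reply_outcome(server_addr, server_is_local, output_to_tunnel=False):
    """Where does the socket server's reply to the client end up?"""
    sockets = [TransparentSocket(local=(CLIENT, 40000), peer=(server_addr, 8080))]
    pkt = Packet(src=server_addr, sport=8080, dst=CLIENT, dport=40000,
                 locally_generated=server_is_local)
    return traverse(pkt, sockets, output_to_tunnel), pkt.path


if __name__ == "__main__":
    cases = [("Config A (server on another host)", (REMOTE_SERVER, False)),
             ("Config B (server local)", (INSIDE_IF, True)),
             ("Config B + OUTPUT -> tunnel", (INSIDE_IF, True, True))]
    for label, args in cases:
        decision, path = server_reply_outcome(*args)
        print(f"{label}: {' -> '.join(path)}")
```

Running it prints the hook path for each case: the reply from a remote server is marked in PREROUTING and delivered on lo to stunnel, the reply from a local server goes OUTPUT -> routing -> client with no PREROUTING visit at all, and the tunnel variant shows the packet re-entering through PREROUTING. On a real box the equivalent evidence is a `tcpdump` capture on the inside interface and on `lo`, which is the check the reply recommends.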
