[stunnel-users] Stunnel server as transparent proxy

Derek Cole derek.cole at gmail.com
Tue Oct 28 22:57:42 CET 2014


I just wanted to follow up on that post by showing my full set of rules. See
below:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]

-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "All Input"
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -i eth0 -p icmp -m icmp --icmp-type echo-request -j DROP
#-A INPUT -i eth0 -j InputIP
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-Drop:"
-A INPUT -j DROP

-A FORWARD -j LOG --log-prefix "All-Forwards"
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD-Drop:"
-A FORWARD -j DROP

-A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "All Output"
-A OUTPUT -o eth0 -p tcp --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 8999 -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 8000 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT-Drop:"
-A OUTPUT -j DROP

COMMIT


*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j LOG
# Note: nat PREROUTING runs before filter INPUT, so INPUT sees dport 9040
# on these packets, and the INPUT rules above do not accept 9040. Also,
# DNAT to 127.0.0.1 from a non-loopback interface is a martian destination
# on kernels without net.ipv4.conf.<if>.route_localnet (added in Linux 3.6).
-A PREROUTING -p tcp --dport 12345 -i eth0 -j DNAT --to-destination 127.0.0.1:9040

COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT


On Tue, Oct 28, 2014 at 5:31 PM, Derek Cole <derek.cole at gmail.com> wrote:

> Hello,
>
> Regarding that iptables line that is mentioned in the manpage: what is
> the redirected port?
>
> /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
>     -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
>
> I am using the stunnel configuration I posted in the first email, and I
> want traffic on the stunnel server to end up at localhost:9040 so I think I
> would use that as the --to-destination, but I am unsure what to put in the
> --dport. Is that going to be any port that I may be connecting to
> transparently (i.e. if I am using this as a web browser, would it be 80,
> 8000, 8080, etc?)
>
> On Thu, Oct 23, 2014 at 12:13 PM, Derek Cole <derek.cole at gmail.com> wrote:
>
>> Thanks for the reply. Is this the normal way people would do this, or
>> would you normally just run an stunnel in client mode on that server, and
>> have firefox connect to it, which would then be able to transparently proxy
>> to the internet?
>>
>> Or is it pretty much always necessary to be running some actual proxy
>> software, regardless whether stunnel is in client or server mode?
>>
>>
>>
>> On Thu, Oct 23, 2014 at 11:26 AM, Suresh Ramasamy <suresh at drsuresh.net>
>> wrote:
>>
>>> Hi Derek,
>>>
>>> You will need a proxy software on your server as the endpoint. (For e.g.
>>> squid)
>>>
>>> If you are emulating a VPN, then you'd need a VPN software (OpenVPN) as
>>> the endpoint.
>>> On 23 Oct 2014 22:08, "Derek Cole" <derek.cole at gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> Is it possible to use stunnel server as a transparent proxy? I was
>>>> digging through the manpage and I see the
>>>>
>>>> transparent=
>>>>
>>>> option. What I would like to do is have an stunnel client connect to
>>>> the stunnel server, and once traffic is at the server, go to the original
>>>> destination that the traffic going to the stunnel client was destined for.
>>>>
>>>> I.E. Can I have firefox proxy to my stunnel client, which connects to
>>>> my stunnel server, and then that traffic goes to whatever website the end
>>>> user was trying to hit in firefox?
>>>>
>>>>
>>>> My Stunnel server is on a CentOS box:
>>>>
>>>> [root at CentOSTunTest ~]# uname -a
>>>> Linux CentOSTunTest 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09
>>>> UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> And my stunnel.conf
>>>>
>>>> foreground = yes
>>>> debug = 7
>>>> options = NO_SSLv2
>>>> fips = no
>>>> output=/usr/local/etc/stunnel/stunnel.log
>>>>
>>>>
>>>> [https]
>>>> cert=/usr/local/etc/stunnel/stunnel.pem
>>>> accept = 443
>>>> connect = 80
>>>>
>>>> [Internet]
>>>> cert=/usr/local/etc/stunnel/stunnel.pem
>>>> sni = https:Internet
>>>> transparent=destination
>>>>
>>>>
>>>>
>>>> So basically, the transparent option in [Internet] is what I am
>>>> wondering about: does it work the way I expect? I see this in the log file:
>>>>
>>>> 2014.10.23 09:57:05 LOG3[11414]: setsockopt SO_ORIGINAL_DST: Protocol
>>>> not available (92)
>>>> 2014.10.23 09:57:05 LOG5[11414]: Connection reset: 0 byte(s) sent to
>>>> SSL, 0 byte(s) sent to socket
>>>>
>>>> I see this in the stunnel manpage:
>>>>
>>>> For a connect target installed on the same host:
>>>>
>>>>     /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
>>>>         -m ! --uid-owner <stunnel_user_id> \
>>>>         -j DNAT --to-destination <local_ip>:<stunnel_port>
>>>>
>>>> For a connect target installed on a remote host:
>>>>
>>>> /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
>>>> /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
>>>>     -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
>>>>
>>>>
>>>> What does it mean "for a connect target installed on the same host"?
>>>> I thought transparent meant I was not using a connect target except the
>>>> original destination. Does this mean I should implement the iptables rules
>>>> for a remote host, since I want my client to just reach the internet?
>>>>
>>>>
>>>> Thanks for the help in advance!
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> stunnel-users mailing list
>>>> stunnel-users at stunnel.org
>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>>
>>>>
>>
>
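Added editorial example, not code from the thread or from stunnel: the LOG3 line in the first message names SO_ORIGINAL_DST, which is the Linux socket option behind "transparent = destination". Once an iptables DNAT/REDIRECT rule has steered a connection to the port stunnel accepts on (in the manpage rule, <redirected_port> is the port the client actually dialled and <stunnel_port> the accept port), the original target is read back from the conntrack table with getsockopt(SOL_IP, SO_ORIGINAL_DST). The script below decodes that value and maps the two errors one typically sees; the reading of ENOPROTOOPT (errno 92 on Linux) as "conntrack sockopt handler not registered" is my assumption from how the kernel dispatches netfilter socket options, not something the thread establishes. The address 198.51.100.7 and port 443 in the sample data are constructed.

```python
"""
Added example (not stunnel's code and not from the thread): the Linux
mechanism behind stunnel's ``transparent = destination``.  After iptables
DNAT/REDIRECT has steered a connection to the accept port, the real target
the client dialled is recovered from the conntrack table with
getsockopt(SOL_IP, SO_ORIGINAL_DST).
"""
import errno
import socket
import struct

SOL_IP = 0            # <linux/in.h>; socket.SOL_IP exists only on Linux
SO_ORIGINAL_DST = 80  # <linux/netfilter_ipv4.h>
SOCKADDR_IN_LEN = 16  # sizeof(struct sockaddr_in)


def build_sockaddr_in(ip, port):
    """Encode a struct sockaddr_in the way the kernel returns it (used here
    only to construct offline sample data)."""
    return (struct.pack("=H", socket.AF_INET)      # sin_family, host order
            + struct.pack("!H", port)              # sin_port, network order
            + socket.inet_aton(ip)                 # sin_addr, network order
            + b"\x00" * 8)                         # sin_zero padding


def parse_original_dst(raw):
    """Decode the struct sockaddr_in returned by SO_ORIGINAL_DST into
    (ip_string, port)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    port = struct.unpack_from("!H", raw, 2)[0]
    return socket.inet_ntoa(raw[4:8]), port


def explain_original_dst_error(err_no):
    """Map the errno of a failed SO_ORIGINAL_DST query to a likely cause.
    The ENOPROTOOPT reading is an assumption based on how the kernel
    dispatches netfilter socket options, not a statement from the thread."""
    if err_no == errno.ENOPROTOOPT:   # errno 92 on Linux, as in the LOG3 line
        return ("option not handled at all: conntrack sockopt handler not "
                "registered (nf_conntrack_ipv4 not loaded) or not a TCP socket")
    if err_no == errno.ENOENT:
        return ("conntrack has no entry for this flow: the client reached "
                "the accept port directly instead of via DNAT/REDIRECT")
    return "unexpected error"


def original_destination(conn):
    """Return the (ip, port) the peer of `conn` dialled before NAT rewrote
    it; raise OSError with an explanation when the kernel cannot tell."""
    try:
        raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    except OSError as e:
        raise OSError(e.errno, "SO_ORIGINAL_DST: %s (%s)"
                      % (explain_original_dst_error(e.errno), e.strerror))
    return parse_original_dst(raw)


# Constructed sample: what the kernel would return for a client that dialled
# 198.51.100.7:443 (documentation address) before DNAT sent it to stunnel.
SAMPLE_SOCKADDR = build_sockaddr_in("198.51.100.7", 443)


if __name__ == "__main__":
    print("decoded sample:", parse_original_dst(SAMPLE_SOCKADDR))
    # Live check on a loopback connection.  The outcome depends on the host:
    # Linux with conntrack loaded typically returns the loopback target itself
    # (no NAT took place), Linux without it fails with ENOPROTOOPT, and
    # non-Linux systems do not have the option at all.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    try:
        print("live SO_ORIGINAL_DST:", original_destination(conn))
    except OSError as e:
        print("live SO_ORIGINAL_DST failed:", e)
    for s in (conn, cli, srv):
        s.close()
```

A transparent proxy built on this would call original_destination() on each accepted socket and dial the returned (ip, port); stunnel does the equivalent internally, which is why the manpage rules only redirect traffic to the accept port and never name a connect target for the transparent service.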