[stunnel-users] Transparent destination

Luis Monteiro luis.monteiro440 at gmail.com
Thu Jan 17 20:12:44 CET 2019


Sirs, I tested a stunnel client connecting to a stunnel server to transparently
proxy HTTP traffic.


I used a traffic generator from Ixia (BPS), a tap to capture the traffic between
the stunnels using ntop-licensed PF_RING (kernel bypass) with tcpdump linked
against its libraries, and exported pcaps of source and destination from Ixia.


Transparent source worked flawlessly using the information in the man page.


Transparent destination didn't work. The instructions in the stunnel
documentation for each are:

/sbin/iptables -I INPUT -i client_interface -p tcp --dport 443 -j ACCEPT
(I'm using the default HTTPS port.) This is the filter INPUT rule, which is
executed after the routing decision, after NAT, to allow packets with
destination port 443.

/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -i client_interface -j DNAT --to-destination 9.0.0.2:443
(80 is the destination port of HTTP on client_interface; 9.0.0.2:443 is the
connect destination on the stunnel server.)

The second iptables rule is executed before the routing decision, and that is
the problem. Looking at the hit counts in iptables, the nat table PREROUTING
always gets a hit but the filter table INPUT doesn't.

I set a policy route to deliver packets for 9.0.0.2:443 to a local process,
and the filter table INPUT started to receive hits in the counters as well,
but stunnel didn't work.

If I change the connect destination address to the local interface 9.0.0.1:443
I do not need the policy routing since it's local, but stunnel did not work
either.

The stunnel configuration for the client is below:

; global options
#setgid = root
#setuid = root
debug = 7
log = overwrite
syslog = no
output = /root/stunnel.log
;engine = ENGINE_ID
;engineCtrl = COMMAND[:PARAMETER]
;engineDefault = TASK_LIST

; client-side service: plain HTTP in on 6.0.0.1:80, TLS out
[http]
client = yes
accept = 6.0.0.1:80
;connect = 9.0.0.2:443
ciphers = AES128-GCM-SHA256
requireCert = no
sslVersion = TLSv1.2
transparent = destination


In the end I'd like to use both source and destination, but I'm testing them
separately.

Does anyone know if there is a related bug, or if there is a version that works
fine?

Even with a lot of resources I don't have anything more to try, and any help
would be appreciated.

Luis Monteiro
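Added example (not stunnel's code or the poster's): on Linux, stunnel's "transparent = destination" learns the pre-DNAT destination of an accepted connection with getsockopt(SOL_IP, SO_ORIGINAL_DST), so a small listener doing the same call shows whether the nat PREROUTING DNAT rule actually rewrote the connection that reached the socket, or whether the listener only sees itself as the destination. The bind address and port are assumptions.

```python
"""Report the pre-DNAT destination of one accepted TCP connection, the same
way stunnel's 'transparent = destination' does on Linux. Added diagnostic,
not stunnel's own code; the bind address below is an assumption."""
import socket
import struct

SOL_IP = 0            # Linux value of IPPROTO_IP, used as the option level
SO_ORIGINAL_DST = 80  # Linux netfilter constant from linux/netfilter_ipv4.h

def parse_sockaddr_in(raw: bytes) -> tuple:
    """Decode a struct sockaddr_in as returned by SO_ORIGINAL_DST."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    family, = struct.unpack_from("=H", raw, 0)  # sin_family, host order
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    port, = struct.unpack_from("!H", raw, 2)    # sin_port, network order
    return socket.inet_ntoa(raw[4:8]), port     # sin_addr, 4 raw bytes

def original_destination(conn: socket.socket):
    """Return (ip, port) the client dialled before DNAT, or None when the
    kernel has no conntrack/NAT record for this connection."""
    try:
        raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)  # sizeof(sockaddr_in)
    except OSError:
        return None
    return parse_sockaddr_in(raw)

def classify(original, local) -> str:
    """Say what stunnel would do with a connection in this state."""
    if original is None:
        return "no-conntrack: SO_ORIGINAL_DST failed, DNAT state not visible"
    if tuple(original) == tuple(local):
        return "not-redirected: original equals listener, stunnel would dial itself"
    return "redirected: stunnel would connect to %s:%d" % original

def serve_once(bind=("0.0.0.0", 8080)):  # assumed listener, run as root behind DNAT
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            print(peer, classify(original_destination(conn), conn.getsockname()))

if __name__ == "__main__":
    serve_once()
```

Point the DNAT rule at the listener's port and make one HTTP request through it; "not-redirected" means the packet reached the socket without the nat rule rewriting it, which is exactly what the INPUT counters not moving suggests.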
