[stunnel-users] Transparente destination
luis.monteiro440 at gmail.com
Thu Jan 17 20:12:44 CET 2019
Sirs. I tested the stunnel client connect to a stunnel server to proxy
transparent a http traffic.
I used a traffic generator from Ixia (BPS), a tap to get the traffic between
stunnel´s using ntop license pf_ring (Kernel bypass) with tcpdump accessing
their libs and export pcaps from source and destination from Ixia.
Transparent source worked flawless easily using the information on man page.
Transparent destination didn´t worked. The instructions in the stunnel
documentation for each are:
/sbin/iptables -I INPUT -i client_interface -p tcp --dport 443 (I´m using
default port os https) -j ACCEPT ----- It is filter INPUT that is executed
after routing decision after nat to allow packets with destination port 443
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 (Destination port of
http in client_interface \
-i client_interface -j DNAT --to-destination 220.127.116.11:443 (connect
destination on server Stunnel)
The second input in iptables is executed before the routing decision and
that is the problem. Looking the hit count of in iptables the nat table
PREROUTING always have a hit but the filter table filter INPUT doesn´t.
I set a policy routing to delivey packets to 18.104.22.168:443 to local process
and the filter table filter INPUT started to receive the hit in the
counters as well but stunnel didn´t worked.
If I change the connect destination address to local interface 22.214.171.124:443 I
do not need the pocily routing since it´s local but Stunnel did not worked
The stunnel configuration for the client is bellow:
#setgid = root
#setuid = root
debug = 7
log = overwrite
syslog = no
output = /root/stunnel.log
;engine = ENGINE_ID
;engineCtrl = COMMAND[:PARAMETER]
;engineDefault = TASK_LIST
client = yes
accept = 126.96.36.199:80
;connect = 188.8.131.52:443
ciphers = AES128-GCM-SHA256
requireCert = no
sslVersion = TLSv1.2
transparent = destination
At the end I´d like to use both source and destination but I´m testing
Does anyone know if there is a bug related or if there is a version working
Even with a lot o resource I don´t have more what to do about and any help
would be appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the stunnel-users