I use a REDIRECT to ensure all DNS traffic goes to my server which is
running Shorewall and named.
rules:
?COMMENT domain
REDIRECT    lan4,wifi    domain        tcp,udp domain        # no 'self serve' allowed

This creates these iptables -t nat entries (it also creates the ACCEPT entries):
    6   312 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* domain */ redir ports 53
 197K   14M REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* domain */ redir ports 53

BTW, http and https are using both TCP and UDP these days.  You might
try (replace zone? with your zone):
?COMMENT stunnel
REDIRECT    zone?    954        tcp,udp    https


Bill

On 1/14/2018 3:32 PM, pe...@easthope.ca wrote:
Hello,

I'm interested to configure stunnel and shorewall to allow a local
non-TLS Web browser to receive pages from a remote server providing
only HTTPS.   My intention is for the non-TLS browser to address
http://www.stunnel.org:954/ and receive the page from
https://www.stunnel.org:443/ .  Port 954 was chosen because, according
to https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers , it
is not assigned.

The browser should continue to receive http://shorewall.net/ without
port translation.  I.e. http://shorewall.net/ would mean
http://shorewall.net:80/ .

In my limited understanding,
https://www.stunnel.org/static/stunnel.html suggests this
configuration and iptables usage.

; /etc/stunnel/stunnel.conf
     [transparent]
     client = yes
     accept = 127.0.0.1:954
     transparent = destination

# iptables commands.
     /sbin/iptables -I INPUT -i eth0 -p tcp --dport 954 -j ACCEPT
     /sbin/iptables -t nat -I PREROUTING -p tcp --dport 443 \
         -i eth0 -j DNAT --to-destination 127.0.0.1:954
I need help with shorewall configuration equivalent to the two
commands.  A DNAT rule must be needed but help is needed with
specifics.

Thanks,           ... Peter E.
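The Shorewall equivalent of the two iptables commands quoted above, as an added example that is not part of either message: a single REDIRECT entry in /etc/shorewall/rules, along the lines Bill suggests. It assumes the browser's zone is named loc (a placeholder) and that stunnel's accept line is changed from 127.0.0.1:954 to plain 954, because a REDIRECT rewrites the destination to the address of the interface the packet arrived on, not to 127.0.0.1.

```text
# /etc/shorewall/rules (added example; 'loc' is a placeholder zone name)
#ACTION     SOURCE   DEST   PROTO   DPORT   SPORT   ORIGDEST
?COMMENT stunnel transparent proxy
# Hand TCP/443 from the local zone to stunnel listening on port 954 of
# this host. Shorewall's REDIRECT emits both the nat-table REDIRECT and
# the filter-table ACCEPT, so Peter's separate INPUT ACCEPT is not needed.
# SOURCE is kept to the local zone so the TLS-wrapping proxy is never
# reachable from the net zone; fill ORIGDEST with the remote server's
# address to limit which destinations the proxy will wrap.
REDIRECT    loc      954    tcp     443
```

Run `shorewall check` before `shorewall restart` to catch column errors. REDIRECT is preferred here over a DNAT to 127.0.0.1:954 as in the quoted iptables command: packets arriving on eth0 and DNATed to a loopback address are discarded by Linux unless the route_localnet sysctl is enabled on that interface, which the REDIRECT form avoids entirely.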


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
