Hello,

Regarding that iptables line that is mentioned in the manpage - what is the redirected port?

/sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
    -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>

I am using the stunnel configuration I posted in the first email, and I want traffic on the stunnel server to end up at localhost:9040, so I think I would use that as the --to-destination, but I am unsure what to put in the --dport. Is that going to be any port that I may be connecting to transparently (i.e. if I am using this as a web browser, would it be 80, 8000, 8080, etc.)?

On Thu, Oct 23, 2014 at 12:13 PM, Derek Cole <[email protected]> wrote:

> Thanks for the reply. Is this the normal way people would do this, or
> would you normally just run an stunnel in client mode on that server, and
> have firefox connect to it, which would then be able to transparently proxy
> to the internet?
>
> Or is it pretty much always necessary to be running some actual proxy
> software, regardless of whether stunnel is in client or server mode?
>
> On Thu, Oct 23, 2014 at 11:26 AM, Suresh Ramasamy <[email protected]> wrote:
>
>> Hi Derek,
>>
>> You will need proxy software on your server as the endpoint (e.g. squid).
>>
>> If you are emulating a VPN, then you'd need VPN software (OpenVPN) as
>> the endpoint.
>>
>> On 23 Oct 2014 22:08, "Derek Cole" <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> Is it possible to use stunnel server as a transparent proxy? I was
>>> digging through the manpage and I see the
>>>
>>> transparent=
>>>
>>> option. What I would like to do is have an stunnel client connect to the
>>> stunnel server, and once traffic is at the server, go to the original
>>> destination that the traffic going to the stunnel client was destined for.
>>>
>>> I.e. can I have firefox proxy to my stunnel client, which connects to my
>>> stunnel server, and then that traffic goes to whatever website the end user
>>> was trying to hit in firefox?
>>>
>>> My stunnel server is on a CentOS box:
>>>
>>> [root@CentOSTunTest ~]# uname -a
>>> Linux CentOSTunTest 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> And my stunnel.conf:
>>>
>>>> foreground = yes
>>>> debug = 7
>>>> options = NO_SSLv2
>>>> fips = no
>>>> output=/usr/local/etc/stunnel/stunnel.log
>>>>
>>>> [https]
>>>> cert=/usr/local/etc/stunnel/stunnel.pem
>>>> accept = 443
>>>> connect = 80
>>>>
>>>> [Internet]
>>>> cert=/usr/local/etc/stunnel/stunnel.pem
>>>> sni = https:Internet
>>>> transparent=destination
>>>
>>> So basically, the transparent option in [Internet] is what I am
>>> wondering about - whether it works the way I expect. I see this in the log file:
>>>
>>> 2014.10.23 09:57:05 LOG3[11414]: setsockopt SO_ORIGINAL_DST: Protocol not available (92)
>>> 2014.10.23 09:57:05 LOG5[11414]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
>>>
>>> I see this in the stunnel manpage:
>>>
>>> For a connect target installed on the same host:
>>>
>>> /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
>>>     -m ! --uid-owner <stunnel_user_id> \
>>>     -j DNAT --to-destination <local_ip>:<stunnel_port>
>>>
>>> For a connect target installed on a remote host:
>>>
>>> /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
>>> /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
>>>     -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
>>>
>>> What does it mean "for a connect target installed on the same host"?
>>> I thought transparent meant I was not using a connect target except the
>>> original destination. Does this mean I should implement the iptables rules for a
>>> remote host, since I want my client to just reach the internet?
>>>
>>> Thanks for the help in advance!
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
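The `setsockopt SO_ORIGINAL_DST: Protocol not available (92)` line in the log above is the mechanism behind `transparent = destination`: stunnel asks the Linux kernel, through getsockopt(SOL_IP, SO_ORIGINAL_DST), where a DNAT'ed connection was originally headed, and that query only succeeds for connections that arrived through the kernel's NAT machinery (the iptables rules quoted from the manpage). The Python below is an added illustration of that lookup and of the 16-byte sockaddr_in it returns; it is not stunnel's code or anything from the thread, and the 93.184.216.34:80 address it decodes is a constructed sample.

```python
import errno
import socket
import struct

# Linux getsockopt() option that returns the pre-DNAT destination of a TCP
# connection (value 80; Python's socket module does not define it).
SO_ORIGINAL_DST = 80

# struct sockaddr_in: sa_family (host-order u16), sin_port (network-order u16),
# sin_addr (4 bytes), then 8 bytes of zero padding -> 16 bytes total.
SOCKADDR_IN = struct.Struct("=H2s4s8x")


def parse_original_dst(raw: bytes) -> tuple:
    """Decode the sockaddr_in handed back by SO_ORIGINAL_DST into (ip, port)."""
    if len(raw) < SOCKADDR_IN.size:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family, port_be, addr = SOCKADDR_IN.unpack_from(raw)
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    return socket.inet_ntoa(addr), struct.unpack("!H", port_be)[0]


def original_dst(conn: socket.socket):
    """Return the (ip, port) the client really targeted, or None when the
    kernel has no NAT/conntrack record for this socket.

    ENOPROTOOPT is the 'Protocol not available (92)' case from the stunnel
    log: NAT tracking is not active for the connection, typically because it
    never passed a DNAT/REDIRECT rule, so there is no original destination
    to recover and transparent=destination cannot work for it."""
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, SOCKADDR_IN.size)
    except OSError as exc:
        if exc.errno in (errno.ENOPROTOOPT, errno.ENOENT):
            return None
        raise
    return parse_original_dst(raw)


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Constructed input: the bytes the kernel would return for a connection
    whose original destination was ip:port (used here to exercise the parser)."""
    return SOCKADDR_IN.pack(socket.AF_INET, struct.pack("!H", port), socket.inet_aton(ip))


if __name__ == "__main__":
    # Constructed sample: a browser connection to 93.184.216.34:80 that a
    # PREROUTING DNAT rule redirected to the stunnel accept port.
    print(parse_original_dst(build_sockaddr_in("93.184.216.34", 80)))
```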
