I just wanted to follow up that post showing my full set of rules. See below:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "All Input"
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -i eth0 -p icmp -m icmp --icmp-type echo-request -j DROP
#-A INPUT -i eth0 -j InputIP
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-Drop:"
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "All-Forwards"
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD-Drop:"
-A FORWARD -j DROP
-A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "All Output"
-A OUTPUT -o eth0 -p tcp --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 8999 -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 8000 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT-Drop:"
-A OUTPUT -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j LOG
-A PREROUTING -p tcp --dport 12345 -i eth0 -j DNAT --to-destination 127.0.0.1:9040
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

On Tue, Oct 28, 2014 at 5:31 PM, Derek Cole <[email protected]> wrote:
> Hello,
>
> Regarding that IPtables line that is mentioned in the manpage - what is
> the redirected port?
>
> /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
>     -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
>
> I am using the stunnel configuration I posted in the first email, and I
> want traffic on the stunnel server to end up at localhost:9040, so I think I
> would use that as the --to-destination, but I am unsure what to put in the
> --dport. Is that going to be any port that I may be connecting to
> transparently (i.e. if I am using this as a web browser, would it be 80,
> 8000, 8080, etc.)?
>
> On Thu, Oct 23, 2014 at 12:13 PM, Derek Cole <[email protected]> wrote:
>> Thanks for the reply. Is this the normal way people would do this, or
>> would you normally just run an stunnel in client mode on that server, and
>> have firefox connect to it, which would then be able to transparently proxy
>> to the internet?
>>
>> Or is it pretty much always necessary to be running some actual proxy
>> software, regardless of whether stunnel is in client or server mode?
>>
>> On Thu, Oct 23, 2014 at 11:26 AM, Suresh Ramasamy <[email protected]> wrote:
>>> Hi Derek,
>>>
>>> You will need a proxy software on your server as the endpoint (e.g.
>>> squid).
>>>
>>> If you are emulating a VPN, then you'd need a VPN software (OpenVPN) as
>>> the endpoint.
>>>
>>> On 23 Oct 2014 22:08, "Derek Cole" <[email protected]> wrote:
>>>> Hello,
>>>>
>>>> Is it possible to use stunnel server as a transparent proxy? I was
>>>> digging through the manpage and I see the
>>>>
>>>> transparent=
>>>>
>>>> option. What I would like to do is have an stunnel client connect to
>>>> the stunnel server, and once traffic is at the server, go to the original
>>>> destination that the traffic going to the stunnel client was destined for.
>>>>
>>>> I.e. can I have firefox proxy to my stunnel client, which connects to
>>>> my stunnel server, and then that traffic goes to whatever website the end
>>>> user was trying to hit in firefox?
>>>>
>>>> My Stunnel server is on a CentOS box:
>>>>
>>>> [root@CentOSTunTest ~]# uname -a
>>>> Linux CentOSTunTest 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> And my stunnel.conf:
>>>>
>>>>> foreground = yes
>>>>> debug = 7
>>>>> options = NO_SSLv2
>>>>> fips = no
>>>>> output=/usr/local/etc/stunnel/stunnel.log
>>>>>
>>>>> [https]
>>>>> cert=/usr/local/etc/stunnel/stunnel.pem
>>>>> accept = 443
>>>>> connect = 80
>>>>>
>>>>> [Internet]
>>>>> cert=/usr/local/etc/stunnel/stunnel.pem
>>>>> sni = https:Internet
>>>>> transparent=destination
>>>>
>>>> So basically, the transparent option in [Internet] is what I am
>>>> wondering about: does it work the way I expect? I see this in the log file:
>>>>
>>>> 2014.10.23 09:57:05 LOG3[11414]: setsockopt SO_ORIGINAL_DST: Protocol not available (92)
>>>> 2014.10.23 09:57:05 LOG5[11414]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
>>>>
>>>> I see this in the stunnel manpage:
>>>>
>>>> For a connect target installed on the same host:
>>>>
>>>> /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
>>>>     -m ! --uid-owner <stunnel_user_id> \
>>>>     -j DNAT --to-destination <local_ip>:<stunnel_port>
>>>>
>>>> For a connect target installed on a remote host:
>>>>
>>>> /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
>>>> /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
>>>>     -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
>>>>
>>>> What does "for a connect target installed on the same host" mean?
>>>> I thought transparent meant I was not using a connect target except the
>>>> original destination. Does this mean I should implement the IPTables for a
>>>> remote host, since I want my client to just reach the internet?
>>>>
>>>> Thanks for the help in advance!
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
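As an added illustration (my own example, not code from the thread or from stunnel), a toy Python evaluator that replays a new TCP connection to port 12345 through the two chains it crosses in the ruleset posted above. It makes visible a point the posted rules miss: nat PREROUTING runs before filter INPUT, so INPUT is matched against the translated port 9040, which none of the posted INPUT ACCEPT rules cover, and the connection lands on the INPUT-Drop rule. The ruleset embedded in the code is a trimmed excerpt of the posted one (nat PREROUTING and filter INPUT only), and the packet dict is a constructed input.

```python
# Constructed excerpt of the ruleset posted above (nat PREROUTING and filter INPUT only).
RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-Drop:"
-A INPUT -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 12345 -i eth0 -j DNAT --to-destination 127.0.0.1:9040
COMMIT
"""

def parse_save(text):
    """iptables-save text -> {table: {chain: {"policy", "rules"}}}; a rule maps option -> value."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            table[line[1:].split()[0]] = {"policy": line.split()[1], "rules": []}
        elif line.startswith("-A"):
            toks = line.replace('"', "").split()
            rule = {k: v for k, v in zip(toks, toks[1:]) if k.startswith("-")}
            table[rule["-A"]]["rules"].append(rule)  # rule["-A"] names its chain
    return tables
def matches(rule, pkt):  # models -i, -p, --dport and -m conntrack --ctstate only
    for opt, key in (("-i", "in"), ("-p", "proto"), ("--dport", "dport")):
        if opt in rule and rule[opt] != str(pkt[key]):
            return False
    return "--ctstate" not in rule or pkt["state"] in rule["--ctstate"].split(",")
def walk(table, chain, pkt):
    logs = []
    for rule in table[chain]["rules"]:
        if not matches(rule, pkt):
            continue
        if rule["-j"] == "LOG":   # non-terminating: record the prefix, keep going
            logs.append(rule["--log-prefix"])
            continue
        if rule["-j"] == "DNAT":  # rewrite the destination port; the chain ends here
            pkt["dport"] = int(rule["--to-destination"].rsplit(":", 1)[1])
        return rule["-j"], logs
    return table[chain]["policy"], logs
def trace_inbound(save_text, pkt):
    t, pkt = parse_save(save_text), dict(pkt)
    _, nat_logs = walk(t["nat"], "PREROUTING", pkt)   # nat PREROUTING runs first...
    verdict, logs = walk(t["filter"], "INPUT", pkt)   # ...so INPUT sees the post-DNAT port
    return pkt["dport"], verdict, nat_logs + logs
```

`trace_inbound(RULES, {"in": "eth0", "proto": "tcp", "dport": 12345, "state": "NEW"})` returns `(9040, "DROP", ["INPUT-Drop:"])`, which is exactly the "INPUT-Drop:" line you would find in syslog. The manpage's `-I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT` rule quoted in the thread is the one that covers the translated port.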
