Skip to content

Instantly share code, notes, and snippets.

@Informatic
Created July 22, 2018 10:20
Show Gist options
  • Save Informatic/2034898bc404ea99f322dd0fdfe43878 to your computer and use it in GitHub Desktop.
Save Informatic/2034898bc404ea99f322dd0fdfe43878 to your computer and use it in GitHub Desktop.
stunnel transparent proxy (server) on localhost. use transparent=source; connect=127.1.1.1:... in stunnel configuration (mostly borrowed from sslh documentation)
#!/bin/bash
set -e
# Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as
# destination
sysctl -w net.ipv4.conf.default.route_localnet=1
sysctl -w net.ipv4.conf.all.route_localnet=1
# DROP martian packets as they would have been if route_localnet was zero
# Note: packets not leaving the server aren't affected by this, thus sslh/stunnel will
# still work
iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
# Mark all connections made by ssl for special treatment (here stunnel connects to 127.1.1.1)
iptables -t nat -A OUTPUT -d 127.1.1.1 -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
# Outgoing packets that should go to sslh/stunnel instead have to be rerouted, so mark
# them accordingly (copying over the connection mark)
iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
# Configure routing for those marked packets
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
@baptx
Copy link

baptx commented Apr 12, 2020

Hi, any idea how to use transparent proxy with sslh / stunnel using IPv6? Your example works for IPv4 only.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment