Created July 22, 2018 10:20
stunnel transparent proxy (server) on localhost. Use transparent=source and a connect= target on the loopback range in the stunnel configuration (mostly borrowed from the sslh documentation).

#!/bin/sh
# Policy routing and iptables setup so that a service bound on the loopback range can be
# reached by stunnel running as a transparent proxy (transparent=source), i.e. the backend
# sees the original client address and its replies are steered back through stunnel.
# Must be run as root. IPv4 only.
set -e
# Set route_localnet = 1 on all interfaces so that stunnel can use "localhost" as
# destination: without it the kernel treats 127.0.0.0/8 as unroutable off the lo device.
sysctl -w net.ipv4.conf.default.route_localnet=1
sysctl -w net.ipv4.conf.all.route_localnet=1
# DROP martian packets (loopback addresses seen on a non-loopback interface) as they would
# have been if route_localnet was zero. The loopback range 127.0.0.0/8 is assumed here.
# Note: packets not leaving the server aren't affected by this, thus sslh/stunnel will
# still work.
iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
# Mark all connections made by stunnel for special treatment (here stunnel connects to an
# address in 127.0.0.0/8, assumed). Only the low nibble of the mark is used (mask 0x0f),
# so other tools can keep using the remaining bits.
iptables -t nat -A OUTPUT -d 127.0.0.0/8 -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
# Outgoing packets that should go to sslh/stunnel instead have to be rerouted, so mark
# them accordingly (copying over the connection mark into the packet mark).
iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
# Configure routing for those marked packets: everything carrying fwmark 0x1 is looked up
# in table 100, which delivers any destination locally via lo.
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
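The script above is not re-runnable: a second invocation appends duplicate iptables rules and a duplicate ip rule, and there is no way back. The following wrapper is an added example, not code from the gist or from sslh, that applies the same rules idempotently (checking with iptables -C before appending) and provides a teardown. It assumes the loopback range 127.0.0.0/8 as the stunnel connect target, the mark 0x01/0x0f and routing table 100 from the script above; both are overridable only by editing the variables. It must run as root; with DRY_RUN=1 it prints the commands instead of executing them. Note that stunnel itself needs CAP_NET_ADMIN (in practice, running as root) to set IP_TRANSPARENT for transparent=source, independently of these rules.

```shell
#!/bin/sh
# Added example, not part of the gist: idempotent apply/teardown wrapper for the
# stunnel transparent-proxy rules. Run as root; DRY_RUN=1 prints instead of executing.
# Assumptions: loopback range 127.0.0.0/8 as the connect target, mark 0x01/0x0f and
# routing table 100, all taken from the gist's script.
set -e

LOOPBACK="${LOOPBACK:-127.0.0.0/8}"
MARK="0x01/0x0f"
TABLE=100

# run <cmd...>: execute the command, or print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipt_add <table> <chain> <rule...>: append the rule only if iptables -C reports it absent
ipt_add() {
    tbl=$1; chn=$2; shift 2
    if [ -n "${DRY_RUN:-}" ] || ! iptables -t "$tbl" -C "$chn" "$@" 2>/dev/null; then
        run iptables -t "$tbl" -A "$chn" "$@"
    fi
}

# ipt_del <table> <chain> <rule...>: delete the rule only if iptables -C reports it present
ipt_del() {
    tbl=$1; chn=$2; shift 2
    if [ -n "${DRY_RUN:-}" ] || iptables -t "$tbl" -C "$chn" "$@" 2>/dev/null; then
        run iptables -t "$tbl" -D "$chn" "$@"
    fi
}

# rules <ipt_add|ipt_del>: the four iptables rules of the gist, listed once so that
# apply and teardown cannot drift apart
rules() {
    "$1" raw PREROUTING ! -i lo -d "$LOOPBACK" -j DROP
    "$1" mangle POSTROUTING ! -o lo -s "$LOOPBACK" -j DROP
    "$1" nat OUTPUT -d "$LOOPBACK" -p tcp --tcp-flags FIN,SYN,RST,ACK SYN \
        -j CONNMARK --set-xmark "$MARK"
    "$1" mangle OUTPUT ! -o lo -p tcp -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark --mask 0x0f
}

apply() {
    run sysctl -w net.ipv4.conf.default.route_localnet=1
    run sysctl -w net.ipv4.conf.all.route_localnet=1
    rules ipt_add
    # "ip rule add" happily adds duplicates, so check first; "ip route replace" is idempotent
    if [ -n "${DRY_RUN:-}" ] || ! ip rule show | grep -q "fwmark 0x1 lookup $TABLE"; then
        run ip rule add fwmark 0x1 lookup "$TABLE"
    fi
    run ip route replace local 0.0.0.0/0 dev lo table "$TABLE"
}

teardown() {
    rules ipt_del
    if [ -n "${DRY_RUN:-}" ] || ip rule show | grep -q "fwmark 0x1 lookup $TABLE"; then
        run ip rule del fwmark 0x1 lookup "$TABLE"
    fi
    run ip route flush table "$TABLE"
    # restore the kernel's loopback martian filtering now that nothing needs route_localnet
    run sysctl -w net.ipv4.conf.all.route_localnet=0
    run sysctl -w net.ipv4.conf.default.route_localnet=0
}

case "${1:-}" in
    apply)    apply ;;
    teardown) teardown ;;
esac
```

Usage: `DRY_RUN=1 sh transparent.sh apply` to review the exact commands, then `sh transparent.sh apply` as root, and `sh transparent.sh teardown` to undo. Because the mark uses only the low nibble (0x0f), check that nothing else on the host (for example another transparent-proxy or QoS setup) already uses those bits of the connmark, or the two will steal each other's packets. Like the gist, this covers IPv4 only.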
baptx commented Apr 12, 2020

Hi, any idea how to use transparent proxy with sslh / stunnel using IPv6? Your example works for IPv4 only.