Created July 22, 2018 10:20
stunnel transparent proxy (server) on localhost. Use transparent = source and connect = 127.1.1.1:... in the stunnel configuration (mostly borrowed from the sslh documentation).
#!/bin/bash
set -e
# Set route_localnet = 1 on all interfaces so that stunnel can use "localhost" as
# destination
sysctl -w net.ipv4.conf.default.route_localnet=1
sysctl -w net.ipv4.conf.all.route_localnet=1
# DROP martian packets as they would have been if route_localnet was zero; without
# these two rules, route_localnet = 1 would let other hosts reach 127.0.0.0/8 services
# Note: packets not leaving the server aren't affected by this, thus sslh/stunnel will
# still work
iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
# Mark all connections made by stunnel for special treatment (here stunnel connects to 127.1.1.1)
iptables -t nat -A OUTPUT -d 127.1.1.1 -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
# Outgoing packets that should go to sslh/stunnel instead have to be rerouted, so mark
# them accordingly (copying over the connection mark)
iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
# Configure routing for those marked packets
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
# Note: the script is not idempotent; every run appends the iptables rules again (-A)
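The script above only installs the firewall and routing side. As an added example (not part of the gist), the following shell script renders the stunnel service section that pairs with it, and prints the install and teardown command sets so they can be reviewed before running as root and removed again afterwards. The service name `ssh`, the accept port 443, the backend port 22 on 127.1.1.1 and the certificate path `/etc/stunnel/stunnel.pem` are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not part of the gist: stunnel service section for the transparent
# proxy plus matching install/remove command sets. Assumed values: stunnel accepts
# on 443, the backend listens on 127.1.1.1:22, cert at /etc/stunnel/stunnel.pem.
set -eu

LOOPBACK_DST=127.1.1.1   # what stunnel connects to; must match the nat OUTPUT rule
MARK=0x01                # connmark/fwmark value; must match the ip rule
TABLE=100                # routing table holding the "local 0.0.0.0/0 dev lo" route

# Emit a stunnel.conf service block. transparent = source makes stunnel open the
# backend connection from the TLS client's real source address, which is why the
# backend's reply packets need the fwmark routing to be delivered back into lo.
# That mode needs stunnel to keep root (IP_TRANSPARENT), so no setuid/setgid here.
render_stunnel_service() {
    local name=$1 accept_port=$2 backend_port=$3 cert=$4
    cat <<EOF
[$name]
accept = $accept_port
connect = $LOOPBACK_DST:$backend_port
transparent = source
cert = $cert
EOF
}

# Print the sysctl, iptables and ip commands for one direction:
#   render_rules -A add 1   install (same rules as the gist)
#   render_rules -D del 0   remove
render_rules() {
    local ipt=$1 iprt=$2 localnet=$3
    cat <<EOF
sysctl -w net.ipv4.conf.default.route_localnet=$localnet
sysctl -w net.ipv4.conf.all.route_localnet=$localnet
iptables -t raw $ipt PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
iptables -t mangle $ipt POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
iptables -t nat $ipt OUTPUT -d $LOOPBACK_DST -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark $MARK/0x0f
iptables -t mangle $ipt OUTPUT ! -o lo -p tcp -m connmark --mark $MARK/0x0f -j CONNMARK --restore-mark --mask 0x0f
ip rule $iprt fwmark $MARK lookup $TABLE
ip route $iprt local 0.0.0.0/0 dev lo table $TABLE
EOF
}
install_rules() { render_rules -A add 1; }
remove_rules()  { render_rules -D del 0; }

# Execute the rendered commands when running as root, otherwise just print them.
apply() {
    if [ "$(id -u)" -eq 0 ]; then "$1" | sh -e; else "$1"; fi
}

case "${1:-}" in
    install) apply install_rules ;;
    remove)  apply remove_rules ;;
    conf)    render_stunnel_service ssh 443 22 /etc/stunnel/stunnel.pem ;;
    *)       ;;   # no argument: only define the functions
esac
```

Run it with `conf` to get the service section to paste into stunnel.conf, `install` as root to apply the same rules as the gist, and `remove` to take them out again and restore route_localnet to 0. Keep `LOOPBACK_DST` in sync with the `connect =` line, since the nat OUTPUT rule keys on that destination address.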
Hi, any idea how to use transparent proxy with sslh / stunnel using IPv6? Your example works for IPv4 only.