[sslh] transparent proxy
António Trindade
toze at velosotrindade.com
Wed Apr 10 12:22:47 CEST 2013
Hello,
I tried your transparent proxy patch and, with some adjustments to the
ip route, iptables and the kernel net.ipv4.conf.default parameters,
I got it working.
This was what i did:
1 - in /etc/sysctl.conf I set:
-------------------------------------------------------------
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0
# Do not accept source routing (THIS ONE I THINK IS NOT NEEDED but I haven't tested it yet)
net.ipv4.conf.default.accept_source_route = 0
-------------------------------------------------------------
2 - add the following rules to the mangle section of the iptables config file
-------------------------------------------------------------
*mangle
:SSLH - [0:0]
#HTTPS
-A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
#SSH
-A OUTPUT --protocol tcp --out-interface eth0 --sport 2222 --jump SSLH
-A SSLH --jump MARK --set-mark 0x1
-A SSLH --jump ACCEPT
COMMIT
-------------------------------------------------------------
or on the command line
-------------------------------------------------------------
# iptables -t mangle -N SSLH
# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 2222 --jump SSLH
# iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
# iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
# iptables -t mangle -A SSLH --jump ACCEPT
-------------------------------------------------------------
3 - add the following ip rule and route
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
I'm not a routing expert, so comments are appreciated.
Thanks for your code.
Best regards.
António Trindade
Regards,
António Trindade
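The three steps above, as an added example script that is not part of the original mail or of sslh itself: it generates the mangle rules for any list of backend ports (the mail's 4443 and 2222 on eth0 are the assumed defaults), prints the sysctl and policy-routing commands, and applies them only when not in dry-run mode.

```shell
#!/bin/sh
# Added example (not from the original post or from sslh): build and apply the
# transparent-proxy plumbing from the mail for a list of sslh backend ports.
# Assumed values: interface eth0, backend ports 4443/2222, fwmark 0x1, table 100.
set -e

MARK="${MARK:-0x1}"     # fwmark stamped on replies leaving the backend ports
TABLE="${TABLE:-100}"   # policy-routing table that steers marked packets to lo

# Print an iptables-restore fragment for the mangle table: one OUTPUT rule per
# backend port jumping to the SSLH chain, which marks the packet and accepts it.
sslh_mangle_rules() {
    iface="$1"; shift
    printf '%s\n' '*mangle' ':SSLH - [0:0]'
    for port in "$@"; do
        printf '%s\n' "-A OUTPUT --protocol tcp --out-interface $iface --sport $port --jump SSLH"
    done
    printf '%s\n' "-A SSLH --jump MARK --set-mark $MARK" '-A SSLH --jump ACCEPT' 'COMMIT'
}

# Print the sysctl and policy-routing commands from steps 1 and 3.
sslh_route_cmds() {
    printf '%s\n' 'sysctl -w net.ipv4.conf.default.rp_filter=0'
    printf '%s\n' "ip rule add fwmark $MARK lookup $TABLE"
    printf '%s\n' "ip route add local 0.0.0.0/0 dev lo table $TABLE"
}

# Apply everything. With DRY_RUN=1 only print what would be run; otherwise this
# needs root, iptables-restore and iproute2 on the host.
sslh_apply() {
    iface="$1"; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        sslh_mangle_rules "$iface" "$@"
        sslh_route_cmds
        return 0
    fi
    sslh_mangle_rules "$iface" "$@" | iptables-restore --noflush
    sslh_route_cmds | sh -e
}

# Usage (dry run): DRY_RUN=1 sslh_apply eth0 4443 2222
```

One caveat when checking a host: the kernel applies max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<iface>.rp_filter) to an existing interface, and the `default` value only seeds interfaces created later, so verify the `all` and per-interface values as well.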