[sslh] transparent option doesn't function

Yves Rutschle yves at rutschle.net
Fri Apr 25 10:58:28 CEST 2014


On Thu, Apr 24, 2014 at 08:55:15AM +0200, Thorsten Regner wrote:
> I have a problem with the Transparent option.

Do you manage to have a non-transparent working
configuration? (one problem at a time :-) ).

> ssh (config standard) -> all right the transparent option function
> https (lighttpd 1.4.35) -> hear at 192.168.0.11:11443 and
> 192.168.0.11:443 -> doesn't function
> openvpn -> hear at 172.16.0.11:1194 -> doesn't function

What do you mean by "doesn't function"? You can't connect to
it at all, or you can't connect to it through sslh?

I assume that the servers actually work and if you telnet to
e.g. 172.16.0.11 1194 you talk to openvpn.

> So in my case, I can connect to ssh through port 445 but I can't
> connect through 22 ??

Port 445?

> /usr/local/sbin/sslh -F /etc/sslh/sslh.conf
> ssh addr: 172.16.0.11:ssh. libwrap service: ssh family 2 2
> openvpn addr: 172.16.0.11:openvpn. libwrap service: (null) family 2 2
> xmpp addr: localhost:xmpp-client. libwrap service: (null) family 10 10
> http addr: localhost:http. libwrap service: (null) family 10 10
> ssl addr: 192.168.0.11:https. libwrap service: (null) family 2 2
> anyprot addr: localhost:https. libwrap service: (null) family 10 10

All the 'localhost' specifications won't work for
transparent networking. 

> listening on:
>     172.16.0.11:https
> timeout: 2
> on-timeout: ssh
> listening to 1 addresses
> turning into root
> sslh-fork v1.16-13-gd10b539 started
> accepted fd 4
> **** writing deferred on fd -1
> probing for ssh
> probing for openvpn
> probing for xmpp
> probing for http
> probing for ssl
> connecting to 192.168.0.11:https family 2 len 16
> forward to ssl failed:connect: Connection timed out
> connect: Connection timed out
> accepted fd 4
> connecting to 172.16.0.11:ssh family 2 len 16
> connection from 172.16.0.1:55246 to 172.16.0.11:https forwarded from
> 172.16.0.1:55246 to 172.16.0.11:ssh
> flushing deferred data to fd 3
> 
> 
> my iptables .........
> 
> ## clean
> iptables -t mangle -F
> iptables -t mangle -X
> ip route del local 0.0.0.0/0 dev lo table 100
> ip rule del fwmark 0x1 lookup 100
> 
> ## mknew
> iptables -t mangle -N SSLH
> iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0
> --sport 22 --jump SSLH
> iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0
> --sport 1194 --jump SSLH
> iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth1
> --sport 443 --jump SSLH

Shouldn't this be --sport 11443?

That's the only thing that may be wrong I can see, but then
I'm not so good with iptables and I've never tried
transparent proxying with two interfaces...

HTH,
Y.
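The two points raised in the reply (targets given as `localhost` cannot be reached transparently, and every backend port needs a matching `--sport` rule in the mangle OUTPUT chain so the server's replies get marked and routed back through sslh) can be checked mechanically. The script below is an added example, not part of the mail or of sslh itself; it parses the sslh startup lines and the iptables rules as quoted above (embedded as constructed sample input) and reports targets that cannot work in transparent mode or lack a reply-marking rule. The service-name table is a small hard-coded assumption standing in for /etc/services, and the address parser assumes IPv4 or hostname targets, not bracketed IPv6.

```python
"""Cross-check sslh's startup log against the iptables mangle rules that
transparent proxying relies on (added example; not sslh project code)."""
import re

# Assumption: a tiny stand-in for /etc/services covering the names used below.
SERVICES = {"ssh": 22, "openvpn": 1194, "xmpp-client": 5222,
            "http": 80, "https": 443}

# "ssl addr: 192.168.0.11:https. libwrap service: ..." -> (ssl, host, port)
ADDR_RE = re.compile(r"^(\S+) addr: ([^:\s]+):(\S+?)\.\s")
# "... --out-interface eth1 --sport 443 --jump SSLH" -> (eth1, 443)
SPORT_RE = re.compile(r"--out-interface\s+(\S+).*?--sport\s+(\d+)")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the sslh output quoted in the mail, minus the '> ' marks.
SAMPLE_LOG = """\
ssh addr: 172.16.0.11:ssh. libwrap service: ssh family 2 2
openvpn addr: 172.16.0.11:openvpn. libwrap service: (null) family 2 2
xmpp addr: localhost:xmpp-client. libwrap service: (null) family 10 10
http addr: localhost:http. libwrap service: (null) family 10 10
ssl addr: 192.168.0.11:https. libwrap service: (null) family 2 2
anyprot addr: localhost:https. libwrap service: (null) family 10 10
listening on:
    172.16.0.11:https
"""

# Constructed sample: the mangle rules quoted in the mail, still line-wrapped.
SAMPLE_RULES = """\
iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0
--sport 22 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0
--sport 1194 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth1
--sport 443 --jump SSLH
"""


def port_number(name):
    """Accept either a numeric port or a name from the SERVICES table."""
    return int(name) if name.isdigit() else SERVICES[name]


def parse_targets(log):
    """Return {service: (host, port)} from sslh's 'X addr: host:port.' lines."""
    targets = {}
    for line in log.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            targets[m.group(1)] = (m.group(2), port_number(m.group(3)))
    return targets


def parse_sport_rules(rules):
    """Return {source_port: out_interface} for every marking rule.

    Lines wrapped by the mail client (continuation starting with '--') are
    re-joined first so each iptables command is matched as one unit."""
    joined = re.sub(r"\n(?=--)", " ", rules)
    return {int(m.group(2)): m.group(1) for m in SPORT_RE.finditer(joined)}


def check(targets, sport_rules):
    """List the configuration problems a transparent sslh setup would hit."""
    problems = []
    for svc, (host, port) in sorted(targets.items()):
        if host in LOOPBACK:
            # Replies from a loopback target never traverse the marked route.
            problems.append(f"{svc}: target {host}:{port} cannot be reached "
                            "transparently; use a real interface address")
        elif port not in sport_rules:
            # Without a --sport rule the backend's replies are not marked.
            problems.append(f"{svc}: no mangle --sport {port} rule for "
                            f"replies from {host}")
    return problems


def audit(log=SAMPLE_LOG, rules=SAMPLE_RULES):
    return check(parse_targets(log), parse_sport_rules(rules))


if __name__ == "__main__":
    for problem in audit():
        print(problem)
```

Run against the quoted configuration it reports only the three `localhost` targets (xmpp, http, anyprot); the ssh, openvpn and ssl backends each have a `--sport` rule for their port. Deleting the eth1 rule makes the ssl entry show up as well, which is the shape of failure the mail's "Connection timed out" log suggests.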



More information about the sslh mailing list