[sslh] transparent option doesn't function

Thorsten Regner goofy at gmx.li
Fri Apr 25 11:53:09 CEST 2014


Yes, I get the non-transparent proxy working.

I mean, the only thing that works is the ssh service,
and only through sslh; the standard port (22) doesn't work, only 443.
If I make a telnet connection to 22 or 1194 it doesn't work.
The settings with localhost I don't need ....
For the sport --443 I tried 443 and 11443 ... but nothing works.
I tried the transparent proxy with only one interface too - but it
doesn't function :(
If the transparent proxy functions - it will be the greatest thing ^^

I tried a blank Debian 7 with only your package and the iptables examples ....
but the transparent proxy won't work for ssl and openvpn :(




On 25.04.2014 10:58, Yves Rutschle wrote:
> On Thu, Apr 24, 2014 at 08:55:15AM +0200, Thorsten Regner wrote:
>> I have a problem with the Transparent option.
> Do you manage to have a non-transparent working
> configuration? (one problem at a time :-) ).
>
>> ssh (config standard) -> all right, the transparent option functions
>> https (lighttpd 1.4.35) -> listens at 192.168.0.11:11443 and
>> 192.168.0.11:443 -> doesn't function
>> openvpn -> listens at 172.16.0.11:1194 -> doesn't function
> What do you mean by "doesn't function"? You can't connect to
> it at all, or you can't connect to it through sslh?
>
> I assume that the servers actually work and if you telnet to
> e.g. 172.16.0.11 1194 you talk to openvpn.
>
>> So in my case, I can connect to ssh through port 445 but I can't
>> connect through 22 ??
> Port 445?
>
>> /usr/local/sbin/sslh -F /etc/sslh/sslh.conf
>> ssh addr: 172.16.0.11:ssh. libwrap service: ssh family 2 2
>> openvpn addr: 172.16.0.11:openvpn. libwrap service: (null) family 2 2
>> xmpp addr: localhost:xmpp-client. libwrap service: (null) family 10 10
>> http addr: localhost:http. libwrap service: (null) family 10 10
>> ssl addr: 192.168.0.11:https. libwrap service: (null) family 2 2
>> anyprot addr: localhost:https. libwrap service: (null) family 10 10
> All the 'localhost' specifications won't work for
> transparent networking.
>
>> listening on:
>>      172.16.0.11:https
>> timeout: 2
>> on-timeout: ssh
>> listening to 1 addresses
>> turning into root
>> sslh-fork v1.16-13-gd10b539 started
>> accepted fd 4
>> **** writing deferred on fd -1
>> probing for ssh
>> probing for openvpn
>> probing for xmpp
>> probing for http
>> probing for ssl
>> connecting to 192.168.0.11:https family 2 len 16
>> forward to ssl failed:connect: Connection timed out
>> connect: Connection timed out
>> accepted fd 4
>> connecting to 172.16.0.11:ssh family 2 len 16
>> connection from 172.16.0.1:55246 to 172.16.0.11:https forwarded from
>> 172.16.0.1:55246 to 172.16.0.11:ssh
>> flushing deferred data to fd 3
>>
>>
>> my iptables .........
>>
>> ## clean
>> iptables -t mangle -F
>> iptables -t mangle -X
>> ip route del local 0.0.0.0/0 dev lo table 100
>> ip rule del fwmark 0x1 lookup 100
>>
>> ## mknew
>> iptables -t mangle -N SSLH
>> iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0
>> --sport 22 --jump SSLH
>> iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0
>> --sport 1194 --jump SSLH
>> iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth1
>> --sport 443 --jump SSLH
> Shouldn't this be --sport 11443?
>
> That's the only thing that may be wrong I can see, but then
> I'm not so good with iptables and I've never tried
> transparent proxying with two interfaces...
>
> HTH,
> Y.
>
> _______________________________________________
> sslh mailing list
> sslh at rutschle.net
> http://rutschle.net/cgi-bin/mailman/listinfo/sslh
>



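The quoted "## mknew" fragment only creates the SSLH chain and its OUTPUT hooks; the script below is an added example (mine, not from the list post or the sslh project) that completes the transparent-mode rule set with the MARK target, the fwmark rule and the local routing table that the "## clean" step deletes, and keeps it re-runnable. Assumptions of my own: eth0 is the interface facing the clients (172.16.0.0/24), fwmark 0x1 and routing table 100 are unused, and the --sport values are the ports sslh actually connects to (its "addr:" lines at startup); the sslh side (transparent mode enabled, no localhost backends, as Yves notes) is not covered here.

```shell
# Added example: full sslh transparent-mode rule set (not the original post's script).
# Assumption: eth0 faces the clients; fwmark 0x1 and table 100 are free.
CLIENT_IF=${CLIENT_IF:-eth0}
BACKEND_PORTS=${BACKEND_PORTS:-"22 1194 443"}   # ports sslh forwards to (its "addr:" lines)
MARK=0x1
TABLE=100

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Same teardown as the page's "## clean" step, so the script can be re-applied.
sslh_transparent_clean() {
    run iptables -t mangle -F
    run iptables -t mangle -X
    run ip rule del fwmark "$MARK" lookup "$TABLE"
    run ip route del local 0.0.0.0/0 dev lo table "$TABLE"
}

sslh_transparent_rules() {
    run iptables -t mangle -N SSLH
    for port in $BACKEND_PORTS; do
        # OUTPUT chooses --out-interface from the route to the packet's destination,
        # i.e. the client whose address sslh impersonated, so every backend's replies
        # leave through the client-facing interface, whatever address the backend binds.
        run iptables -t mangle -A OUTPUT -p tcp --out-interface "$CLIENT_IF" --sport "$port" -j SSLH
    done
    # Marked replies are looked up in table 100, which delivers them to lo, where sslh reads them.
    run iptables -t mangle -A SSLH -j MARK --set-mark "$MARK"
    run iptables -t mangle -A SSLH -j ACCEPT
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Number of OUTPUT hooks in a generated rule set: must equal the number of backend ports,
# otherwise replies from one backend are never marked and its connections time out.
count_sport_rules() {
    printf '%s\n' "$1" | grep -c -- '--sport '
}

sslh_transparent_clean
sslh_transparent_rules
```

Run with DRY_RUN=0 as root after checking the printed rules; the exact ports and interface can be overridden through BACKEND_PORTS and CLIENT_IF.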