[sslh] Transparent proxying with two IP

Michael Yelsukov michael at yelsukov.net
Mon Mar 14 02:23:52 UTC 2016


Hi,

Your nginx works with sslh in the transparent mode because they live on the
same box.

Strictly speaking, the iptables/routing rules should be like this:


1. For the host that is running sslh:

iptables -t mangle -F
iptables -t mangle -N SSLH
# You need this to properly route packets sent by SSHD from the other host
iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH
# You need this to properly route packets sent by NGINX from the local host
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 443 --jump SSLH

iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100


2. For the external host that is running sshd:

iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT

ip rule add fwmark 0x1 lookup 100
ip route add default via <put your sslh host here> table 100

I also think that you might want to change the HTTPS port of your NGINX.
Please read https://github.com/yrutschle/sslh#transparent-proxy-support.


Very big thanks to Yves Rutschle for the wonderful piece of software!

Thanks,
Michael
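The two rule sets above are the same pattern applied to two roles (mark the reply packets, send marked packets to a dedicated routing table, and in that table either deliver locally on the sslh host or route back via the sslh host on the backend). The script below is an added example, not code from the post or from sslh itself; it generates both rule sets from one place so the mark and table number cannot drift between hosts, prints or applies them, and checks captured `ip rule show` / `ip route show table N` output for the pieces the setup depends on. The interface eth0, mark 0x1 and table 100 are assumed defaults taken from the post; the short options (`-o`, `-j`) are equivalent to the long ones used above. The sample `ip rule`/`ip route` output is constructed for the self-check.

```shell
#!/bin/sh
# Added example (not from the original post or from sslh): generate the
# mangle + policy-routing rules for both hosts, apply or dry-run them,
# and verify the kernel state afterwards.
# Assumed defaults, override via environment: interface, fwmark, table.
MARK=${MARK:-0x1}
TABLE=${TABLE:-100}
IFACE=${IFACE:-eth0}

# Rules for the host running sslh. $1: space-separated ports of services on
# this box that sslh forwards to (443 for the local nginx in the post).
# The chain is created first because the jump rules reference it.
sslh_host_rules() {
  echo "iptables -t mangle -N SSLH"
  # replies from sockets sslh opened transparently towards remote backends
  echo "iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH"
  # replies from backends on this box, matched by their source port
  for port in $1; do
    echo "iptables -t mangle -A OUTPUT -o $IFACE -p tcp --sport $port -j SSLH"
  done
  echo "iptables -t mangle -A SSLH -j MARK --set-mark $MARK"
  echo "iptables -t mangle -A SSLH -j ACCEPT"
  echo "ip rule add fwmark $MARK lookup $TABLE"
  # marked packets are delivered locally so sslh's transparent socket sees them
  echo "ip route add local 0.0.0.0/0 dev lo table $TABLE"
}

# Rules for a remote backend host (the sshd box in the post).
# $1: IP of the sslh host, $2: space-separated service ports.
# Replies must go back through sslh, not straight to the client.
backend_host_rules() {
  gw=$1
  echo "iptables -t mangle -N SSLH"
  for port in $2; do
    echo "iptables -t mangle -A OUTPUT -o $IFACE -p tcp --sport $port -j SSLH"
  done
  echo "iptables -t mangle -A SSLH -j MARK --set-mark $MARK"
  echo "iptables -t mangle -A SSLH -j ACCEPT"
  echo "ip rule add fwmark $MARK lookup $TABLE"
  echo "ip route add default via $gw table $TABLE"
}

# Read generated commands on stdin and run them (DRY_RUN=1: just print).
# Refuses to run if the chain already exists: re-running would stack a
# second identical 'ip rule' and fail on the duplicate chain.
apply_rules() {
  if [ -z "$DRY_RUN" ] && iptables -t mangle -S SSLH >/dev/null 2>&1; then
    echo "SSLH chain already exists; flush it first" >&2
    return 1
  fi
  while IFS= read -r cmd; do
    if [ -n "$DRY_RUN" ]; then echo "$cmd"; else $cmd || return 1; fi
  done
}

# Verify captured output of 'ip rule show' ($1) and 'ip route show table
# $TABLE' ($2): the fwmark rule must exist and the table must hold either
# the local catch-all (sslh host) or the default via sslh (backend host).
routing_ok() {
  printf '%s\n' "$1" | grep -q "fwmark $MARK lookup $TABLE" || return 1
  printf '%s\n' "$2" | grep -Eq '^(local default|default via)' || return 1
  return 0
}

# Constructed sample of what the two ip commands print on a correctly
# configured sslh host; used by self_check, not read from a real system.
SAMPLE_IP_RULE='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main'
SAMPLE_IP_ROUTE_100='local default dev lo scope host'

self_check() {
  routing_ok "$SAMPLE_IP_RULE" "$SAMPLE_IP_ROUTE_100"
}

# Usage on the sslh host:   sslh_host_rules 443 | apply_rules
# On the sshd host:         backend_host_rules <sslh host IP> 22 | apply_rules
# Preview without changes:  sslh_host_rules 443 | DRY_RUN=1 apply_rules
# Verify a live host:       routing_ok "$(ip rule show)" "$(ip route show table $TABLE)"
```

`apply_rules` needs root and the same MARK/TABLE values on both hosts; `routing_ok` only checks that the mark and table exist, it does not prove that replies actually traverse sslh, so finish with a real SSH connection and confirm sshd logs the client's address rather than the sslh host's.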