[sslh] Making Transparent Proxy work without iptables

Sean Warner plica2006 at gmail.com
Mon Apr 23 00:49:29 UTC 2018


Hello Yves,

I am new to the sslh program, which is really great; thank you for making it
and continuing to improve and support it.

I spent quite a while trying to get Transparent Proxy working and found the
iptables stuff very hard to follow, and from googling around everyone seems
to have a slightly different set up.

I stumbled upon this Wiki page that achieves Transparent Proxy with sslh
without using iptables at all. It just uses 127.0.0.2 instead of localhost, then
sets the ip rules and route.

https://wiki.techunit.org/SSLH

In /etc/default/sslh:

DAEMON_OPTS="--user root -n --transparent --listen <server public IP>:443
--ssh 127.0.0.2:22 --ssl 127.0.0.2:8443 --pidfile /var/run/sslh/sslh.pid"

Run these commands (they will disappear if you reboot, so add them to
/etc/rc.local):

ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
ip rule add from 127.0.0.2/32 table 100
ip route flush cache

Restart sslh.

Does this seem like a good way to do it? Would there be any problem with
using a loopback (127.0.0.2) address? I think only 127.0.0.1 (localhost) is
important not to use?

Flex

Note:

This technique was also mentioned in a comment at the end of this article:

https://blog.cpy.re/faire-cohabiter-openvpn-et-https-sur-le-port-443-en-ipv4-et-ipv6/

If there were concerns about using a loopback address (127.0.0.2) in this
way, then perhaps it would be possible to add an IP address of your choosing
to the eth0 interface, as was suggested in this post:
http://rutschle.net/pipermail/sslh/2014-September/000547.html and in another
comment in the article at the same URL above. You could be sure this IP
address will never be used by anything else.

By the way, with this method, since sslh is on a different IP address that
it uses to communicate with the web server, I can make sslh listen on e.g.
port 4433 and my web server on ports 444 and 443. Then I can turn sslh on or off
in my network by shutting it down and switching the port forwarding in
my router (443 <--> 4433 or 443 <--> 443). Lastly, with this set up any
traffic on my LAN to my web server does not have to go through sslh.
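
The four `ip` commands in the post are not idempotent: `ip rule add` appends a duplicate rule every time it runs, and `ip route add` fails with "File exists" on a re-run, so an rc.local or service-restart script that blindly re-issues them accumulates policy-routing rules over time. The script below is an added example (it is not from the post, the techunit wiki or the sslh project) that queries the kernel's current rules and routes and only issues what is missing. It assumes the same values the post uses (fwmark 0x1, routing table 100, backend address 127.0.0.2); the script name `sslh-routing.sh` and the sample `ip rule show` / `ip route show` outputs embedded for offline testing are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post or from sslh itself: an idempotent
# version of the policy-routing setup for sslh --transparent. `ip rule add`
# appends a duplicate each time it runs and `ip route add` errors on a re-run,
# so this script asks the kernel what is already there and issues only the
# missing commands. Values mirror the post: fwmark 0x1, table 100, 127.0.0.2.

SSLH_BACKEND="127.0.0.2"
MARK="0x1"
TABLE="100"

# Print the commands still needed, one per line, given the text of
# `ip rule show` ($1) and `ip route show table $TABLE` ($2).
# Output is empty when the setup is already complete.
missing_commands() {
    rules="$1"
    routes="$2"
    # iproute2 prints e.g. "32765:  from all fwmark 0x1 lookup 100"; newer
    # versions may render the mark as "0x1/0xffffffff".
    printf '%s\n' "$rules" \
        | grep -Eq "fwmark ${MARK}(/0x[0-9a-f]+)? lookup ${TABLE}\$" \
        || echo "ip rule add fwmark ${MARK} lookup ${TABLE}"
    # The local route in table 100 shows up as "local default dev lo scope host".
    printf '%s\n' "$routes" \
        | grep -Eq "^local (default|0\.0\.0\.0/0) dev lo" \
        || echo "ip route add local 0.0.0.0/0 dev lo table ${TABLE}"
    # A /32 source rule is printed without its prefix length.
    printf '%s\n' "$rules" \
        | grep -Eq "from ${SSLH_BACKEND}(/32)? lookup ${TABLE}\$" \
        || echo "ip rule add from ${SSLH_BACKEND}/32 table ${TABLE}"
}

# Query the live system and apply only the missing pieces. Without root the
# commands are printed instead of executed, which doubles as a dry run.
apply_setup() {
    cmds=$(missing_commands "$(ip rule show)" "$(ip route show table "$TABLE")")
    if [ -z "$cmds" ]; then
        echo "policy routing for sslh already in place"
        return 0
    fi
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        if [ "$(id -u)" -eq 0 ]; then
            echo "+ $cmd"
            sh -c "$cmd"
        else
            echo "would run: $cmd"
        fi
    done
    # Flushing the route cache is harmless to repeat.
    [ "$(id -u)" -eq 0 ] && ip route flush cache
    return 0
}

# Constructed sample output (not captured from a real host): the fwmark rule
# exists, but the source rule and the table-100 route do not.
SAMPLE_RULES_PARTIAL='0:	from all lookup local
32765:	from all fwmark 0x1 lookup 100
32766:	from all lookup main
32767:	from all lookup default'
SAMPLE_ROUTES_PARTIAL=''

# Constructed sample of a fully configured host.
SAMPLE_RULES_DONE='0:	from all lookup local
32764:	from 127.0.0.2 lookup 100
32765:	from all fwmark 0x1 lookup 100
32766:	from all lookup main
32767:	from all lookup default'
SAMPLE_ROUTES_DONE='local default dev lo scope host'

case "${1-}" in
    apply) apply_setup ;;
    *) echo "dry run against constructed sample state:"
       missing_commands "$SAMPLE_RULES_PARTIAL" "$SAMPLE_ROUTES_PARTIAL" ;;
esac
```

Run it as `sh sslh-routing.sh apply` from rc.local (or a systemd unit) to converge the live system; with no argument it only shows what it would issue against the constructed sample state. After applying, `ip rule show` should list exactly one fwmark rule and one `from 127.0.0.2` rule pointing at table 100, however many times the script has run.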
