[sslh] Making Transparent Proxy work without iptables

Sean Warner plica2006 at gmail.com
Mon Apr 23 14:50:37 UTC 2018


Hello,

Just in case anyone is interested, especially those, like me, not very
experienced with Linux: here is my setup that got transparent proxy support
working without using the iptables firewall. Instead it just uses the Linux
kernel IP routing table.

Commands to set up (and remove) the route and rules are added to the sslh
systemd service so they are created when sslh starts and removed when sslh
stops. Any feedback about whether it is safe or wise to do it this way would be
much appreciated! I use a Raspberry Pi running Raspbian, which is like Debian
Stretch. sslh, apache2 and sshd are all running on the same Pi, which is
connected by Ethernet cable to my router.

Update the systemd sslh.service file:

# systemctl stop sslh
# nano /lib/systemd/system/sslh.service

[Unit]
Description=SSL/SSH multiplexer
After=network.target
Documentation=man:sslh(8)

[Service]
ExecStart=/usr/local/sbin/sslh -F /etc/sslh/sslh.cfg
KillMode=process

# Set routing rules/route automatically on sslh service start
PermissionsStartOnly=true

# Add the ip rules and route to enable Transparent Proxy
ExecStartPre=/sbin/ip rule add fwmark 0x1 lookup 100
ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 100
ExecStartPre=/sbin/ip rule add from 127.0.0.2/32 table 100
ExecStartPre=/sbin/ip route flush cache

# Remove the ip rules and route again when sslh stops
ExecStopPost=/sbin/ip rule del fwmark 0x1 lookup 100
ExecStopPost=/sbin/ip route del local 0.0.0.0/0 dev lo table 100
ExecStopPost=/sbin/ip rule del from 127.0.0.2/32 table 100
ExecStopPost=/sbin/ip route flush cache

[Install]
WantedBy=multi-user.target

Update the sslh configuration file:

# nano /etc/sslh/sslh.cfg

verbose: false;
foreground: true;
inetd: false;
numeric: true;
transparent: true;
timeout: 2;
user: "sslh";
pidfile: "/var/run/sslh.pid";
chroot: "/var/empty";

# Change hostname with your external address name.
listen:
(
    { host: "192.168.1.124"; port: "4433"; }
);

# this solution was recommended from: wiki.techunit.org/SSLH
protocols:
(
    { name: "ssh"; service: "ssh"; host: "127.0.0.2"; port: "1022"; log_level: 1; },
    { name: "ssl"; host: "127.0.0.2"; port: "444"; log_level: 1; }
);

In my setup sslh is installed on a machine with IP 192.168.1.124 and listens
on port 4433. I set up port forwarding on my router from external port 443
to internal port 4433. sslh sends de-multiplexed traffic to the web server
on port 444 and the ssh server on port 1021, addressing them as though they are
on IP address 127.0.0.2. I don't know if this is a good strategy or if
something might break this solution.

I added port 1022 to the sshd config (/etc/ssh/sshd_config), and in apache2 I
updated ports.conf like this:

/etc/apache2/ports.conf

Replace:

Listen 80

<IfModule ssl_module>
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>

With:

Listen 80

<IfModule ssl_module>
Listen 443
Listen 127.0.0.2:444
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
Listen 127.0.0.2:444
</IfModule>

I also duplicated the VirtualHost definitions for my website: one starts
with <VirtualHost 127.0.0.2:444> and the other with <VirtualHost
_default_:443>. This makes apache2 listen on ports 444 and 443. With sslh
running, web traffic goes to Apache on port 444, but if I want to turn off
sslh for some reason then I only have to switch the port forwarding in my
router.

I am using a binary that I compiled from source and enabled USELIBCAP, so
sslh runs as the unprivileged user sslh but magically gives itself the
cap_net_admin capability for transparent proxy support. That's another thing
I don't really understand, but at least it works!

Flex
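The setup in the message above depends on two things that are easy to lose after a reboot or a config change: the policy routing that delivers the backends' replies back to sslh over loopback (the two ip rules plus the local route in table 100), and the backends (apache2 on 444, sshd on 1022) being bound only to 127.0.0.2 so they cannot be reached from the LAN without going through sslh. The POSIX shell script below is an added example, not code from the post or from the sslh project; it checks both conditions from captured command output. The SAMPLE_* strings are constructed to mirror the setup above and contain one deliberate mistake (sshd bound to 0.0.0.0:1022); the output formats assumed are those of iproute2's `ip rule show` and `ip route show table 100` and of `ss -Hlnt` (no header line), and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: two offline checks for the
# transparent-proxy setup described in the message. On the Pi the inputs
# would come from:  ip rule show;  ip route show table 100;  ss -Hlnt
# The three SAMPLE_* strings are constructed to mirror that setup, with one
# deliberate misconfiguration: sshd bound to 0.0.0.0:1022, not 127.0.0.2:1022.

SAMPLE_RULES='0:	from all lookup local
32764:	from 127.0.0.2 lookup 100
32765:	from all fwmark 0x1 lookup 100
32766:	from all lookup main
32767:	from all lookup default'

SAMPLE_TABLE100='local default dev lo scope host'

SAMPLE_LISTENERS='LISTEN 0 128 192.168.1.124:4433 0.0.0.0:*
LISTEN 0 128 127.0.0.2:444 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1022 0.0.0.0:*
LISTEN 0 511 *:443 *:*'

# Return 0 only when all three pieces the unit file installs are present:
# the fwmark rule, the "from 127.0.0.2" rule, and the local route in table
# 100 that sends the backends' replies back over lo instead of out to the LAN.
check_transparent_routing() {
    rules=$1
    table=$2
    printf '%s\n' "$rules" | grep -q 'from 127.0.0.2 lookup 100' || return 1
    printf '%s\n' "$rules" | grep -q 'fwmark 0x1 lookup 100' || return 1
    printf '%s\n' "$table" | grep -q '^local default dev lo' || return 1
    return 0
}

# Print each listener on the given backend ports whose bind address is not
# 127.0.0.2 (such a listener is reachable without passing through sslh).
# Return 1 if any such listener exists, 0 otherwise.
exposed_backends() {
    listeners=$1
    shift
    found=0
    for port in "$@"; do
        # $4 of ss output is "addr:port"; the port is the last ":" field
        hits=$(printf '%s\n' "$listeners" | awk -v p="$port" '
            { n = split($4, a, ":"); want = "127.0.0.2:" p
              if (a[n] == p && $4 != want) print $4 }')
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return $found
}

# Stand-alone run against the constructed samples.
if check_transparent_routing "$SAMPLE_RULES" "$SAMPLE_TABLE100"; then
    echo "routing: ok"
else
    echo "routing: missing rule or table 100 route"
fi
if exposed_backends "$SAMPLE_LISTENERS" 444 1022; then
    echo "backends: ok"
else
    echo "backends: the listeners above are reachable without sslh"
fi
```

On the Pi itself the same functions would be called with live output, for example `check_transparent_routing "$(ip rule show)" "$(ip route show table 100)"` and `exposed_backends "$(ss -Hlnt)" 444 1022`; the 4433 listener on the LAN address and Apache's own 443 listener are expected and are deliberately not among the ports checked.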
