[sslh] Better --transparent way on Linux

Michael Yelsukov michael at yelsukov.net
Wed Oct 30 16:17:10 UTC 2019


I see two problems with the proposed solution.

1. The rule that routes _all_ packets originated at 127.0.0.1 to the
loopback device may create unpredictable side effects. That's why
iptables configuration also considers the port, so only very specific
traffic will be routed locally.
2. This solution works only when sslh and the target server (e.g. HTTP
server) are running on the same box. If you want to create a
transparent proxy to a server that runs on a different box, you would
have to use the "standard" solution.

For the most typical setups, these problems can be ignored though :)

Thanks,
Michael

On Wed, Oct 30, 2019 at 9:13 AM Michael Yelsukov <michael at yelsukov.net> wrote:
>
> On Wed, Oct 30, 2019 at 5:00 AM <sslh-request at rutschle.net> wrote:
> >
> > Today's Topics:
> >
> >    1. Re: Better --transparent way on Linux (cel at celehner.com)
> >
> >
> >
> > ---------- Forwarded message ----------
> > From: cel at celehner.com
> > To: sslh at rutschle.net
> > Date: Tue, 29 Oct 2019 13:32:38 -1000
> > Subject: Re: [sslh] Better --transparent way on Linux
> > Hi,
> >
> > Nice, I confirm it works. Likewise with the IPv6 version:
> >
> >     ip -6 rule add from ::1 lookup 100
> >     ip -6 route add local ::/0 dev lo table 100
> >
> > But I'm not sure what you mean about binding the real service to localhost:443. If I do that with nginx, while sslh is listening on 0.0.0.0:443, I get Address already in use. So instead I have nginx listen on 4430.
> >
> > Regards,
> > Charles
> >
> > On Mon, 14 Oct 2019 08:50:53 +0300
> > Shachar Shemesh <shachar at shemesh.biz> wrote:
> >
> > > Hi everyone,
> > >
> > > After spending way too much time on this, I found a better way to make --transparent work on Linux. No changing kernel parameters and then trying to undo the effect through iptables. In fact, no iptables rules at all (not even mangle rules). Even better, it is possible to bind the real service to localhost:443.
> > >
> > > All you need is to add the following two lines:
> > >
> > > ip rule add from 127.0.0.1 lookup 100
> > > ip route add local 0.0.0.0/0 dev lo table 100
> > >
> > > What they do is tell the routing table that any packet coming from 127.0.0.1 should be routed to the loopback device. Presto: --transparent is working.
> > >
> > > Hope this helps.
> > >
> > > Shachar
> > _______________________________________________
> > sslh mailing list
> > sslh at rutschle.net
> > http://rutschle.net/cgi-bin/mailman/listinfo/sslh
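A small shell wrapper around the two lines from the thread, added here as an example; it is not code from the sslh project or from anyone in this discussion. It keeps table number 100 and the loopback addresses 127.0.0.1 / ::1 exactly as posted (Shachar's IPv4 lines and Charles's IPv6 variant); the function names, the dry-run listing, the idempotency check and the assumed output format of "ip rule show" / "ip route show table 100" are this example's own assumptions. The comments also make Michael's first point visible: the rule matches every packet sourced from the loopback address, with no port qualifier, which is what lets it replace the port-specific iptables mangle rules.

```shell
#!/bin/sh
# Added example (not sslh project code): wraps the two-line policy-routing
# setup posted in the thread, with a dry-run listing, an idempotent apply step
# and a verification step. Table 100 and the loopback addresses are as posted;
# function names and the expected "ip ... show" output format are assumptions.

TABLE=100

# Map "-4" / "-6" to the ip(8) invocation and the addresses used for that family.
# Sets ipcmd, src and any in the caller's shell.
_sslh_family() {
    case "$1" in
        -4) ipcmd="ip";    src="127.0.0.1"; any="0.0.0.0/0" ;;
        -6) ipcmd="ip -6"; src="::1";       any="::/0" ;;
        *)  echo "usage: $0 -4|-6" >&2; return 1 ;;
    esac
}

# Print, but do not run, the two commands for one family (dry run; no root needed).
sslh_transparent_cmds() {
    _sslh_family "$1" || return 1
    # Policy rule: every packet sourced from the loopback address is looked up
    # in table 100 instead of the main table. There is no port qualifier, so it
    # catches the backend's replies to the client's real address (the source
    # sslh spoofed) and anything else a 127.0.0.1-bound program sends.
    echo "$ipcmd rule add from $src lookup $TABLE"
    # Table 100 holds one entry: every destination is a local route on lo, so
    # those replies are delivered to sslh's transparent socket rather than
    # leaving through the default interface.
    echo "$ipcmd route add local $any dev lo table $TABLE"
}

# Check whether the rule and route are already present.
# $1: output of "ip [-6] rule show"; $2: output of "ip [-6] route show table 100";
# $3: family. Takes the text as arguments so it can be exercised without root.
# Assumes iproute2 prints the rule as "from 127.0.0.1 lookup 100" and the
# route as "local default dev lo ..." (0.0.0.0/0 and ::/0 are shown as "default").
sslh_transparent_check() {
    _sslh_family "$3" || return 2
    printf '%s\n' "$1" | grep -q "from $src lookup $TABLE" || return 1
    printf '%s\n' "$2" | grep -q "^local default dev lo" || return 1
}

# Apply for one family. "ip rule add" is not idempotent (each call appends a
# duplicate rule), so the current state is checked first. Needs root.
sslh_transparent_apply() {
    _sslh_family "$1" || return 1
    if sslh_transparent_check "$($ipcmd rule show)" "$($ipcmd route show table $TABLE)" "$1"; then
        echo "already configured ($1)"
        return 0
    fi
    sslh_transparent_cmds "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

# Usage: "sh sslh-transparent.sh apply" configures both families (as root);
# any other invocation just prints what would be run.
case "${1:-}" in
    apply) sslh_transparent_apply -4 && sslh_transparent_apply -6 ;;
    *)     sslh_transparent_cmds -4; sslh_transparent_cmds -6 ;;
esac
```

As Michael notes, this only covers the case where sslh and the backend share the box and the backend is bound to the loopback address: the "from 127.0.0.1" rule does nothing for replies that originate on another host, and for that layout the mark-based iptables method is still required.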


