[sslh] Better --transparent way on Linux

Michael Yelsukov michael at yelsukov.net
Thu Oct 31 15:43:21 UTC 2019


        I see two problems with the proposed solution.

        1. The rule that routes _all_ packets originated at 127.0.0.1 to the
           loopback device may create unpredictable side effects. That's why
           iptables configuration also considers the port, so only very specific
           traffic will be routed locally.

    Not really. All the traffic under that category would otherwise be
    dropped by the Martian traffic filter, so we can't possibly be dropping
    something the user relies on.

I am talking about intra-box network communications, not about packets
coming from/going to the public internet so mentioning Martian packets
does not make any sense in this context. My logic is very simple: By
default, there's no rule that routes all packets originated at
127.0.0.1 to the loopback device. If we add this rule then we _may_
break something that doesn't expect this rule to exist. I understand
that the chances of breaking something are slim, but they do exist.

        2. This solution works only when sslh and the target server (e.g. HTTP
           server) are running on the same box.

    This solution is only needed in that case. If they are not on the
    same server, regular routing, no Martian config and no iptables,
    is needed.

This is not true. If you want sslh to act as a transparent proxy for a
server that runs on a different box, then you need to adjust routing
rules on that box. For example, if an HTTP server got a packet from
public address x.x.x.x which actually was sent by sslh (y.y.y.y) in
the transparent proxy mode then the HTTP server should reply to sslh
(y.y.y.y), not to that public address (x.x.x.x).


Thanks,
Michael
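The routing adjustment described above for a backend on a separate box, written out as an added example; this is not code from the thread or from the sslh project. It assumes the backend's replies can be identified by their source port (80 for the HTTP server), that the sslh host is reachable as a next hop from the backend, and that packet mark 0x1 and routing table 100 are unused; the placeholder address 192.0.2.10 stands in for y.y.y.y.

```shell
#!/bin/sh
# Added example (not from the sslh list or the sslh project): policy routing on
# the *backend* box so that replies to connections sslh forwarded in
# --transparent mode go back through the sslh host, not straight to the client.
# Assumptions (placeholders, not values from the thread):
#   svc_port  - port the local service listens on (80 for the HTTP server)
#   sslh_host - address of the box running sslh in --transparent mode (y.y.y.y)
#   fwmark    - an unused packet mark (default 0x1)
#   rt_table  - an unused routing table number (default 100)
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Locally generated packets with source port svc_port (the service's replies)
# are marked in the mangle OUTPUT chain; a policy rule sends marked packets to
# a table whose only route is a default via the sslh host. Unmarked traffic
# keeps using the main table, so ordinary connections are unaffected.
backend_reply_routing() {
    svc_port=$1
    sslh_host=$2
    fwmark=${3:-0x1}
    rt_table=${4:-100}

    run iptables -t mangle -A OUTPUT -p tcp --sport "$svc_port" -j MARK --set-mark "$fwmark"
    run ip rule add fwmark "$fwmark" lookup "$rt_table"
    run ip route add default via "$sslh_host" table "$rt_table"
    # Caveat (deployment assumption): the sslh host must itself route the
    # returned packets to its local sslh socket (the mark/local-route setup
    # discussed in the thread); this script only handles the backend side.
}

# Remove the same rules again, for rollback.
backend_reply_routing_undo() {
    svc_port=$1
    sslh_host=$2
    fwmark=${3:-0x1}
    rt_table=${4:-100}

    run ip route del default via "$sslh_host" table "$rt_table"
    run ip rule del fwmark "$fwmark" lookup "$rt_table"
    run iptables -t mangle -D OUTPUT -p tcp --sport "$svc_port" -j MARK --set-mark "$fwmark"
}

# Usage: sh backend-routing.sh apply 80 192.0.2.10   (or "undo" with the same args)
case "${1:-}" in
    apply) backend_reply_routing "$2" "$3" "$4" "$5" ;;
    undo)  backend_reply_routing_undo "$2" "$3" "$4" "$5" ;;
esac
```

Run it with `DRY_RUN=1` first to review the exact commands for your addresses before applying them as root; marking by source port only works when the service port is dedicated to proxied traffic, otherwise a narrower match (for example on the destination address range) is needed.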