On Thursday, 6 September 2018, 21:02:05 CEST, Tom Eastep wrote:
>
> Hi Thomas,
>
> Yes, the feature is in 5.2.1 RC 1. It is described in New Features #3,
> #4 and #5 in the release notes.
>
> Assuming that you haven't changed the firewall mark geometry (*_BITS and
> *_OFFSET in shorewall.conf), changes are:
>
> shorewall.conf:
>
> TC_EXPERT=Yes
>
> providers:
>
> NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS  COPY
> proxy  1       -     -          lo         -        tproxy
>
> mangle:
>
> #ACTION                                             SOURCE        DEST
> DROP:T                                              127.0.0.0/8   !lo
> RESTORE(0x200):NO {USER=sslh, TEST=0x200/0x200:C}   /
> ;;+ -p tcp --tcp-flags FIN,SYN,RST,ACK SYN
>
> Please let me know how it worked...
>
> -Tom
>
Hi Tom!

Finally I tried to implement transparent proxying, but the recommended configuration does not work for me. I tried the following changes in my shorewall configuration:

shorewall.conf

### sslh transparent proxy
TC_EXPERT=yes

conntrack - this was not recommended by you, but it creates the rule which is recommended in the sslh README.md. But not adding this line to my configuration also doesn't make it work.

#ACTION SOURCE DEST

providers - I changed the name and the number to 9 as I already have 1 and 2 in use for load balancing with 2 providers

#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
### sslh transparent proxy

mangle

#ACTION SOURCE DEST PROTO
### sslh transparent proxy

These changes result in the following rules:

# Generated by iptables-save v1.6.1 on Thu May 9 20:32:52 2019
*mangle
*raw
127.0.0.0/8 ! -i lo -j DROP

Routing Rule:
0: from all lookup local

Route: Table SSLH:

However, when I leave my shorewall configuration as it was before and apply the iptables rules and routing changes as suggested in https://github.com/yrutschle/sslh#transparent-proxy-support after shorewall is up and running, everything works as expected.

I assume that this mangle

RESTORE(0x200):NO {USER=sslh, TEST=0x200/0x200:C} ;;+ -p tcp --tcp-flags FIN,SYN,RST,ACK SYN

does not make up for these two rules

# Mark all connections made by ssl for special treatment (here sslh is run as user "sslh")
iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f

# Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark)
iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f

# shorewall version

If there is more information about my configuration needed, please let me know.

Cheers
Norbert
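The two iptables rules quoted from the sslh README rely on CONNMARK's set-xmark and restore-mark arithmetic plus a fwmark policy-routing rule. The following is an added example written for this thread, not code from sslh or Shorewall: a small Python model of that arithmetic (as documented for the CONNMARK target), parameterised by mark value and mask so the README geometry (0x01/0x0f) and the 0x200/0x200 geometry from Tom's reply can be compared. The user name "sslh", the interface "eth0" and the table name "SSLH" are taken from the messages above; the preset-connmark case is a constructed scenario.

```python
# Added example (not sslh or Shorewall code): a pure-Python model of the
# netfilter CONNMARK arithmetic used by the two sslh README rules quoted
# above, parameterised by mark value/mask so the README geometry
# (0x01/0x0f) and the Shorewall one from Tom's reply (0x200/0x200) can be
# compared side by side. Table name "SSLH" is taken from Norbert's output.

PROXY_USER = "sslh"   # the uid sslh runs as, matched by -m owner --uid-owner


def connmark_set_xmark(ctmark, value, mask):
    """-j CONNMARK --set-xmark value/mask:
    zero the bits covered by mask, then XOR value into the connmark."""
    return (ctmark & ~mask) ^ value


def connmark_restore_mark(nfmark, ctmark, mask):
    """-j CONNMARK --restore-mark --mask mask:
    nfmark = (nfmark & ~mask) ^ (ctmark & mask)."""
    return (nfmark & ~mask) ^ (ctmark & mask)


def only_syn(flags):
    """--tcp-flags FIN,SYN,RST,ACK SYN: of the four examined flags, only SYN is set."""
    return {f for f in flags if f in ("FIN", "SYN", "RST", "ACK")} == {"SYN"}


class Conn:
    """Minimal stand-in for a conntrack entry: just its connection mark."""
    def __init__(self, ctmark=0):
        self.ctmark = ctmark


def route_locally_generated(pkt, conn, value, mask):
    """Run one locally generated packet (dict: uid, proto, flags, oif) through
    the README's nat OUTPUT and mangle OUTPUT rules and the fwmark policy
    rule; return the routing table that would be consulted."""
    nfmark = 0
    # Rule 1, nat OUTPUT: connections opened by the proxy user get a connmark.
    if pkt["proto"] == "tcp" and pkt["uid"] == PROXY_USER and only_syn(pkt["flags"]):
        conn.ctmark = connmark_set_xmark(conn.ctmark, value, mask)
    # Rule 2, mangle OUTPUT: tcp packets not leaving via lo on a marked
    # connection get the connmark copied into the packet mark.
    if pkt["proto"] == "tcp" and pkt["oif"] != "lo" and (conn.ctmark & mask) == value:
        nfmark = connmark_restore_mark(nfmark, conn.ctmark, mask)
    # ip rule add fwmark value/mask lookup SSLH; table SSLH sends everything to lo.
    return "SSLH" if (nfmark & mask) == value else "main"


def simulate_connection(uid, oif, value, mask, preset_ctmark=0):
    """Open a connection (SYN, then a data packet) as `uid` leaving via `oif`;
    return the tables chosen for the two packets and the final connmark.
    preset_ctmark lets a mark already stored by another rule be present."""
    conn = Conn(preset_ctmark)
    syn = {"uid": uid, "proto": "tcp", "flags": {"SYN"}, "oif": oif}
    data = {"uid": uid, "proto": "tcp", "flags": {"ACK", "PSH"}, "oif": oif}
    tables = [route_locally_generated(p, conn, value, mask) for p in (syn, data)]
    return tables, conn.ctmark


if __name__ == "__main__":
    for label, value, mask in (("README 0x01/0x0f", 0x01, 0x0f),
                               ("Shorewall 0x200/0x200", 0x200, 0x200)):
        print(label)
        print("  sslh via eth0    :", simulate_connection("sslh", "eth0", value, mask))
        print("  other user       :", simulate_connection("www-data", "eth0", value, mask))
        print("  sslh via lo      :", simulate_connection("sslh", "lo", value, mask))
        # Constructed case: connmark bit 0x2 already set before sslh's rule runs.
        print("  preset ctmark 0x2:", simulate_connection("sslh", "eth0", value, mask, 0x2))
```

Both geometries send the proxy user's outbound connection, SYN and later data packets alike, to table SSLH, while other users' traffic and anything already leaving via lo stay on the main table. The constructed preset case shows the practical difference between the two masks: with 0x200/0x200 a mark already held in the low bits survives (0x2 becomes 0x202), whereas set-xmark with mask 0x0f overwrites those low bits, which is why the mask chosen for sslh has to be kept clear of any bits that other marking rules on the same host use.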
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users