From 08a64e99b487c9f39548cf3f94f57c8d22d740dd Mon Sep 17 00:00:00 2001 From: FlexMcMurphy <32464325+FlexMcMurphy@users.noreply.github.com> Date: Sun, 30 Jun 2019 12:28:53 +0100 Subject: [PATCH] Update tproxy.md Minor formatting changes. Could also update tproxy.jpg to the svg version. --- doc/tproxy.md | 75 +++++++++++++++++++++++++-------------------------- 1 file changed, 36 insertions(+), 39 deletions(-) diff --git a/doc/tproxy.md b/doc/tproxy.md index 4342e00..f11192c 100644 --- a/doc/tproxy.md +++ b/doc/tproxy.md @@ -2,22 +2,21 @@ ============================== Tutorial by Sean Warner. 19 June 2019 20:35 -  + Aim --- -* Here is my guide… the solution here only works for my very specific use-case but hopefully others can adapt it to suits their needs. -* Show that SSLH can transparently proxy requests from the internet to services on two separate hosts that are both on the same LAN. +* Show that `sslh` can transparently proxy requests from the internet to services on two separate hosts that are both on the same LAN. * The IP address of the client initiating the request is what the destination should see… and not the IP address of the host that `sslh` is running on, which is what happens when `sslh` is not running in transparent mode. -  +* The solution here only works for my very specific use-case but hopefully others can adapt it to suits their needs. + Overview of my Network ---------------------- Two Raspberry Pis on my home LAN: * Pi A: 192.168.1.124 – `sslh` (Port 4433), Apache2 web server for https (port 443), `stunnel` (port 4480) to decrypt ssh traffic and forward to SSH server (also on Pi A at Port 1022) * Pi B: 192.168.1.123 - HTTP server (port 8000), SSH server (port 1022 on PiB). -  -I send traffic from the internet to my router's external port 443 then use a port forward rule in my router to map that to internal port 4433 where sslh is listening. +* I send traffic from the internet to my router's external port 443 then use a port forward rule in my router to map that to internal port 4433 where sslh is listening. ![Architecture](tproxy.jpg) @@ -34,15 +33,15 @@ I compiled sslh from sources giving the binary pretty much all possible options VERSION=$(shell ./genver.sh -r) ENABLE_REGEX=1         # Enable regex probes USELIBCONFIG=1         # Use libconfig? (necessary to use configuration files) -USELIBPCRE=1         # Use libpcre? (needed for regex on musl) -USELIBWRAP=1         # Use libwrap? -USELIBCAP=1         # Use libcap? -USESYSTEMD=1         # Make use of systemd socket activation -COV_TEST=         # Perform test coverage? +USELIBPCRE=1 # Use libpcre? (needed for regex on musl) +USELIBWRAP=1         # Use libwrap? +USELIBCAP=1         # Use libcap? +USESYSTEMD=1         # Make use of systemd socket activation +COV_TEST=         # Perform test coverage? PREFIX=/usr/local BINDIR=$(PREFIX)/sbin MANDIR=$(PREFIX)/share/man/man8 -MAN=sslh.8.gz         # man page name +MAN=sslh.8.gz         # man page name # End of configuration -- the rest should take care of # itself @@ -152,33 +151,33 @@ connect = 192.168.1.124:1022 TIMEOUTclose = 0 ```   -Configure iptables for piA +Configure iptables for Pi A -------------------------- The `_add.sh` script creates the rules, the `_rm.sh` script removes the rules. They will be lost if you reboot but there are ways to make them load again on start-up.. ``` -# nano /usr/local/sbin/[filename.sh] +# nano /usr/local/sbin/piA_tproxy_add.sh ``` - -`piA_tproxy_add.sh`: ``` piA_tproxy_add.sh -iptables -w -t mangle -N SSLH -iptables -w -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH -iptables -w -t mangle -A OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 443,4480 --jump SSLH -iptables -w -t mangle -A SSLH --jump MARK --set-mark 0x1 -iptables -w -t mangle -A SSLH --jump ACCEPT +iptables -t mangle -N SSLH +iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH +iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 443,4480 --jump SSLH +iptables -t mangle -A SSLH --jump MARK --set-mark 0x1 +iptables -t mangle -A SSLH --jump ACCEPT ip rule add fwmark 0x1 lookup 100 ip route add local 0.0.0.0/0 dev lo table 100 ``` -`piA_tproxy_rm.sh`: +``` +# nano /usr/local/sbin/piA_tproxy_rm.sh +``` ``` piA_tproxy_rm.sh -iptables -w -t mangle -D PREROUTING -p tcp -m socket --transparent -j SSLH -iptables -w -t mangle -D OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 443,4480 --jump SSLH -iptables -w -t mangle -D SSLH --jump MARK --set-mark 0x1 -iptables -w -t mangle -D SSLH --jump ACCEPT -iptables -w -t mangle -X SSLH +iptables -t mangle -D PREROUTING -p tcp -m socket --transparent -j SSLH +iptables -t mangle -D OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 443,4480 --jump SSLH +iptables -t mangle -D SSLH --jump MARK --set-mark 0x1 +iptables -t mangle -D SSLH --jump ACCEPT +iptables -t mangle -X SSLH ip rule del fwmark 0x1 lookup 100 ip route del local 0.0.0.0/0 dev lo table 100 ``` @@ -195,15 +194,13 @@ Now run the "add" script on Pi A! # piA_tproxy_rm.sh ``` -Configure iptables for piB +Configure iptables for Pi B -------------------------- ``` -# nano /usr/local/sbin/[filename.sh] -``` - -piB_tproxy_add.sh +# nano /usr/local/sbin/piB_tproxy_add.sh ``` +``` piB_tproxy_add.sh iptables -t mangle -N SSLHSSL iptables -t mangle -A OUTPUT -o eth0 -p tcp -m multiport --sport 1022,8000 -j SSLHSSL iptables -t mangle -A SSLHSSL --jump MARK --set-mark 0x1 @@ -213,7 +210,9 @@ ip route add default via 192.168.1.124 table 100 ip route flush cache ``` -piB_tproxy_add.sh +``` +# nano /usr/local/sbin/piB_tproxy_rm.sh +``` ``` iptables -t mangle -D OUTPUT -o eth0 -p tcp -m multiport --sport 1022,8000 -j SSLHSSL iptables -t mangle -D SSLHSSL --jump MARK --set-mark 0x1 @@ -238,7 +237,6 @@ Now run the "add" script on Pi B!   Testing ------- -  * Getting to sshd on PiA I did this test using 4G from my phone (outside the LAN) @@ -251,25 +249,24 @@ I execute this command from a terminal window.. ``` # proxytunnel -v -e -C root.pem -p 78.141.192.198:8080 -d ssh.example.com:443 ``` -  * Getting to sshd on PiB I did this test using 4G from my phone (outside the LAN) My smartphone telecom provider blocks ssh over port 443 so I need to use `proxytunnel` to encrypt. + Use the Proxytunnel `-X` switch to encrypt from local proxy to destination only so by the time we get to the destination it is unencrypted and `sslh` will see the ssh protocol and demultiplex to PiB as per `sslh.cfg`. ``` # proxytunnel -v -X -C root.pem -p 78.141.192.198:8080 -d ssh.example.com:443 ``` -  + Now when you test it all look at the output in daemon.log like this: ``` # grep -i 'ssl' /var/log/daemon.log ``` -  You should see that the IP address and port from the “connection from” and “forwarded from” fields are the same. -  + Special thanks and appreciation to Michael Yelsukov without whom I would never have got this working. -  + Any feedback or corrections very welcome!