From 09aaf39e25b1a232cd4efba987b17c64f2a5fcf5 Mon Sep 17 00:00:00 2001 From: Alexey Kopytko Date: Fri, 1 Jun 2018 15:13:50 +0900 Subject: [PATCH] Update README.md Removed redundant dollar signs since they're not used anywhere else in the README. --- README.md | 62 +++++++++++++++++++++++++++---------------------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index 517d615..8b6ee4e 100644 --- a/README.md +++ b/README.md @@ -205,11 +205,11 @@ and `CAP_NET_ADMIN` for transparent proxying (see You can use the `setcap(8)` utility to give these capabilities to the executable: - # setcap cap_net_bind_service,cap_net_admin+pe sslh-select + sudo setcap cap_net_bind_service,cap_net_admin+pe sslh-select Then you can run sslh-select as an unpriviledged user, e.g.: - $ sslh-select -p myname:443 --ssh localhost:22 --ssl localhost:443 + sslh-select -p myname:443 --ssh localhost:22 --ssl localhost:443 Caveat: `CAP_NET_ADMIN` does give sslh too many rights, e.g. configuring the interface. If you're not going to use @@ -235,46 +235,46 @@ The firewalling tables also need to be adjusted as follows. I don't think it is possible to have `httpd` and `sslh` both listen to 443 in this scheme -- let me know if you manage that: - $ # Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination - $ sysctl -w net.ipv4.conf.default.route_localnet=1 - $ sysctl -w net.ipv4.conf.all.route_localnet=1 + # Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination + sysctl -w net.ipv4.conf.default.route_localnet=1 + sysctl -w net.ipv4.conf.all.route_localnet=1 - $ # DROP martian packets as they would have been if route_localnet was zero - $ # Note: packets not leaving the server aren't affected by this, thus sslh will still work - $ iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP - $ iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP + # DROP martian packets as they would have been if route_localnet was zero + # Note: packets not leaving the server aren't affected by this, thus sslh will still work + iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP + iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP - $ # Mark all connections made by ssl for special treatment (here sslh is run as user "sslh") - $ iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f + # Mark all connections made by ssl for special treatment (here sslh is run as user "sslh") + iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f - $ # Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark) - $ iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f + # Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark) + iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f - $ # Configure routing for those marked packets - $ ip rule add fwmark 0x1 lookup 100 - $ ip route add local 0.0.0.0/0 dev lo table 100 + # Configure routing for those marked packets + ip rule add fwmark 0x1 lookup 100 + ip route add local 0.0.0.0/0 dev lo table 100 Tranparent proxying with IPv6 is similarly set up as follows: - $ # Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination - $ # Not sure if this is needed for ipv6 though - $ sysctl -w net.ipv4.conf.default.route_localnet=1 - $ sysctl -w net.ipv4.conf.all.route_localnet=1 + # Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as destination + # Not sure if this is needed for ipv6 though + sysctl -w net.ipv4.conf.default.route_localnet=1 + sysctl -w net.ipv4.conf.all.route_localnet=1 - $ # DROP martian packets as they would have been if route_localnet was zero - $ # Note: packets not leaving the server aren't affected by this, thus sslh will still work - $ ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP - $ ip6tables -t mangle -A POSTROUTING ! -o lo -s ::1/128 -j DROP + # DROP martian packets as they would have been if route_localnet was zero + # Note: packets not leaving the server aren't affected by this, thus sslh will still work + ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP + ip6tables -t mangle -A POSTROUTING ! -o lo -s ::1/128 -j DROP - $ # Mark all connections made by ssl for special treatment (here sslh is run as user "sslh") - $ ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f + # Mark all connections made by ssl for special treatment (here sslh is run as user "sslh") + ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f - $ # Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark) - $ ip6tables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f + # Outgoing packets that should go to sslh instead have to be rerouted, so mark them accordingly (copying over the connection mark) + ip6tables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f - $ # Configure routing for those marked packets - $ ip -6 rule add fwmark 0x1 lookup 100 - $ ip -6 route add local ::/0 dev lo table 100 + # Configure routing for those marked packets + ip -6 rule add fwmark 0x1 lookup 100 + ip -6 route add local ::/0 dev lo table 100 Explanation: To be able to use `localhost` as destination in your sslh config along with transparent proxying