Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Transparent proxying - how to pass socket to local server without modification?

Tags:

c

linux

proxy

sockets

I have a program that listens on port 443 and then redirects to either an SSH or HTTPS local server depending on the detected protocol.

The program does this by connecting to the local server and proxying all data back and forth through its own process.

However, this causes the originating host on the local servers to be logged as localhost.

Is there any way to pass the socket directly to the local server process (rather than just making a new TCP connection) so that the parameters of sockaddr_in (or sockaddr_in6) will be retained?

Platform for this is Linux.

like image 949
Luca Farber Avatar asked Apr 29 '10 23:04

Luca Farber

1 Answers

Here is a code snippet taken from stunnel (from client.c in the local_bind function if you want to look at all the code).

#ifdef IP_TRANSPARENT
int on=1;
if(c->opt->option.transparent) {
    if(setsockopt(c->fd, SOL_IP, IP_TRANSPARENT, &on, sizeof on))
        sockerror("setsockopt IP_TRANSPARENT");
    /* ignore the error to retain Linux 2.2 compatibility */
    /* the error will be handled by bind(), anyway */
}
#endif /* IP_TRANSPARENT */

memcpy(&addr, &c->bind_addr.addr[0], sizeof addr);
if(ntohs(addr.in.sin_port)>=1024) { /* security check */
    if(!bind(c->fd, &addr.sa, addr_len(addr))) {
        s_log(LOG_INFO, "local_bind succeeded on the original port");
        return; /* success */
    }
    if(get_last_socket_error()!=EADDRINUSE
#ifndef USE_WIN32
            || !c->opt->option.transparent
#endif /* USE_WIN32 */
            ) {
        sockerror("local_bind (original port)");
        longjmp(c->err, 1);
    }
}

Earlier, c->bind_addr was set to the address of the connecting peer with this code:

    else if(c->opt->option.transparent)
    memcpy(&c->bind_addr, &c->peer_addr, sizeof(SOCKADDR_LIST));

The stunnel documentation contains this advice for recent Linux kernels:

Remote mode (either 2.2.x and >=2.6.28) requires stunnel to be executed as root. setuid option will also break this functionality.

Linux >=2.6.28 requires the following setup for iptables and routing (possibly in /etc/rc.local or equivalent file):

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
like image 115
Zan Lynx Avatar answered Sep 30 '22 06:09

Zan Lynx
Sign in to Comment

Related questions

Weird compile error dealing with Winnt.h
How to disable interface keyword on visual C++ Express 2008?
Static vs global in terms of speed and space consumption in C
C Symmetric Stream Cipher
Is there an open source C visual debugger for windows? [closed]
snprintf Format String security vulnerability issue
How to show function prototype in Emacs?
Spell checker for comments, strings, maybe more
Why does Linux program that derefrences (char*)0 not always segfault?
Explaining the declaration/definition of HRESULT
Matrix multiplication in GSL-GNU
Understanding the C function call prolog with __cdecl on windows
write a C or C++ library with "template"
How is the lagged fibonacci generator random?
What does it mean when numbers end with U
Java dropping half of UDP packets
What are the reasons for casting a void pointer?
Priority queue implementation in C
C - is it possible to decrement the max value of a for loop from within the for loop?
Parsing a string

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!