source: trunk/debian/packages/debwrt-net/trunk/etc/firewall/sslh.inc.sh @ 885

Last change on this file since 885 was 885, checked in by amain, 2 years ago

debwrt-net: update debwrt-dnsmask.conf and add sshl

1#!/bin/sh
2
3# sslh in transparent mode
4#
# sslh listens for connections on the configured listen port and forwards each
# one, based on protocol analysis of the initial request, to the configured
# ip:port (can be localhost) for that service. sslh remains the proxy in between.
8#
9# When using transparent mode, the Source IP of the outgoing packet is changed
10# to the Source IP of the original inbound connection. Allowing the process/
11# machine that runs the actual service to see the original inbound client IP.
12#
# This makes the handling service send its replies to that inbound client IP
# and *not* to the sslh daemon that owns the actual inbound connection. Hence
# some policy-routing trickery is needed to get the returned packets, when in
# transparent mode, routed back through the sslh daemon.
17#
# Returning packets from the backends are marked 0x1 in the netfilter mangle
# table and then, via an ip rule keyed on that mark, routed to localhost.
20#
21# Note: listen address for sslh should be set to non-localhost address according
22#       to the original readme. What works is:
23#
24#       listen:
25#       (
26#           { host: "0.0.0.0"; port: "443"; }
27#       );
28#
# This assumes connections coming in from the WAN to the sslh daemon, which then
#               connects to backend hosts on br-lan (the FORWARD rules below
#               only match traffic arriving on that interface).
31
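sslh_start()
{
    # Optional overrides; the defaults are the values this file always used.
    #   SSLH_CFG    - sslh configuration file the backend list is read from
    #   SSLH_LAN_IF - interface the backend hosts are reached through
    local cfg lan_if line host port
    cfg="${SSLH_CFG:-/etc/sslh/sslh.cfg}"
    lan_if="${SSLH_LAN_IF:-br-lan}"

    # ${IPT} is deliberately left unquoted so that it may carry options as well
    # as the binary name.
    ${IPT} -t mangle -N SSLH

    # One FORWARD rule per backend ("name:" entry) in the sslh config: TCP
    # packets coming back from <host>:<port> on the LAN interface are diverted
    # into the SSLH chain. Only the source side is matched, so any traffic
    # leaving that host/port is caught, not just replies to sslh.
    #
    # host/port are extracted with sed and checked against a whitelist of
    # characters instead of being eval'ed. eval'ing text lifted from the config
    # would let anyone who can write that file execute commands as root, and
    # it would also pass stray characters straight into the iptables command.
    grep 'name: "[a-zA-Z0-9_=+--]\+' "${cfg}" \
     | while IFS= read -r line
       do
           host=$(printf '%s\n' "${line}" \
                   | sed -n 's/.*host:[[:space:]]*"\{0,1\}\([^";[:space:]]*\).*/\1/p')
           port=$(printf '%s\n' "${line}" \
                   | sed -n 's/.*port:[[:space:]]*"\{0,1\}\([^";[:space:]]*\).*/\1/p')

           # Hostnames / IPv4 literals only; a leading '-' would be parsed by
           # iptables as an option.
           case "${host}" in
               ''|-*|*[!A-Za-z0-9._-]*)
                   printf 'sslh: skipping backend with unusable host: %s\n' "${line}" >&2
                   continue
                   ;;
           esac
           # Numeric ports in 1-65535 only.
           case "${port}" in
               ''|*[!0-9]*)
                   printf 'sslh: skipping backend with unusable port: %s\n' "${line}" >&2
                   continue
                   ;;
           esac
           if [ "${#port}" -gt 5 ] || [ "${port}" -lt 1 ] || [ "${port}" -gt 65535 ]; then
               printf 'sslh: skipping backend with out-of-range port: %s\n' "${line}" >&2
               continue
           fi

           ${IPT} -t mangle -A FORWARD --protocol tcp --in-interface "${lan_if}" \
               -s "${host}" -m multiport --sport "${port}" --jump SSLH
       done

    # Everything that reaches SSLH is marked 0x1 and accepted.
    ${IPT} -t mangle -A SSLH --jump MARK --set-mark 0x1
    ${IPT} -t mangle -A SSLH --jump ACCEPT

    # Policy routing: packets carrying mark 0x1 consult table 100, which
    # delivers everything locally (i.e. to the sslh process) via lo. This is
    # IPv4 only; no ip6tables / "ip -6" counterpart is installed here.
    ip rule add fwmark 0x1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100
}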
60
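sslh_stop()
{
    ip rule del fwmark 0x1 lookup 100
    ip route del local 0.0.0.0/0 dev lo table 100

    # Delete only the FORWARD rules that jump into our SSLH chain. The former
    # blanket "-F FORWARD" also wiped every mangle/FORWARD rule installed by
    # other firewall modules. The rules are read back with "-S", whose output
    # is accepted as a "-D" spec once the leading "-A" is rewritten. (If this
    # iptables lacks -S, nothing is deleted here and the -X below fails because
    # the chain is still referenced.)
    ${IPT} -t mangle -S FORWARD 2>/dev/null \
     | grep -E -- '-j SSLH( |$)' \
     | sed 's/^-A /-D /' \
     | while IFS= read -r rule
       do
           # shellcheck disable=SC2086 # word splitting turns the rule spec into args
           ${IPT} -t mangle ${rule}
       done

    ${IPT} -t mangle -F SSLH
    ${IPT} -t mangle -X SSLH
}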
69
sslh_flush()
{
    # Best-effort teardown of our own rules first (its errors do not matter
    # here), then clear the *entire* mangle table: every chain is flushed and
    # every user-defined chain removed, including ones other modules added.
    sslh_stop >/dev/null 2>&1
    for action in -F -X
    do
        ${IPT} -t mangle "${action}"
    done
}
76
# Register this module's hooks. Each list is appended to, never replaced, so
# hooks registered by files sourced earlier stay in place (presumably the
# firewall framework that sources this file runs these lists; verify there).
astart="$astart sslh_start"
astop="$astop sslh_stop"
aflush="$aflush sslh_flush"
80