[sslh] Making Transparent Proxy work without iptables

Sean Warner plica2006 at gmail.com
Mon Apr 23 14:50:37 UTC 2018



Just in case anyone is interested.. especially those, like me, not very
experienced with linux. Here is my set up that got transparent proxy support
working without using the iptables firewall. Instead it just uses the linux
kernel IP routing table.


Commands to set up (and remove) the route and rules are added to the sslh
systemd service so they are created when sslh starts and removed when sslh
stops. Any feedback about whether it is safe or wise to do it this way much
appreciated! I use a raspberry pi running Raspbian which is like Debian
Stretch. sslh, apache2 and sshd are all running on the same Pi which is
connected by ethernet cable to my router.


Update the systemd sslh.service file:


# systemctl stop sslh

# nano /lib/systemd/system/sslh.service



Description=SSL/SSH multiplexer





ExecStart=/usr/local/sbin/sslh -F /etc/sslh/sslh.cfg



# Set routing rules/route automatically on sslh service start



# Add the ip rules and route to enable Transparent Proxy

ExecStartPre=/sbin/ip rule add fwmark 0x1 lookup 100

ExecStartPre=/sbin/ip route add local dev lo table 100

ExecStartPre=/sbin/ip rule add from table 100

ExecStartPre=/sbin/ip route flush cache


# Remove the ip rules and route to enable Transparent Proxy

ExecStopPost=/sbin/ip rule del fwmark 0x1 lookup 100

ExecStopPost=/sbin/ip route del local dev lo table 100

ExecStopPost=/sbin/ip rule del from table 100

ExecStopPost=/sbin/ip route flush cache





Update the sslh configuration file:


# nano /etc/sslh/sslh.cfg


verbose: false;

foreground: true;

inetd: false;

numeric: true;

transparent: true;

timeout: 2;

user: "sslh";

pidfile: "/var/run/sslh.pid";

chroot: "/var/empty";


# Change hostname with your external address name.



{ host: ""; port: "4433"; }



# this solution was recommended from: wiki.techunit.org/SSLH



        { name: "ssh"; service: "ssh"; host: ""; port: "1022";
log_level: 1; },

        { name: "ssl"; host: ""; port: "444"; log_level: 1; }



In my setup sslh is installed on machine with ip: and listens
on port 4433. I set up port forwarding on my router from external port 443
to internal port 4433. sslh sends de-multiplexed traffic to the web server
on port 444 and ssh server on port 1021 addressing them as though they are
on ip address: I don't know if this is a good strategy or if
something might break this solution.


I added port 1022 to sshd config: /etc/ssh/sshd_config and in apache2 I
updated ports.conf like this:





Listen 80


<IfModule ssl_module>

Listen 443



<IfModule mod_gnutls.c>

Listen 443




Listen 80


<IfModule ssl_module>

Listen 443




<IfModule mod_gnutls.c>

Listen 443




I also duplicated the Virtualhost definitions for my website. one starts
with <VirtualHost> and the other with <VirtualHost
_default_:443> This makes apache2 listen on ports 444 and 443. With sslh
running web traffic goes to apache on port 444 but if I want to turn off
sslh for some reason then I only have to switch the port forwarding in my


I am using a binary that I compiled from sources and enabled USELIBCAP so
sslh runs as the unpriviledged user: sslh but magically gives itself the
cap_net_admin capability for transparent proxy support. That's another thing
I don't really understand but at least it works!



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://rutschle.net/pipermail/sslh/attachments/20180423/836bfbfd/attachment.html>

More information about the sslh mailing list