-
Notifications
You must be signed in to change notification settings - Fork 373
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added another file, discussing three possible setup scenarios, which
should cover up all setups. Changes to be committed: new file: scenarios-for-simple-transparent-proxy.md modified: simple_transparent_proxy.md new file: sslh-examples-v1.png
- Loading branch information
1 parent
f4eea87
commit 6526285
Showing
3 changed files
with
51 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| # Three Scenarios for the simple transparent proxy setup # | ||
|
|
||
|  | ||
|
|
||
| ## Introduction ## | ||
| The first example is the configuration, which was described in the previousd document. I omitted the loopback interface "lo" in those diagrams, trying not no overload the picture. | ||
| The connections have two different endings, showing the direction of the opening connection (SYN flag) and the answer connection (SYN-ACK flags). This is important, as the traffic in the transparent proxy setup flows somewhat unexpected. | ||
|
|
||
| ## Example 1 ## | ||
| The first example shows the setup, which is described in the [previous document](./simple_transparent_proxy.md). You see the Client connecting to sslh (red connection). When sslh accepts this connection, the SYN-ACK packet is send back to the client, which sends the first data packet(s) together with the ACK for the SYN-ACK. So the bidirectional tcp connection is fully open. | ||
| Sslh opens now the blue connection to sshd and needs for that elevation rights, as it uses the clients IP address as its own address for opening this connection. Now things are becoming complicated: Sshd send back the first packet with SYN-ACK flags (green line), addressed to the clients IP (dotted line). As already described, that would go wrong, so our routing trick makes this packet beeing deflected back to sslh, so this tcp connection is also opened. But we have here now an asymetric behaviour, that the read and write pathes of the tcp connection are going different routes. | ||
| The sslh process shuffles now all the bytes coming from sshd from the green line to the red line, vice versa for the packets from the client. | ||
|
|
||
| ## Example 2 ## | ||
| In this example sshd is running on another server. No matter, if this is docker, kvm, virtualbox or another physical host, connected with an ethernet cable. Here we need no dummy interface, so we need another way, to configure our routing deflection. The principle is the same: We need to force packets coming back from sshd going to sslh and not directly back to the client. | ||
| In this case its your decision, where those rules will be tied in, options are: | ||
|
|
||
| * the startscript of sslh | ||
| * the docker or kvm configuration | ||
| * the configuration of the outgoing interface | ||
|
|
||
| Its two lines you need: | ||
| ``` | ||
| ip rule add from SSHD_ADDRESS/32 table sslh | ||
| ip route add local 0.0.0.0/0 dev lo table sslh | ||
| ``` | ||
| On the sshd host, we need no additional rules, as all traffic is coming back to our sslh host, because this is in this setting the default gateway. The only thing, we need to do: Assign a unique IP address only for sshd and all other services, you wish to hide behind sslh and host on this device. | ||
|
|
||
| There are two ways, how you can add multiple ip addresses to one device. The new _**ip addr add**_ supports multiple add statements to one and the same interface name. So you can just duplicate the interface stancas in the _**/etc/network/interfaces**_ configuration. The problem with this method is, that some older managment tools, like ifconfig are unable to show the additional addresses. So when you are used to some older tools, you may configure sub-interfaces like eth0:1. | ||
| However my recommendation is, migrate to new tools, get used to it, as old tools don't show you the whole configuration! | ||
|
|
||
| ## Example 3 ## | ||
| This is now the extended version of the previous example. The target host has another path back to the client, as there is a default route to another interface. Now we need **TWO** routing deflections, one on the sslh host, like in scenario 2, and one on the sshd target host. | ||
| The routing setup on the target host looks like: | ||
| * Add an routing table name for the deflection table in _**/etc/iproute2/rt_tables**_ | ||
| * Find a location, where you will hook the two routing rules in | ||
| ``` | ||
| ip rule add from SSHD_ADDRESS/32 table sslh_routeback | ||
| ip route add default via SERVER1_ETH1_IP dev eth0 table sslh_routeback | ||
| ``` | ||
| This is setting up a default route for all traffic, originating from the ip address sshd (or any other service) is using, back to the host, hosting sslh. On that host, those packets will be deflected again with the same rule from scenario 2. | ||
|
|
||
| ## Modifications ## | ||
| Now you can think about many modifications, but the tools will be the same, for all other thinkable scenarios. You must always make sure, that packets from foreign hosts, will find their way back to the sslh host. So if the chain consists of three or four servers, all need the deflection rules. | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.