stunnel - TLS offloading and load-balancing proxy

stunnel accepts no connection, nothing in the logs

Situation :

Details :

Stuff that was not perfectly configured but not the cause of this behavior either

  • certificates
  • having a DNS or /etc/hosts entry to reverse lookup the listening address 123.45.67.89

Solution :

That was a pretty stupid one : I had an iptables rule specifically dropping all packets to 123.45.67.89:1234 ()
  1. list all rules (source) :
    iptables -L -n -v
    (-v adds the packet counters and the in/out interfaces)
    Chain INPUT (policy ...)
    ...

    Chain FORWARD (policy ...)
    ...

    Chain OUTPUT (policy ACCEPT 448 packets, 58769 bytes)
    pkts	bytes	target	prot	opt	in	out	source		destination
    0	0	ACCEPT	all	--	*	lo	0.0.0.0/0	0.0.0.0/0	owner GID match 2000
    0	0	DROP 	tcp	--	*	lo	0.0.0.0/0	0.0.0.0/0	tcp dpt:1234
    (the last field of each rule is its match parameters, not a comment)
  2. flush everything (source) :
    iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT; iptables -t nat -F; iptables -t mangle -F; iptables -F; iptables -X
  3. test the network connectivity :
    nc -vz 123.45.67.89 1234
    stunnel [123.45.67.89] 1234 (?) open
  4. test the TLS connectivity :
    openssl s_client -connect 123.45.67.89:1234

More about iptables

In the rule defined above, as well as in /etc/iptables/rules.v4 (which can be restored with iptables-restore < /etc/iptables/rules.v4) :

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -m owner --gid-owner 2000 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 1234 -j DROP
COMMIT
the TCP port 1234 appears as a destination and is actually filtered, although it's the entry point of my stunnel. Why ???

That's because iptables filters packets as they pass, not by which process listens on a port : a local client connecting into the tunnel sends packets whose destination is '123.45.67.89:1234', so they leave through lo, traverse the OUTPUT chain and are dropped by that rule before stunnel ever sees them (hence nothing in the logs).
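Step 2 above flushes every rule and resets every policy, which is a big hammer when a single rule is to blame. The following shell script is an added example (not from the original page or from the stunnel project) of the narrower check : it parses iptables-save output for rules that match the stunnel listening port and end in DROP or REJECT, reports chains whose default policy is not ACCEPT, and prints the matching iptables -D commands for review instead of running them. The embedded ruleset is constructed, modelled on the rules.v4 shown above plus one unrelated INPUT rule ; live_check is a hypothetical wrapper that runs the same analysis against the running firewall and needs root.

```shell
#!/bin/sh
# Added example: locate the iptables rule that blocks a stunnel listener
# instead of flushing the whole firewall. Works on iptables-save format.

# Constructed sample ruleset, modelled on the rules.v4 above (not captured
# from a real host); the INPUT rule for port 22 is a non-matching decoy.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -m owner --gid-owner 2000 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 1234 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# blocking_rules PORT: read iptables-save text on stdin and print every rule
# whose destination port matches PORT (--dport, or a multiport --dports list)
# and whose target is DROP or REJECT. Covers the OUTPUT/lo case from this page
# as well as INPUT rules that would block remote clients.
blocking_rules() {
    awk -v port="$1" '
        /^-A / {
            hit = 0; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) hit = 1
                if ($i == "--dports") {
                    n = split($(i + 1), list, ",")
                    for (k = 1; k <= n; k++) if (list[k] == port) hit = 1
                }
                if ($i == "-j") target = $(i + 1)
            }
            if (hit && (target == "DROP" || target == "REJECT")) print
        }'
}

# restrictive_policies: print "CHAIN POLICY" for every built-in chain whose
# default policy is not ACCEPT (user-defined chains show "-" and are skipped).
restrictive_policies() {
    awk '/^:/ && $2 != "ACCEPT" && $2 != "-" { sub(/^:/, "", $1); print $1, $2 }'
}

# delete_commands PORT: rewrite each blocking rule as the iptables -D command
# that removes exactly that rule. Printed for review, never executed here.
delete_commands() {
    blocking_rules "$1" | sed 's/^-A /iptables -D /'
}

# live_check PORT (hypothetical helper): same analysis against the running
# firewall. Needs root and the iptables-save binary.
live_check() {
    iptables-save 2>/dev/null | blocking_rules "$1"
    iptables-save 2>/dev/null | restrictive_policies
}

# Demonstration on the constructed sample: the stunnel port is 1234.
printf '%s\n' "$SAMPLE_RULES" | blocking_rules 1234
printf '%s\n' "$SAMPLE_RULES" | delete_commands 1234
```

On the sample this reports the single OUTPUT/lo DROP rule and prints `iptables -D OUTPUT -o lo -p tcp -m tcp --dport 1234 -j DROP`, which removes that rule alone and leaves the owner-match ACCEPT and the policies untouched.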

stunnel

Configuration

flag usage
debug=level

Actions

              sysVinit                              systemd
start         /etc/init.d/stunnel4 start            systemctl start stunnel4
view logs     less /var/log/stunnel4/stunnel.log    journalctl -u stunnel4
I've seen stunnel logging in /var/log/stunnel4/stunnel.log even though it is handled by systemd. This _may_ be because of a transitional situation where systemd actually fires the sysVinit scripts.
https://charlesreid1.com/wiki/Stunnel/Client
https://charlesreid1.com/wiki/Stunnel/Troubleshooting
https://bbs.archlinux.org/viewtopic.php?id=101866
http://edunham.net/2016/01/09/troubleshooting_stunnel.html