2

I'm looking for some help regarding an stunnel configuration I'm working on. Basically I want to have a DMZ machine accept inbound connections to port 80 and 110, and then forward them through my firewall on port 22 to a machine that will then forward the traffic to port 80 and 110 locally. Is this even possible?

Basically I would have this on my DMZ:

[http]
listen = localhost:80
connect = server:22
cert = cert.pem

[pop3]
listen = localhost:110
connect = server:22
cert = cert.pem

And on my server I would have:

[http]
listen = localhost:22
connect = localhost:80

[pop3]
listen = localhost:22
connect = localhost:110

Does this make any sense? Port 22 is already open on my firewall and I don't want to have to open 2 more ports.

Any info would be greatly appreciated...

Thanks!

user206200

3 Answers

3

You can maybe use stunnel in combination with sslh: http://www.rutschle.net/tech/sslh.shtml

sslh is a little program that analyses the protocol and redirects the packets according to the protocol.

According to the man page:

Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol that can be tested using a regular expression, can be recognised.

A configuration file example is available at /usr/share/doc/sslh/examples/example.cfg (Debian).

It might look like this in the end (I didn't test it):

verbose: true;
foreground: true;
inetd: false;
numeric: false;
transparent: false;
timeout: 2;
user: "nobody";
pidfile: "/var/run/sslh.pid";

listen:
(
    { host: "localhost"; port: "SOME_PORT"; }
);

protocols:
(
    { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },
    { name: "pop3"; host: "localhost"; port: "110"; probe: [ INSERT_REGEXP_IDENTIFYING_POP3_PACKETS_HERE ]; }
);

Your stunnel server.conf would become:

...
[sslh]
listen = localhost:22
connect = localhost:PORT_SSLH_IS_LISTENING_ON
Tomtix
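An illustration of the first-packet probing that sslh relies on, added here as an example; it is not sslh's own code and not the configuration from the answer. It runs regular expressions over constructed client-side first bytes for SSH, HTTP and TLS, the way an sslh probe list does, and models the timeout fallback to the first listed protocol. The protocol names, the sample banners and the fallback choice are assumptions of the example. What it shows for the question above: POP3 is a server-speaks-first protocol (RFC 1939), so the client sends nothing until it has received the server's +OK greeting, and a probe on the client's first bytes cannot match it.

```python
import re
from typing import Optional

# Constructed first packets from the client side (not captured traffic).
# POP3 is server-speaks-first (RFC 1939): the client waits for "+OK ...",
# so from a client-side probe's point of view its first packet is empty.
SAMPLES = {
    "ssh_client_banner": b"SSH-2.0-OpenSSH_9.6\r\n",
    "http_get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "tls_client_hello": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
    "pop3_nothing_yet": b"",
}

# Probe list in priority order, analogous to sslh "protocols" entries:
# (protocol name, regular expression applied to the client's first bytes).
PROBES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r?\n")),
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x04]")),  # TLS handshake record, version 3.x
    # A POP3 regex on client commands never fires on the first packet,
    # because no POP3 client sends USER/CAPA before the server greeting.
    ("pop3", re.compile(rb"^(USER|CAPA|APOP|AUTH) ", re.IGNORECASE)),
]

# Connections that stay silent until the timeout go to the first listed
# protocol; that choice is an assumption of this example.
TIMEOUT_FALLBACK = PROBES[0][0]


def probe(first_bytes: bytes) -> Optional[str]:
    """Return the first protocol whose regex matches the client bytes, or None."""
    for name, pattern in PROBES:
        if pattern.search(first_bytes):
            return name
    return None


def classify(first_bytes: bytes) -> str:
    """Route a connection: an empty first packet means the timeout fallback."""
    if not first_bytes:
        return TIMEOUT_FALLBACK
    return probe(first_bytes) or "unknown"


if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:20} -> {classify(data)}")
```

The consequence for the sslh configuration sketched above is that the pop3 entry with a client-side regex would never be selected: a POP3 connection always ends in the timeout fallback, which can only point at one protocol. A service that speaks first therefore needs its own listening port rather than a share of the probed one.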
2

Sure, it's possible, but it doesn't really involve stunnel at all.

You could set up an SSH tunnel between your DMZ machine and your internal host. Something like:

on_dmz_host# ssh -L 80:localhost:80 -L 110:localhost:110 internal_server

This tells ssh to forward port 80 on your DMZ host to port 80 on your internal server, and similarly for port 110. The connections all travel over the ssh connection on port 22 so this does not require opening up any additional ports.

You could also accomplish the same thing with a point-to-point VPN (OpenVPN is good for this, for example), although honestly just opening up the ports on the firewall is simpler.

larsks
I have done both of these (ssh and openvpn) before and they work. They can be configured to use the port you prefer. – Skaperen Jul 07 '15 at 09:29
1

Unless stunnel has some way of differentiating which traffic is which protocol (which I doubt), this won't work. You'll have to open one more port on your firewall.

Jim G.