  1. #!/bin/bash
  2.  
  3. set -e
  4.  
  5. # Set route_localnet = 1 on all interfaces so that ssl can use "localhost" as
  6. # destination
  7. sysctl -w net.ipv4.conf.default.route_localnet=1
  8. sysctl -w net.ipv4.conf.all.route_localnet=1
  9.  
  10. # DROP martian packets as they would have been if route_localnet was zero
  11. # Note: packets not leaving the server aren't affected by this, thus sslh/stunnel will
  12. # still work
  13. iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
  14. iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
  15.  
  16. # Mark all connections made by ssl for special treatment (here stunnel connects to 127.1.1.1)
  17. iptables -t nat -A OUTPUT -d 127.1.1.1 -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
  18.  
  19. # Outgoing packets that should go to sslh/stunnel instead have to be rerouted, so mark
  20. # them accordingly (copying over the connection mark)
  21. iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
  22.  
  23. # Configure routing for those marked packets
  24. ip rule add fwmark 0x1 lookup 100
  25. ip route add local 0.0.0.0/0 dev lo table 100