author | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-02-17 05:42:27 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-02-17 05:42:27 +0100 |
commit | ef16ce6f9a6d105f1761297bfc8c18b98f7fcdbe (patch) | |
tree | eed33be0f0d133e625da613eb954b53969acb888 | |
parent | Debug it a little. (diff) | |
Major changes.
-rwxr-xr-x | intercept-iptables.sh | 80 |
1 files changed, 37 insertions, 43 deletions
diff --git a/intercept-iptables.sh b/intercept-iptables.sh index 2bb01b1..404fec2 100755 --- a/intercept-iptables.sh +++ b/intercept-iptables.sh @@ -2,7 +2,7 @@ # File stdin format: # -# sourceIP basePort1 basePort2 +# sourceIP basePort shouldInsertProxyGap # interceptedIP interceptedPort interceptedDomain # interceptedIP interceptedPort interceptedDomain # interceptedIP interceptedPort interceptedDomain @@ -11,19 +11,23 @@ # ... # # Sample: -# 192.168.0.4 9000 10000 +# 192.168.0.4 9000 true # 123.48.12.122 443 googblie.com # 123.48.12.128 143 schmooblie.com # 123.43.12.112 587 lars.mooblie.com set -e -read localBase -sourceIP="$(cut -f 1 <<< "$localBase")" -localBasePort1="$(cut -f 2 <<< "$localBase")" -localBasePort2="$(cut -f 3 <<< "$localBase")" +read sourceIP localBasePort proxyGap +if $proxyGap; then + counterSpace=3 +else + counterSpace=2 +fi +deleteAfter=true if [ "$1" != "" ]; then stunnelConfigDir="$1" + deleteAfter=false else stunnelConfigDir="$(mktemp -d)" fi 
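Review bot: The new `if $proxyGap; then` in the second hunk runs the third stdin field as a command instead of comparing it, so the header line is no longer plain data: any value other than the literal `true`/`false` is resolved through PATH, and an unknown word only lands in the `else` branch because the lookup fails. Validate the field once right after `read` and branch on the string, e.g. `[ "$proxyGap" = true ] || [ "$proxyGap" = false ] || { echo "shouldInsertProxyGap must be true or false" >&2; exit 1; }` followed by `if [ "$proxyGap" = true ]; then`; the same `if $proxyGap` reappears inside the loop in the next hunk and is covered by that one check. `read sourceIP localBasePort proxyGap` should also be `read -r`, and `localBasePort` goes unchecked into `$(( ... ))` in the following hunk, so a non-numeric port gives an arithmetic error rather than a clear message — a `case "$localBasePort" in ''|*[!0-9]*) ... exit 1 ;; esac` guard next to the `proxyGap` check would cover it.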
@@ -38,55 +42,44 @@ iptables -t nat -F if [ ! -f ./demoCA/private/cakey.pem ]; then echo "[+] Generating ca certificate." - subj=" - C=CR - ST=ST - O=ACME - localityName=TOWN - commonName=THECN - organizationalUnitName=INTERCEPT - emailAddress=$(whoami)@$(uname -n)" mkdir -p demoCA/{certs,crl,newcerts,private} echo 01 > demoCA/serial touch demoCA/index.txt - openssl req -new -x509 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -days 3652 -passout pass:1234 -subj "$(tr -d '\t' <<< "$subj" | tr "\n" "/")" + openssl req -new -x509 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -days 3652 -passout pass:1234 -subj \ + "/C=CR/ST=ST/O=ACME/localityName=TOWN/commonName=THECN/organizationalUnitName=INTERCEPT/emailAddress=$(whoami)@$(uname -n)" openssl pkcs12 -passin pass:1234 -passout pass:1234 -export -in demoCA/cacert.pem -inkey demoCA/private/cakey.pem -out cacert.p12 fi counter=0 -while read line; do - remoteIP="$(cut -f 1 <<< "$line")" - remotePort="$(cut -f 2 <<< "$line")" - remoteDomain="$(cut -f 3 <<< "$line")" - localPort1="$(($localBasePort1 + $counter))" - localPort2="$(($localBasePort2 + $counter))" +while read remoteIP remotePort remoteDomain; do + localPort1="$(($localBasePort + $counter * $counterSpace + 0))" + localPort2="$(($localBasePort + $counter * $counterSpace + 1))" + if $proxyGap; then + localPort3="$(($localBasePort + $counter * $counterSpace + 2))" + else + localPort3="$localPort2" + fi serverConfig="server-$counter.conf" clientConfig="client-$counter.conf" - echo "[+] Configuring iptables to redirect $remoteIP:$remotePort <--> incoming:$localPort1" + echo "[+] Configuring iptables to redirect:" + echo -e "\t$remoteIP:$remotePort <--our key--> incoming:$localPort1" iptables -t nat -A PREROUTING -p TCP --source "$sourceIP" --destination "$remoteIP" --dport "$remotePort" -j REDIRECT --to-port "$localPort1" if [ ! -f "$remoteDomain.pem" ]; then - echo "[+] Generating host certificate." 
- subj=" - C=CR - ST=ST - O=ACME - localityName=TOWN - commonName=$remoteDomain - organizationalUnitName=INTERCEPT - emailAddress=$(whoami)@$(uname -n)" - openssl req -new -keyout ./$remoteDomain.req -out ./$remoteDomain.req -days 3652 -passout pass:1234 -passin pass:1234 -subj "$(tr -d '\t' <<< "$subj" | tr "\n" "/")" + echo "[+] Generating host certificate for $remoteDomain." + openssl req -new -keyout ./$remoteDomain.req -out ./$remoteDomain.req -days 3652 -passout pass:1234 -passin pass:1234 -subj \ + "/C=CR/ST=ST/O=ACME/localityName=TOWN/commonName=$remoteDomain/organizationalUnitName=INTERCEPT/emailAddress=$(whoami)@$(uname -n)" echo -e "y\ny"|openssl ca -passin pass:1234 -policy policy_anything -out $remoteDomain.crt -infiles $remoteDomain.req openssl rsa -passin pass:1234 < $remoteDomain.req > $remoteDomain.key cat $remoteDomain.crt $remoteDomain.key > $remoteDomain.pem fi - echo "[+] Writing stunnel config for incoming:$localPort1 <--> localhost:$localPort2" + echo "[+] Writing stunnel config for:" + echo -e "\tincoming:$localPort1 <--no key--> localhost:$localPort2" + echo -e "\tlocalhost:$localPort3 <--their key--> $remoteIP:$remotePort" echo " foreground=no debug=7 - socket=l:TCP_NODELAY=1 - socket=r:TCP_NODELAY=1 cert=$remoteDomain.pem output="$serverConfig.log" pid="$(pwd)/$serverConfig.pid" 
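Review bot: The rewritten `openssl req ... -subj "/C=CR/.../commonName=$remoteDomain/..."` splices the stdin field straight into a string where `/` and `=` are field separators, and the same `$remoteDomain` is used unquoted as a path in `./$remoteDomain.req`, `$remoteDomain.crt`, `$remoteDomain.key` and `$remoteDomain.pem`; a value with a slash, whitespace or a leading dash therefore changes the subject or the file set rather than being rejected. Since `while read remoteIP remotePort remoteDomain` now gives the loop its own variables, a hostname check at the top of the loop body is enough, e.g. `case "$remoteDomain" in ''|*[!A-Za-z0-9.-]*) echo "bad interceptedDomain: $remoteDomain" >&2; exit 1 ;; esac`, and the `read` should be `read -r` so backslashes in the input are kept literal. The new `echo -e "\t$remoteIP:$remotePort ..."` lines pass input data through `-e` as well; `printf '\t%s:%s <--our key--> incoming:%s\n' "$remoteIP" "$remotePort" "$localPort1"` prints the same text without interpreting escapes in the values. The loop body continues into the next hunk.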
@@ -95,23 +88,24 @@ while read line; do connect=127.0.0.1:$localPort2" > "$serverConfig" echo " foreground=no debug=7 - socket=l:TCP_NODELAY=1 - socket=r:TCP_NODELAY=1 client=yes output="$clientConfig.log" pid="$(pwd)/$clientConfig.pid" [client] - accept=127.0.0.1:$localPort2 + sslVersion=SSLv3 + accept=127.0.0.1:$localPort3 connect=$remoteIP:$remotePort" > "$clientConfig" - echo "[+] Starting server-$counter" + echo "[+] Starting server-$counter." stunnel "$serverConfig" - echo "[+] Starting client-$counter" + echo "[+] Starting client-$counter." stunnel "$clientConfig" counter="$(($counter + 1))" done -cd - > /dev/null -#rm -rf "$stunnelConfigDir" -echo $stunnelConfigDir +if $deleteAfter; then + echo "[+] Cleaning up." + cd - > /dev/null + rm -rf "$stunnelConfigDir" +fi
\ No newline at end of file |
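Review bot: The added `sslVersion=SSLv3` pins the client leg (`accept=127.0.0.1:$localPort3` → `connect=$remoteIP:$remotePort`) to SSLv3 for every intercepted host and so removes TLS negotiation with the real server, and the commit says nothing about why; a line above the `echo "` that writes `$clientConfig`, such as `# sslVersion=SSLv3: pinned for <ENDPOINT-PLACEHOLDER>; remove once it accepts TLS`, would keep this from surviving as an unexplained downgrade. The new `if $deleteAfter` block also runs `rm -rf "$stunnelConfigDir"` immediately after `stunnel "$clientConfig"` while the daemons (`foreground=no`) are still up; if the `cd` earlier in the file (outside this hunk) entered that directory, this deletes the `pid="$(pwd)/$clientConfig.pid"` files, the `output=` logs and the generated certificate and key files, leaving no handle to stop the instances later. Consider deferring cleanup until the stunnels are stopped, or at least printing the pid file paths before removal. Note too that `cd - > /dev/null` now only runs on the cleanup path, so when a directory is passed as `$1` the script finishes in that directory rather than where it started.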