What is a port multiplexer?


Well, glad you asked. A port multiplexer basically allows you to run multiple services on one port. This can be useful for many people, and I personally use a multiplexer called sslh. I use a port multiplexer to run my website, SSH, and OpenVPN on port 443, a port that firewalls very rarely block. sslh works by listening on one port and, depending on what the incoming traffic looks like, forwarding it to another, non-standard port. This means that people outside your server have no idea a port multiplexer is being used.

The biggest problem I have with port multiplexers is the fact that they make all the traffic appear to come from localhost, not the originating IP address, so your backend services log the wrong client. The easiest way to get around this is to run the multiplexer in transparent mode, which makes the traffic appear to come from the real IP address.
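To make the "depending on what the incoming traffic looks like" part concrete, here is a toy demultiplexer added to this post (it is not sslh's code) that mimics the decision sslh makes from the first bytes a client sends: SSH clients open with an `SSH-` banner, TLS clients with a handshake record (`0x16 0x03 ..`), HTTP clients with a request method, and OpenVPN with a control packet. The backend map, the documentation address 203.0.113.10 and the silent-client fallback to SSH are assumptions that mirror the configuration later in the post; the OpenVPN check is modelled on sslh's heuristic rather than copied from it. The point for a defender is that the routing decision is made from whatever the client sends first: the multiplexer obscures which services exist, but anyone who speaks the protocol still reaches the backend, so each backend's own authentication is what protects it.

```python
"""Toy first-bytes demultiplexer in the spirit of sslh (added example, not sslh's code)."""

# Constructed backend map mirroring the DAEMON_OPTS later in the post; 203.0.113.10 is a
# documentation address standing in for "(your external IP)".
BACKENDS = {
    "ssh": ("203.0.113.10", 22),
    "openvpn": ("203.0.113.10", 1194),
    "ssl": ("203.0.113.10", 4433),
    "http": ("203.0.113.10", 8080),
}
# Assumption: a client that stays silent until the probe timeout is treated as SSH, the
# first protocol in the configuration, which is how sslh's --timeout fallback behaves.
DEFAULT_PROTOCOL = "ssh"

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ", b"CONNECT ")
OPENVPN_RESET_LEN = 14       # assumption: length of the client's first control packet, as sslh's probe expects
OPENVPN_RESET_OPCODE = 0x38  # P_CONTROL_HARD_RESET_CLIENT_V2 with key id 0


def classify(first_bytes, timed_out=False):
    """Name the protocol a connection's first bytes belong to.

    Returns one of the BACKENDS keys, "need-more" when the bytes seen so far could still
    grow into a known opening, or "unknown" when they match nothing.
    """
    if not first_bytes:
        return DEFAULT_PROTOCOL if timed_out else "need-more"
    if first_bytes.startswith(b"SSH-"):            # SSH identification string
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04:
        return "ssl"                                # TLS record: handshake content type, version 3.x
    if first_bytes.startswith(HTTP_METHODS):       # plaintext HTTP request line
        return "http"
    if (len(first_bytes) >= 3
            and int.from_bytes(first_bytes[:2], "big") == OPENVPN_RESET_LEN
            and first_bytes[2] == OPENVPN_RESET_OPCODE):
        return "openvpn"
    if any(opening.startswith(first_bytes) for opening in (b"SSH-", b"\x16\x03", *HTTP_METHODS)):
        return "need-more"                          # e.g. only "GE" has arrived so far
    return "unknown"                                # sslh would need a catch-all (--anyprot) for this


def route(first_bytes, timed_out=False):
    """Map the classification to the (protocol, host, port) sslh would connect to."""
    proto = classify(first_bytes, timed_out)
    host, port = BACKENDS.get(proto, (None, None))
    return proto, host, port


if __name__ == "__main__":
    # Constructed sample openings, not captured traffic.
    samples = {
        "ssh client": b"SSH-2.0-OpenSSH_9.6\r\n",
        "tls client hello": bytes.fromhex("16030100c0010000bc0303"),
        "http request": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
        "openvpn reset": b"\x00\x0e\x38" + b"\x00" * 13,
        "socks greeting": b"\x05\x01\x00",
    }
    for name, data in samples.items():
        print(f"{name:18} -> {route(data)}")
    print(f"{'silent client':18} -> {route(b'', timed_out=True)}")
```

Real sslh reads a little more than this (it can probe for a TLS SNI, for instance), but the shape is the same: wait for the first bytes, try each configured probe in order, and fall back to the first protocol when the client says nothing before `--timeout` expires.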

Anyways, here’s how to install and configure it on Ubuntu:


First, install it with:

 sudo apt install sslh

Then, you need to configure a few settings, so edit the sslh config file:

 sudo nano /etc/default/sslh

And find the line that has:

 DAEMON_OPTS=

Now, in between the quotes, add something like:

 --user sslh --transparent -f --listen (your external IP):80 --listen (your external IP):443 --ssh (your external IP):22 --openvpn (your external IP):1194 --ssl (your external IP):4433 --http (your external IP):8080 --pidfile /var/run/sslh/sslh.pid

to configure a transparent proxy. The above config listens on ports 80 and 443, and forwards SSH to port 22, OpenVPN to port 1194, SSL to port 4433, and HTTP to port 8080. Change these to the ports you want, and then set up the iptables config like:

sudo iptables -t mangle -N SSLH
sudo iptables -t mangle -A OUTPUT --protocol tcp --out-interface ens3 --sport 22 --jump SSLH
sudo iptables -t mangle -A OUTPUT --protocol tcp --out-interface ens3 --sport 4433 --jump SSLH
sudo iptables -t mangle -A OUTPUT --protocol tcp --out-interface ens3 --sport 1194 --jump SSLH
sudo iptables -t mangle -A OUTPUT --protocol tcp --out-interface ens3 --sport 8080 --jump SSLH
sudo iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
sudo iptables -t mangle -A SSLH --jump ACCEPT
sudo ip rule add fwmark 0x1 lookup 100
sudo ip route add local 0.0.0.0/0 dev lo table 100

and be sure to change the interface (ens3 above) and the source ports if you need to. Every backend port in DAEMON_OPTS needs its own --sport rule here: these rules mark the replies leaving the backend ports and route them through table 100 so that sslh, rather than the backend, answers the client.
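The part of this setup that most often goes wrong is a backend port with no matching mangle rule: the backend then answers the client directly from its own port, and the connection never completes. The following checker is added here and is not part of sslh; it parses a DAEMON_OPTS string and the text form of the mangle table (as `iptables -t mangle -S` prints it) and reports backends that are not covered, plus a couple of related mistakes. Both inputs are constructed for the example, with the documentation address 203.0.113.10 in place of your external IP and the 8080 rule deliberately left out so the check has something to find.

```python
"""Consistency check for sslh transparent mode vs. the mangle rules (added example, not sslh's code)."""
import re
import shlex

# Constructed inputs mirroring the configuration above, with the documentation address
# 203.0.113.10 in place of "(your external IP)".
DAEMON_OPTS = (
    "--user sslh --transparent -f --listen 203.0.113.10:80 --listen 203.0.113.10:443 "
    "--ssh 203.0.113.10:22 --openvpn 203.0.113.10:1194 --ssl 203.0.113.10:4433 "
    "--http 203.0.113.10:8080 --pidfile /var/run/sslh/sslh.pid"
)
# Constructed to look like `iptables -t mangle -S` output for the rules above, with the
# --sport 8080 rule deliberately left out so the check has something to report.
MANGLE_RULES = """\
-N SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 22 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 4433 -j SSLH
-A OUTPUT -o ens3 -p tcp -m tcp --sport 1194 -j SSLH
-A SSLH -j MARK --set-xmark 0x1/0xffffffff
-A SSLH -j ACCEPT
"""

ADDR_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d+)$")
SPORT_RULE_RE = re.compile(r"^-A OUTPUT\b.*--sport (?P<port>\d+)\b.*-j SSLH\s*$")
VALUE_OPTIONS = {"--user", "--pidfile"}   # options whose value is not a host:port


def parse_daemon_opts(opts):
    """Split DAEMON_OPTS into (flags, listen sockets, {protocol: (host, port)})."""
    tokens = shlex.split(opts)
    flags, listens, backends = set(), [], {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        addr = ADDR_RE.match(nxt)
        if tok in VALUE_OPTIONS:
            i += 2
        elif tok.startswith("--") and addr:
            entry = (addr.group("host"), int(addr.group("port")))
            if tok == "--listen":
                listens.append(entry)
            else:
                backends[tok[2:]] = entry      # --ssh, --ssl, --http, --openvpn, ...
            i += 2
        else:
            flags.add(tok)                     # --transparent, -f, ...
            i += 1
    return flags, listens, backends


def parse_mangle_rules(text):
    """Return (source ports that OUTPUT sends to SSLH, whether SSLH sets a mark)."""
    marked_ports, marks = set(), False
    for line in text.splitlines():
        line = line.strip()
        m = SPORT_RULE_RE.match(line)
        if m:
            marked_ports.add(int(m.group("port")))
        if line.startswith("-A SSLH") and "-j MARK" in line:
            marks = True
    return marked_ports, marks


def check_transparent_config(opts, rules_text):
    """List the problems worth fixing before restarting sslh."""
    flags, listens, backends = parse_daemon_opts(opts)
    marked_ports, marks = parse_mangle_rules(rules_text)
    if "--transparent" not in flags:
        return ["--transparent is not set: backends will log sslh's own address, and the mangle rules do nothing useful"]
    problems = []
    if not marks:
        problems.append("SSLH chain has no MARK rule, so nothing is ever routed via table 100")
    listen_ports = {port for _, port in listens}
    for proto, (host, port) in sorted(backends.items()):
        if port in listen_ports:
            problems.append(f"backend {proto} uses port {port}, which sslh itself listens on")
        if port not in marked_ports:
            problems.append(f"backend {proto} {host}:{port} has no mangle OUTPUT rule (--sport {port} -j SSLH)")
    return problems


if __name__ == "__main__":
    for problem in check_transparent_config(DAEMON_OPTS, MANGLE_RULES) or ["no problems found"]:
        print(problem)
```

On a live box you would feed it the real values, for example the DAEMON_OPTS line from /etc/default/sslh and the output of `sudo iptables -t mangle -S`, and expect an empty list before restarting the service.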

Sources: GitHub
