Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
iptables -- masquerade VPN clients w/ transparent HTTP proxy
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
archnaid
n00b
n00b


Joined: 28 May 2017
Posts: 8

PostPosted: Sat Sep 16, 2017 2:26 pm    Post subject: iptables -- masquerade VPN clients w/ transparent HTTP proxy Reply with quote

Hi,

I have a server running Gentoo, which acts as a VPN server for roaming clients. My goal is to route clients' traffic through a transparent proxy, but so far I've been unsuccessful.

The current iptables config default blocks, allows and blocks some specific things (SSH, VPN, etc.), then masquerades VPN clients. This all generally works. But when I try to add a transparent HTTP proxy, nothing seems to pass through it. Even when I installed Lynx to test local connections, nothing gets logged by the proxy.

[edit] Some more info that's probably relevant:
server has one physical interface, eth0. VPN clients are put on the 10.100.0.0/24 address range. Main use of the VPN is to tunnel to internet. Just want to stick a proxy in between.

So, any advice for how to set this up?

Thanks so much!



This is what I'm doing to attempt the transparent proxy:
Code:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8118
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8118



The full iptables setup (without the transparent proxy commands above) follows. Have tried to insert the proxying commands at different spots, understanding that order matters, still no luck. And yes, this config can probably be cleaned up or improved...
Code:

#!/bin/bash
### We'll be blocking everything ip6...

#### Clear  exisiting and reset counters
iptables --flush
iptables --delete-chain
iptables --zero

ip6tables --flush
ip6tables --delete-chain
ip6tables --zero


#### Default drop
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

ip6tables -P INPUT   DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT  DROP


##### CUSTOM CHAINS
# Icmp
iptables -N ICMP
iptables -A ICMP -m limit --limit 15/minute -j LOG --log-prefix "iptables-denied: Icmp: "
iptables -A ICMP -j DROP

# Bad Flags, Bogus etc.
iptables -N BOGUS
iptables -A BOGUS -m limit --limit 15/minute -j LOG  --log-prefix "iptables-denied: Bogus: "
iptables -A BOGUS -j DROP

# Lan Spoof
iptables -N LANSPOOF
iptables -A LANSPOOF -m limit --limit 15/minute -j LOG --log-prefix "iptables-denied: LanSpoof: "
iptables -A LANSPOOF -j DROP

# Loopback Spoof
iptables -N LOOPSPOOF
iptables -A LOOPSPOOF -m limit --limit 15/minute -j LOG --log-prefix "iptables-denied: LoopSpoof: "
iptables -A LOOPSPOOF -j DROP

# Final Firewall
iptables -N FIREWALL
iptables -A FIREWALL -m limit --limit 15/minute -j LOG --log-prefix "iptables-denied: Firewall: "
iptables -A FIREWALL -j DROP

# Forwards
iptables -N logFORWARD
iptables -A logFORWARD -j LOG --log-prefix "iptables-denied: FORWARD: "
iptables -A logFORWARD -j DROP


##### INPUT BLOCK ########################################################################
# Drop all ICMP unrelated ICMP
#iptables -A INPUT -p icmp -j ICMP
iptables -A INPUT -p icmp -m conntrack --ctstate NEW,INVALID -j ICMP

# LAN Spoof
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j LANSPOOF

# Loopback Spoof
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j LOOPSPOOF

# Fragments
iptables -A INPUT -f -j BOGUS

# Bogus packets
iptables -A INPUT -m conntrack --ctstate INVALID -j BOGUS
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j BOGUS
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BOGUS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j BOGUS
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j BOGUS
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j BOGUS
iptables -A INPUT -m conntrack --ctstate NEW,RELATED -p tcp ! --tcp-flags ALL SYN -j BOGUS


##### INPUT ACCEPT ######################################################################
# Already established and related
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Loopback
iptables -A INPUT -i lo -j ACCEPT

# SSH
iptables -A INPUT -i eth0 -p tcp --dport <some_port> -m state --state NEW,ESTABLISHED -j ACCEPT

# OpenVPN on the <profile_name>
iptables -A INPUT -i eth0 -p udp --dport <some_port> -m state --state NEW,ESTABLISHED -j LOG --log-prefix "iptables-passed: INPUT: "
iptables -A INPUT -i eth0 -p udp --dport <some_port> -m state --state NEW,ESTABLISHED -j ACCEPT


##### OUTPUT BLOCK #####################################################################
# Drop all ICMP
#iptables -A OUTPUT -p icmp -j ICMP

# Bogus packets
iptables -A OUTPUT -m conntrack --ctstate INVALID -j BOGUS


##### OUTPUT ACCEPT #####################################################################
# ICMP for ping, traceroute, etc.
iptables -A OUTPUT -p icmp -j ACCEPT

# Loopback
iptables -A OUTPUT -o lo -j ACCEPT

# Dns
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Services
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT #rsync

# SSH
iptables -A OUTPUT -o eth0 -p tcp --sport <some_port> -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport ssh -m state --state NEW,ESTABLISHED -j ACCEPT

# OpenVPN on the <profile_name>
#iptables -A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -j LOG --log-prefix "iptables-passed: OUTPUT: "
iptables -A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport <some_port> -j LOG --log-prefix "iptables-passed: OUTPUT: "
iptables -A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -j ACCEPT


##### FORWARD BLOCK ####################################################################
# log all the things!
iptables -A FORWARD -j logFORWARD

# Bogus Packets
iptables -A FORWARD -m conntrack --ctstate INVALID -j BOGUS


#### VPN specific stuff, should move it into the sections above...
#Allow traffic on the TUN interface
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
# Allow forwarding traffic only from the VPN
iptables -A FORWARD -i tun0 -o eth0 -s 10.100.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE


##### FINAL CATCH ALL ##########
iptables -A INPUT  -j FIREWALL
iptables -A OUTPUT -j FIREWALL
Back to top
View user's profile Send private message
archnaid
n00b
n00b


Joined: 28 May 2017
Posts: 8

PostPosted: Sun Sep 17, 2017 4:45 pm    Post subject: Reply with quote

Update;

Found some advice elsewhere that instead of using REDIRECT, use DNAT and explicitly state the redirect-to IP address. I'm not sure how this helps, but I set the proxy to listen on both 127.0.0.1 (as it was before) and to 10.100.0.1 (the VPN subnet). There's probably something I was misunderstanding about the implicit address that REDIRECT points to. It also indicates you must MASQUERADE due to the NAT. (source)


So, for the VPN...
Code:

iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to 10.100.0.1:8118
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j DNAT --to 10.100.0.1:8118
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

At least this time I see some action. Webpages not using https are now captured by the proxy correctly (though some are extremely slow, seems like some third-party scripts and thinks are failing to connect, unsure why -- they also appear to be plain http, not https).
But those which do on 443 are lost to the ether. I do understand that you can't cache etc. on ssl connections, but was hoping to at least be able to do domain-based filtering. I suppose NAT/MASQUERADE might need to rewrite the destination IP address, and cannot? View from the client is just a time-out.

Local to the server, however... still missing the proxy completely, but able to load any page.
Code:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 127.0.0.1:8118
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 127.0.0.1:8118
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum