Squid SSL transparent proxy - ssl-certificate

It just doesn't work, does it?
Firefox OK after installing the .pem file, but other applications not working.
Converted the .pem file to a .crt using
# openssl x509 -outform der -in myCA.pem -out myCA.crt
and installed it as a Trusted Root Certification Autnorities in certlm but still lots of things not working: Outlook, Teams, GoogleDrive,...

It seems to be very unreliable.
This is the configuration (from https://elatov.github.io/2019/01/using-squid-to-proxy-ssl-sites/) that's got Squid working. I have no idea why -- I just got lucky.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all
with
the .pem in the browser as an Authority, and
the .crt in Windows as a Trusted Root Certification Authorities.
For the exceptions the best approach is to not send them to Squid in the first place. Using the -d flag with a domain name in the iptables command simply resolves it to an IP address at the time the command therefore it's better to maintain an ipset that iptables can reference.
Here is my script for maintaining my ipset with the domains in a text file.
The idea is that this can be run as a cron job to pick up new domains and update the map to IP addresses.
#!/bin/sh
## Bypass Squid
ipset -L no-proxy >/dev/null 2>&1
if [ $? -ne 0 ]; then
echo "Creating ipset: no-proxy."
ipset create no-proxy hash:ip
fi
ipset flush no-proxy
if [ -f "/etc/squid/no-proxy-iptables.txt" ]; then
for domain in $(cat /etc/squid/no-proxy-iptables.txt); do
for address in $( dig a $domain +short | grep -P -e '^(\d{1,3}\.){3}\d{1,3}$' ); do
echo $domain " -> " $address
ipset add no-proxy $address
done
done
else
echo "File doess not exist: /etc/squid/no-proxy-iptables.txt"
fi
And here is my firewall script:
#!/bin/sh
iptables -t nat -F
iptables -t mangle -F
iptables -F # Does NOT flush everything! Hence the other three commands.
iptables -X
# Squid: exceptions
ipset -L no-proxy >/dev/null 2>&1
if [ $? -eq 0 ]; then
echo "Using ipset: no-proxy."
iptables -t nat -A PREROUTING -i br0 -m set --match-set no-proxy dst -j ACCEPT
fi
# Squid: HTTP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to 192.168.1.31:3128
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# Squid: HTTPS
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to 192.168.1.31:3129
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j REDIRECT --to-port 3129
# IP masquerade
iptables -A FORWARD -o wlan0 -i br0 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o enp0s6f1u2 -j MASQUERADE
# echo 1 > /proc/sys/net/ipv4/ip_forward
iptables-save > /etc/iptables/rules.v4
You seem to be able to get a good guess at what domains to bypass by keeping an eye on the network tab in the browser dev tools.

Related

Proxmox-VE 6 / PFSense, Problems with the iptables

I have been trying for some time to configure my Proxmox with a PFSense VM filtering internet traffic to my other VMs.
So far I have managed to install PFSense and configure the Proxmox interfaces. I have also managed to go to the PFSense web interface. However, my VMs do not always have access to the internet, so I try to modify my iptables to manage to redirect all the traffic on PFSense.
Here are my interfaces:
interfaces
On the shell I did this operation :
cat > /root/pfsense-route.sh << EOF
#!/bin/sh
## IP forwarding activation echo 1 > /proc/sys/net/ipv4/ip_forward
## Rediriger les paquets destinés au LAN pour l'interface WAN de la PFSense ip route change 192.168.9.0/24 via 10.0.0.2 dev vmbr1 EOF
And I modified the file /etc/hosts :
[...]
auto vmbr2
iface vmbr2 inet static
address 192.168.9.1/24
bridge-ports none
bridge-stp off
bridge-fd 0
post-up /root/pfsense-route.sh
#LAN
And now the heart of the problem, the iptables. Here is my current file :
#!/bin/sh
# ---------
# VARIABLES
# ---------
## Proxmox bridge holding Public IP
PrxPubVBR="vmbr0"
## Proxmox bridge on VmWanNET (PFSense WAN side)
PrxVmWanVBR="vmbr1"
## Proxmox bridge on PrivNET (PFSense LAN side)
PrxVmPrivVBR="vmbr2"
## Network/Mask of VmWanNET
VmWanNET="10.0.0.0/30"
## Network/Mmask of PrivNET
PrivNET="192.168.9.0/24"
## Network/Mmask of VpnNET
VpnNET="10.2.2.0/24"
## Public IP => Your own public IP address
PublicIP="91.121.134.145"
## Proxmox IP on the same network than PFSense WAN (VmWanNET)
ProxVmWanIP="10.0.0.1"
## Proxmox IP on the same network than VMs
ProxVmPrivIP="192.168.9.1"
## PFSense IP used by the firewall (inside VM)
PfsVmWanIP="10.0.0.2"
# ---------------------
# CLEAN ALL & DROP IPV6
# ---------------------
### Delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
### This policy does not handle IPv6 traffic except to drop it.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# --------------
# DEFAULT POLICY
# --------------
### Block ALL !
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# ------
# CHAINS
# ------
### Creating chains
iptables -N TCP
iptables -N UDP
# UDP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# TCP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# ------------
# GLOBAL RULES
# ------------
# Allow localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Don't break the current/active connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow Ping - Comment this to return timeout to ping request
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# --------------------
# RULES FOR PrxPubVBR
# --------------------
### INPUT RULES
# ---------------
# Allow SSH server
iptables -A TCP -i \$PrxPubVBR -d \$PublicIP -p tcp --dport 22 -j ACCEPT
# Allow Proxmox WebUI
iptables -A TCP -i \$PrxPubVBR -d \$PublicIP -p tcp --dport 8006 -j ACCEPT
### OUTPUT RULES
# ---------------
# Allow ping out
iptables -A OUTPUT -p icmp -j ACCEPT
### Proxmox Host as CLIENT
# Allow HTTP/HTTPS
iptables -A OUTPUT -o \$PrxPubVBR -s \$PublicIP -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o \$PrxPubVBR -s \$PublicIP -p tcp --dport 443 -j ACCEPT
# Allow DNS
iptables -A OUTPUT -o \$PrxPubVBR -s \$PublicIP -p udp --dport 53 -j ACCEPT
### Proxmox Host as SERVER
# Allow SSH
iptables -A OUTPUT -o \$PrxPubVBR -s \$PublicIP -p tcp --sport 22 -j ACCEPT
# Allow PROXMOX WebUI
iptables -A OUTPUT -o \$PrxPubVBR -s \$PublicIP -p tcp --sport 8006 -j ACCEPT
### FORWARD RULES
# ----------------
### Redirect (NAT) traffic from internet
# All tcp to PFSense WAN except 22, 8006
iptables -A PREROUTING -t nat -i \$PrxPubVBR -p tcp --match multiport ! --dports 22,8006 -j DNAT --to \$PfsVmWanIP
# All udp to PFSense WAN
iptables -A PREROUTING -t nat -i \$PrxPubVBR -p udp -j DNAT --to \$PfsVmWanIP
# Allow request forwarding to PFSense WAN interface
iptables -A FORWARD -i \$PrxPubVBR -d \$PfsVmWanIP -o \$PrxVmWanVBR -p tcp -j ACCEPT
iptables -A FORWARD -i \$PrxPubVBR -d \$PfsVmWanIP -o \$PrxVmWanVBR -p udp -j ACCEPT
# Allow request forwarding from LAN
iptables -A FORWARD -i \$PrxVmWanVBR -s \$VmWanNET -j ACCEPT
### MASQUERADE MANDATORY
# Allow WAN network (PFSense) to use vmbr0 public adress to go out
iptables -t nat -A POSTROUTING -s \$VmWanNET -o \$PrxPubVBR -j MASQUERADE
# --------------------
# RULES FOR PrxVmWanVBR
# --------------------
### Allow being a client for the VMs
iptables -A OUTPUT -o \$PrxVmWanVBR -s \$ProxVmWanIP -p tcp -j ACCEPT
For now with this I still manage to go on my VMs in proxmox, but I’m not internet access on it. Moreover, the shell of my server is no longer accessible on proxmox and SSH connections are no longer accessible.
Some details:
I use port 22 as ssh port
My server ip is 91.121.134.145
My version of linux is Debian 10 (Buster)
Honestly I don’t know where the problem comes from, I’m a beginner and I find the majority of this configuration on the internet. If you see what is wrong I would be very happy to have the answer! In the meantime I thank you in advance for your reading and your answers!
Edit :
I tried to pass the iptables in legacy mode using these commands :
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy
Only this command to refuse to work :
update-alternatives --set arptables /usr/sbin/arptables-legacy
Moreover I don’t know why but my VMs have good access to the internet, the problem is therefore centered on the SSH port that no longer works (I can no longer go on the shell since proxmox)

Iptables setting seem to block all traffic

I am trying to set up iptables to allow SSH port only from outside and all traffic from inside. Also, I'm trying to set some rules to prevent some basic DOS attacks. How do I manage the iptables rules properly?
I installed a Debian VM on VirtualBox where I set up a local static ip such as 10.0.2.3/30. I changed the SSH default port from 22 to 2222. I can connect to SSH from outside after setting up port forwarding on VirtualBox using NAT with 127.0.0.1 port 2222 on Host and 10.0.2.3 port 2222 on Client. So far so good.
Now I tried to set up firewall and DOS protection with iptables using the help of this guide such as I wrote the following script also using the kernel settings as described in the article.
sudo iptables -P INPUT DROP
### 1: Drop invalid packets ###
#sudo iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
### 2: Drop TCP packets that are new and are not SYN ###
#sudo iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
### 3: Drop SYN packets with suspicious MSS value ###
sudo iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
### 4: Block packets with bogus TCP flags ###
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
### 6: Drop ICMP (you usually don't need this protocol) ###
sudo iptables -t mangle -A PREROUTING -p icmp -j DROP
### 7: Drop fragments in all chains ###
sudo iptables -t mangle -A PREROUTING -f -j DROP
### 8: Limit connections per source IP ###
sudo iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
### 9: Limit RST packets ###
sudo iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
sudo iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
### 10: Limit new TCP connections per second per source IP ###
sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
### 11: Use SYNPROXY on port 2222 (SSH) (disables connection limiting rule) ###
#sudo iptables -t raw -A PREROUTING -p tcp --dport 2222 -m tcp --syn -j CT --notrack
#sudo iptables -A INPUT -p tcp --dport 2222 -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate INVALID -j DROP
### SSH brute-force protection ###
sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
### Protection against port scanning ###
sudo iptables -N port-scanning
sudo iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
sudo iptables -A port-scanning -j DROP
echo "Allowing traffic from SSH port 2222 and Internet traffic
# Allowing SSH connection from LAN
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
# Allowing Internet traffic
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### Make the iptables rules persistent after reboot
sudo bash -c "iptables-save > /etc/iptables/rules.v4"
I identified these lines to have an impact on SSH connection from my LAN:
### 1: Drop invalid packets ###
#sudo iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
I cannot connect to SSH when I uncomment these, and I don't understand why.
I figured out that my #1 rule was simply invalid #11 rule. I either had to use one or the other.

iptables: Access to nat via mac address

I have a server with two interfaces, LAN and WAN.
How to allow access to NAT from local addresses only through the MAC address via iptables?
I tried so but it did not work out:
iptables -P FORWARD -i eth0 -o eth1 -m mac --mac-source 48:43:7c:25:60:3a -j ACCEPT
iptables -P FORWARD -i eth0 -o eth1 -s 192.168.0.0/16 -j DROP
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Why are you using "-P" ? It is suppossed that "-P" is to set the general policy of a chain:
iptables -P FORWARD ACCEPT
For custom rules you should -A (append) or -I (insert).
What you want could something like:
iptables -P FORWARD ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m mac --mac-source 48:43:7c:25:60:3a -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j DROP
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Of course you need to have forwarding activated: echo "1" > /proc/sys/net/ipv4/ip_forward

libvirt iptables rules disrupt port forwarding to my KVM VM's

When I clear IPtables and then add the following rules, incoming connections can connect to my KVM VM on port 1234 without any problems.
-A PREROUTING -i br0 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.122.194:1234
-A FORWARD -d 192.168.122.194/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1234 -j ACCEPT
-A FORWARD -s 192.168.122.194/32 -p tcp -m tcp --sport 1234 -j ACCEPT
-A FORWARD -d 192.168.122.194/32 -p tcp -m tcp --dport 1234 -j ACCEPT
But I also want NAT to work inside my KVM VM's. By default libvirt sets up some rules that provide my VM's with NAT. However when I try sending SIGHUP to libvirt (that's how you ask it to add it's rules to iptables), it adds the following rules to iptables that breaks my port forwarding that I have specified above.
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
I've tried running these commands manually. I can run all of the FORWARD and OUTPUT commands and they do not break my port forwarding. However I can't run any of the POSTROUTING commands manually. I get an error saying: "No chain/target/match by that name."
*These libvirt iptables rules in the last grey section above were obtained by running iptables-save and confirming port forwarding was working, then sending SIGHUP to libvirt, confirming port forwarding was broken, then running iptables-save again and running a diff on the two outputs to find which new iptables rules were added by libvirt.
I just enabled NAT with my own rules. I didn't bother with any of the default libvirt rules.
Adding NAT is as simple as 3 iptables commands.
(where br0 is your internet facing adapter (it could be ppp0 or whatever))
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
iptables -A FORWARD -i br0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i virbr0 -o br0 -j ACCEPT

How to do local port forwarding with iptables

I have an application (server) listening on port 8080. I want to be able to forward port 80 to it, such that hitting http://localhost resolves my application (on localhost:8080).
This should be generalized for any port mapping (e.g. 80:8080 => P_src:P_target), and use best practices for modern *nix machines (e.g. Ubuntu).
N.B. This is all done locally, so there is no need to accept connections from anyone but localhost.
So after much searching around, I found the answer uses iptables, setting up a NAT, and using the built-ins PREROUTING and OUTPUT.
First, you must have port forwarding enabled:
echo "1" > /proc/sys/net/ipv4/ip_forward
Then you have to add the following rules to your iptables NAT table, using your own values for ${P_src} and ${P_target}:
iptables -t nat -A PREROUTING -s 127.0.0.1 -p tcp --dport ${P_src} -j REDIRECT --to ${P_target}`
iptables -t nat -A OUTPUT -s 127.0.0.1 -p tcp --dport ${P_src} -j REDIRECT --to ${P_target}`
If you want to remove the rules, you simply need to use the -D switch instead of -A for each rule.
I build a nice little script for this that does adding and removing of mappings.
#!/bin/bash
#
# API: ./forwardPorts.sh add|rm p1:p1' p2:p2' ...
#
# Results in the appending (-A) or deleting (-D) of iptable rule pairs that
# would otherwise facilitate port forwarding.
#
# E.g
# sudo iptables -t nat -A PREROUTING -s 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to 8080
# sudo iptables -t nat -A OUTPUT -s 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to 8080
#
if [[ $# -lt 2 ]]; then
echo "forwardPorts takes a state (i.e. add or rm) and any number port mappings (e.g. 80:8080)";
exit 1;
fi
case $1 in
add )
append_or_delete=A;;
rm )
append_or_delete=D;;
* )
echo "forwardPorts requires a state (i.e. add or rm) as it's first argument";
exit 1; ;;
esac
shift 1;
# Do a quick check to make sure all mappings are integers
# Many thanks to S.O. for clever string splitting:
# http://stackoverflow.com/questions/918886/how-do-i-split-a-string-on-a-delimiter-in-bash
for map in "$#"
do
IFS=: read -a from_to_array <<< "$map"
if [[ ! ${from_to_array[0]} =~ ^-?[0-9]+$ ]] || [[ ! ${from_to_array[1]} =~ ^-?[0-9]+$ ]]; then
echo "forwardPorts port maps must go from an integer, to an integer (e.g. 443:4443)";
exit 1;
fi
mappings[${#mappings[#]}]=${map}
done
# We're shooting for transactional consistency. Only manipulate iptables if all
# the rules have a chance to succeed.
for map in "${mappings[#]}"
do
IFS=: read -a from_to_array <<< "$map"
from=${from_to_array[0]}
to=${from_to_array[1]}
sudo iptables -t nat -$append_or_delete PREROUTING -s 127.0.0.1 -p tcp --dport $from -j REDIRECT --to $to
sudo iptables -t nat -$append_or_delete OUTPUT -s 127.0.0.1 -p tcp --dport $from -j REDIRECT --to $to
done
exit 0;