Networking Forums


Iptables SSL redirect

 
 
Fritz Bayer
07-15-2004, 12:35 PM
Hi,

here is my network setup:

ADSL Router @ 192.168.1.1
Windows 2000 PC @ 192.168.1.2
Linux box @ 192.168.1.4

I'm running a transparent http proxy on the linux box which forwards
all requests to the router.

I set the gateway of the Windows 2000 PC to be my Linux box and used
the following iptables rule on the Linux box to redirect HTTP requests
to the proxy:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
--to-port 8000

Now I would like to redirect SSL connections to the Router. However, I
do not know how this can be done. The following did not work:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport https -j DNAT
--destination 192.168.1.1

Do you know what the iptables rule would have to look like?
 
Allen Kistler
07-15-2004, 04:39 PM
Fritz Bayer wrote:
> Hi,
>
> here is my network setup:
>
> ADSL Router @ 192.168.1.1
> Windows 2000 PC @ 192.168.1.2
> Linux box @ 192.168.1.4
>
> I'm running a transparent http proxy on the linux box which forwards
> all requests to the router.
>
> I set the gateway of the windows 2000 pc to be my linux box and used
> the following iptable rule on the linux box to redirect HTTP request
> to the proxy:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 8000
>
> Now I would like to redirect SSL connections to the Router. However, I
> do not know how this can be done. The following did not work:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport https -j DNAT
> --destination 192.168.1.1
>
> Do you know how the iptable rule would have to look like????


Unless your router is also a web server, I doubt you want to forward
them _to_ the router. You just want to forward them _through_ the router.

You need (1) to enable forwarding on the Linux box and (2) to allow
forwarding of https in the FORWARD chain (if your default policy for
FORWARD is not ACCEPT).

echo 1 > /proc/sys/net/ipv4/ip_forward
or
sysctl -w net.ipv4.ip_forward=1
or
net.ipv4.ip_forward = 1
in /etc/sysctl.conf

then, if necessary,
iptables -t filter -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT

I assume your Linux box's default gateway is already your router,
otherwise http proxying wouldn't work either yet, and you didn't say it
didn't.
 
Christoph Scheurer
07-15-2004, 05:22 PM
On 15 Jul 2004 05:35:27 -0700
fritz-(E-Mail Removed) (Fritz Bayer) wrote:

> Hi,
>
> here is my network setup:
>
> ADSL Router @ 192.168.1.1
> Windows 2000 PC @ 192.168.1.2
> Linux box @ 192.168.1.4
>
> I'm running a transparent http proxy on the linux box which forwards
> all requests to the router.
>
> I set the gateway of the windows 2000 pc to be my linux box and used
> the following iptable rule on the linux box to redirect HTTP request
> to the proxy:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 8000
>
> Now I would like to redirect SSL connections to the Router. However, I
> do not know how this can be done. The following did not work:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport https -j DNAT
> --destination 192.168.1.1
>
> Do you know how the iptable rule would have to look like????


Don't you just want to define an HTTP proxy on the WinBox and leave the routing alone?
Otherwise you'd better define such rules on the firewall.

Greets
Chris

 
Fritz Bayer
07-16-2004, 05:46 AM
Allen Kistler <(E-Mail Removed)> wrote in message news:<KqyJc.37029$(E-Mail Removed) igy.com>...
> Fritz Bayer wrote:
> > Hi,
> >
> > here is my network setup:
> >
> > ADSL Router @ 192.168.1.1
> > Windows 2000 PC @ 192.168.1.2
> > Linux box @ 192.168.1.4
> >
> > I'm running a transparent http proxy on the linux box which forwards
> > all requests to the router.
> >
> > I set the gateway of the windows 2000 pc to be my linux box and used
> > the following iptable rule on the linux box to redirect HTTP request
> > to the proxy:
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> > --to-port 8000
> >
> > Now I would like to redirect SSL connections to the Router. However, I
> > do not know how this can be done. The following did not work:
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport https -j DNAT
> > --destination 192.168.1.1
> >
> > Do you know how the iptable rule would have to look like????

>
> Unless your router is also a web server, I doubt you want to forward
> them _to_ the router. You just want to forward them _through_ the router.
>


Yes you are right. I know that my rule forwards it to the router as if
an https proxy were running on it. And you are right, that's not the case
- I just want to forward them to the open internet.

> You need (1) to enable forwarding on the Linux box and (2) to allow
> forwarding of https in the FORWARD chain (if your default policy for
> FORWARD is not ACCEPT).
>
> echo 1 > /proc/sys/net/ipv4/ip_forward


Ok I did this.

> or
> sysctl -w net.ipv4.ip_forward=1
> or
> net.ipv4.ip_forward = 1
> in /etc/sysctl.conf
>
> then, if necessary,
> iptables -t filter -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
>


Ok inserted it.

> I assume your Linux box's default gateway is already your router,
> otherwise http proxying wouldn't work either yet, and you didn't say it
> didn't.


That's right.

And yes! Thank you!!! It's working. Great! Could you just explain this
to me? I mean the rule above.

Ok I get that it targets tcp and port 443. But why didn't we put it
into the POSTROUTING chain in the nat table?

And should we have changed the destination ip? I mean not to the
router but somehow masquerade it? How does the packet know that it has
to go to the router? The default policy was already to ACCEPT.

And what's the "-m" option - can I leave it out?

Thanks so much...
 
Robert Brendel
07-16-2004, 08:19 PM
>> echo 1 > /proc/sys/net/ipv4/ip_forward

enables routing

>> iptables -t filter -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT


enables connections to port 443 coming from outside your network (which
shall be routed).

-m stands for match, -p specifies the protocol used, --dport stands for
destination port.


--> man iptables

Robert
 
Fritz Bayer
07-16-2004, 08:32 PM
Allen Kistler <(E-Mail Removed)> wrote in message news:<KqyJc.37029$(E-Mail Removed) igy.com>...
> Fritz Bayer wrote:
> > Hi,
> >
> > here is my network setup:
> >
> > ADSL Router @ 192.168.1.1
> > Windows 2000 PC @ 192.168.1.2
> > Linux box @ 192.168.1.4
> >
> > I'm running a transparent http proxy on the linux box which forwards
> > all requests to the router.
> >
> > I set the gateway of the windows 2000 pc to be my linux box and used
> > the following iptable rule on the linux box to redirect HTTP request
> > to the proxy:
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> > --to-port 8000
> >
> > Now I would like to redirect SSL connections to the Router. However, I
> > do not know how this can be done. The following did not work:
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport https -j DNAT
> > --destination 192.168.1.1
> >
> > Do you know how the iptable rule would have to look like????

>
> Unless your router is also a web server, I doubt you want to forward
> them _to_ the router. You just want to forward them _through_ the router.
>
> You need (1) to enable forwarding on the Linux box and (2) to allow
> forwarding of https in the FORWARD chain (if your default policy for
> FORWARD is not ACCEPT).
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> or
> sysctl -w net.ipv4.ip_forward=1
> or
> net.ipv4.ip_forward = 1
> in /etc/sysctl.conf
>
> then, if necessary,
> iptables -t filter -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
>
> I assume your Linux box's default gateway is already your router,
> otherwise http proxying wouldn't work either yet, and you didn't say it
> didn't.



Ok, now I understand. The FORWARD chain is for packets whose
destination is not the local PC but some other destination. They just
travel through.

My default policy however is to accept packets. So would that not
mean that any packets which travel through my PC should be sent to
the default gateway? Why do I have to insert the rule then?
 
Allen Kistler
07-20-2004, 06:08 AM
Fritz Bayer wrote:
> Allen Kistler <(E-Mail Removed)> wrote in message news:<KqyJc.37029$(E-Mail Removed) igy.com>...
>
>>Fritz Bayer wrote:
>>
>>>Hi,
>>>
>>>here is my network setup:
>>>
>>>ADSL Router @ 192.168.1.1
>>>Windows 2000 PC @ 192.168.1.2
>>>Linux box @ 192.168.1.4

>
> [snip]
>
>>then, if necessary,
>>iptables -t filter -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT

>
> [snip]
>
> Ok I get that it target's tcp and port 443. But why didn't we put it
> into the POSTROUTING chain in the nat table?
>
> And should we have changed the destination ip? I mean not to the
> router but somehow masquerade it? How does the packet know that it has
> to go to the router? The defaul policy was already to ACCEPT.


If your Windows box and router were on different subnets on either side
of the Linux box with the Linux box on both subnets (got it?), then you
would need a SNAT rule in the POSTROUTING chain. But everything is on
the same subnet, so you don't need a NAT rule.

> And what's the "-m" option - can I leave it out?


Many people do, since netfilter is usually smart enough to figure out it
has to load the tcp matching module, but it's better/nicer/whatever to
leave it there explicitly. Opinions vary.

As I said in my previous post, you may not even need a rule at all in
the FORWARD chain. It depends on whatever other rules/policies you've
got defined for FORWARD.
 
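The whole setup the thread converges on, written out as one script. This is an added example, not code from any of the posters. It keeps the thread's values (LAN 192.168.1.0/24, router 192.168.1.1, Linux box on eth0, proxy on port 8000) and adds a few things the thread only hints at: a DROP policy on FORWARD so the 443 rule actually matters, an INPUT rule for the proxy port (REDIRECTed packets are delivered locally, so they never reach FORWARD), the LAN interface and source subnet on the forwarding rule, and an optional MASQUERADE line for the two-subnet layout from the last reply. Assumptions not stated in the thread: `-m conntrack` is used in place of the older `-m state`, and `eth1` (WAN_IF) is only assumed to exist in the two-subnet variant. The script prints its commands by default and only runs them as root when called with `apply`.

```shell
#!/bin/sh
# Gateway ruleset for the thread's setup (added example, not one of the
# posters' scripts). Values from the thread: LAN 192.168.1.0/24, router
# 192.168.1.1, Linux box on eth0, transparent proxy on port 8000.
# Assumptions not in the thread: FORWARD gets a DROP policy (the poster's was
# ACCEPT); '-m conntrack' replaces the older '-m state'; eth1/WAN_IF exists
# only in the two-subnet variant from the last reply.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-8000}"
WAN_IF="${WAN_IF:-eth1}"

# Print the commands one per line without touching the kernel.
# render_rules 1 selects the two-subnet layout (clients on their own subnet
# behind a second NIC), the only case that needs a nat POSTROUTING rule.
#
# Why each rule is there:
#  - send_redirects=0: when the box forwards a packet back out eth0 towards
#    192.168.1.1, the kernel would otherwise send the client an ICMP redirect;
#    the client then installs a host route and talks to that destination
#    directly, which also bypasses the proxy for port 80 to that host.
#  - REDIRECT rewrites the destination to the box's own eth0 address, so the
#    packet is delivered locally and crosses INPUT, not FORWARD; INPUT must
#    therefore accept the proxy port.
#  - Port 443 is not proxied, only forwarded. With a DROP policy the FORWARD
#    chain needs an explicit ACCEPT, limited to the LAN interface and subnet
#    so the rule cannot be matched by traffic arriving from elsewhere.
#  - MASQUERADE is needed only when the clients sit on a subnet the router
#    has no route to; on one shared subnet the router answers the client
#    directly.
render_rules() {
    separate="${1:-0}"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.$LAN_IF.send_redirects=0
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t filter -F FORWARD
iptables -t filter -P FORWARD DROP
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT
iptables -t filter -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j ACCEPT
EOF
    if [ "$separate" = 1 ]; then
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    fi
}

# Number of iptables commands in the ruleset (sanity check for the dry run).
count_iptables_rules() {
    render_rules "${1:-0}" | grep -c '^iptables '
}

# Echo every command and, only when APPLY=1, execute it (needs root).
apply_rules() {
    render_rules "${1:-0}" | while IFS= read -r cmd; do
        printf '%s\n' "$cmd"
        if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd"; fi
    done
}

# Dry run by default: "sh gateway.sh" prints, "sh gateway.sh apply [1]" runs.
if [ "${1:-}" = apply ]; then APPLY=1; apply_rules "${2:-0}"; fi
```

Two caveats worth knowing before applying it on a shared subnet like the one in the thread. First, the thread's bare `--dport 443` rule has no interface or source match, so it permits forwarding of port 443 in any direction the box can route; the version above only matches traffic entering on eth0 from the LAN. Second, on a single subnet the router sends its replies straight to the Windows client, so the Linux box only ever sees one direction of the 443 flow and the ESTABLISHED rule never fires for it; that is harmless here because the stateless 443 rule accepts every client-side packet, but it is also why disabling ICMP redirects matters, since a redirect is exactly what the kernel emits when it notices the next hop is on the interface the packet came in on.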