2019-09-10 - HTTPS Traffic Log IPTABLE Issue

Header Data

From: SK NZ <sa***m@gmail.com>
Message Hash: f4c73e9418f39daf95c8cd4949aa700ec5c222981bfcb13b2dcaba2005a926d5
Message ID: <f6deda79-b57c-4243-aa26-be9952b2eba6@grasehotspot.org>
Reply To: N/A
UTC Datetime: 2019-09-10 04:24:34 UTC
Raw Date: Tue, 10 Sep 2019 04:24:34 -0700

Raw message

Hello,
I've managed to compile squid3 with SSL support on a standalone (squid3-only) 
server, and now I can monitor the HTTPS traffic log without issuing any 
certificate. I got this idea originally from 
here: http://blog.manty.net/2014/12/squid-proxy-being-transparent-also-for.html

*To implement this in a Grase Hotspot Server*, I reinstalled the squid3 
packages with SSL support and kept all the original Grase configuration. Then 
I modified *squid.conf.grase* to enable HTTPS. So far it has worked perfectly; 
squid restarted without any error.

> http_port 3128
> http_port 3129 intercept
> https_port 3127 intercept ssl-bump generate-host-certificates=off cert=/etc/squid3/certs/squid.pem
> acl ssl-bump_port myportname 3127
> always_direct allow ssl-bump_port


For these new squid ports, the default iptables rules will not work, so I 
tried to modify */etc/chilli/ipub.sh*:

> ipt -I PREROUTING -t mangle -p tcp -s $NET/$MASK -d $ADDR --dport 3129 -j DROP
> ipt -I PREROUTING -t nat -i $TUNTAP -p tcp -s $NET/$MASK ! -d $ADDR --dport 80 -j REDIRECT --to 3129
> ipt -I PREROUTING -t mangle -p tcp -s $NET/$MASK -d $ADDR --dport 3127 -j DROP
> ipt -I PREROUTING -t nat -i $TUNTAP -p tcp -s $NET/$MASK ! -d $ADDR --dport 443 -j REDIRECT --to 3127
> ipt -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE


Now I can't browse after connecting to the hotspot. *iptables is blocking* it 
somewhere! If anyone can help me figure it out, that would be a really 
great help.


On my standalone server, I've used these iptables rules and they work like a 
charm!

> *nat
> :PREROUTING ACCEPT
> :POSTROUTING ACCEPT
> :OUTPUT ACCEPT
> -A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 443 -j REDIRECT --to-ports 3127
> -A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3129
> COMMIT
> *filter
> :INPUT DROP
> :FORWARD DROP
> :OUTPUT ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -p tcp --dport http -j ACCEPT
> -A INPUT -i eth0 -p tcp --dport 3127:3128 -j ACCEPT
> -A INPUT -i eth0 -p udp --dport bootps -j ACCEPT
> -A INPUT -i eth0 -p udp --dport domain -j ACCEPT
> -A INPUT -i eth0 -p tcp --dport domain -j ACCEPT
> COMMIT



*Thanks in advance.*
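The post's two rulesets both rely on the same mechanism: a nat PREROUTING REDIRECT rewrites the client's destination port to the squid intercept port, and the packet then has to pass filter INPUT with that rewritten port. The first thing to check when "iptables is blocking it somewhere" is therefore whether INPUT actually accepts every REDIRECT target port. The script below is an added example written for this page; it is not code from the post or from the Grase Hotspot project. It parses an iptables-save style dump, collects the TCP REDIRECT target ports from the nat table (both the `--to-ports` form used on the standalone server and the `--to` short form used in ipub.sh), and reports any port that filter INPUT would drop. The embedded sample is the standalone ruleset quoted above, slightly abridged; the SERVICE_PORTS map is an assumption standing in for the /etc/services lookup iptables does for names like `http`, and the rule matcher understands only the options that appear here (no `multiport`, no custom chains).

```python
"""Check that every nat REDIRECT target port is accepted by filter INPUT.

Packets redirected in nat PREROUTING traverse filter INPUT with the rewritten
destination port; with INPUT policy DROP and no ACCEPT for that port, squid
never sees the connection. Input is iptables-save format; nothing is applied.
"""
import shlex

# Sample input: the standalone-server ruleset quoted in the post (abridged).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 443 -j REDIRECT --to-ports 3127
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3129
COMMIT
*filter
:INPUT DROP
:FORWARD DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport http -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 3127:3128 -j ACCEPT
-A INPUT -i eth0 -p udp --dport domain -j ACCEPT
COMMIT
"""
# Assumption: iptables resolves names via /etc/services; only the sample's names are mapped.
SERVICE_PORTS = {"http": 80, "https": 443, "domain": 53, "ssh": 22}

def parse_tables(text):
    """Return {table: {"policies": {chain: policy}, "rules": [argv, ...]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":") and current is not None:
            chain, policy = line[1:].split()[:2]
            current["policies"][chain] = policy
        elif line == "COMMIT":
            current = None
        elif current is not None:
            current["rules"].append(shlex.split(line))
    return tables

def _opt(argv, name):
    """Value after option `name`, or None if absent or negated with '!'."""
    for i, tok in enumerate(argv[:-1]):
        if tok == name:
            return None if i > 0 and argv[i - 1] == "!" else argv[i + 1]
    return None

def _port_range(spec):
    """'3127:3128' -> (3127, 3128); '80' or 'http' -> (80, 80)."""
    lo, _, hi = spec.partition(":")
    lo = int(SERVICE_PORTS.get(lo, lo))
    hi = int(SERVICE_PORTS.get(hi, hi)) if hi else lo
    return lo, hi

def redirect_targets(tables):
    """Ports that nat-table TCP REDIRECT rules send traffic to (--to-ports or --to)."""
    targets = set()
    for argv in tables.get("nat", {}).get("rules", []):
        if _opt(argv, "-j") == "REDIRECT" and _opt(argv, "-p") == "tcp":
            spec = _opt(argv, "--to-ports") or _opt(argv, "--to")
            if spec:
                lo, hi = _port_range(spec)
                targets.update(range(lo, hi + 1))
    return targets

def input_accepts_tcp(tables, port):
    """True if filter INPUT admits a new TCP connection to `port` from a LAN interface."""
    table = tables.get("filter", {"policies": {}, "rules": []})
    if table["policies"].get("INPUT", "ACCEPT") == "ACCEPT":
        return True
    for argv in table["rules"]:
        if _opt(argv, "-A") != "INPUT" or _opt(argv, "-j") != "ACCEPT":
            continue
        if _opt(argv, "-p") not in (None, "tcp"):
            continue  # udp-only rules cannot admit the proxy's TCP connection
        dport = _opt(argv, "--dport")
        if dport is None:
            state = _opt(argv, "--state")
            if state is not None and "NEW" not in state.split(","):
                continue  # admits established flows only, not the first SYN
            if _opt(argv, "-i") == "lo":
                continue  # loopback only; client traffic arrives on eth0
            return True  # unconditional accept
        lo, hi = _port_range(dport)
        if lo <= port <= hi:
            return True
    return False

def unreachable_redirects(text):
    """Sorted REDIRECT target ports that filter INPUT would drop."""
    tables = parse_tables(text)
    return sorted(p for p in redirect_targets(tables) if not input_accepts_tcp(tables, p))

if __name__ == "__main__":
    import sys
    text = SAMPLE_RULES if sys.stdin.isatty() else sys.stdin.read()
    print("REDIRECT target ports not accepted by filter INPUT:", unreachable_redirects(text))
```

Run against the quoted standalone ruleset it reports port 3129: the `3127:3128` INPUT rule stops one short of the HTTP intercept port, and `--dport http` matches the original port 80, not the rewritten one. On the hotspot box the useful input is the live ruleset after chilli has run ipub.sh (`iptables-save | python3 check_redirects.py`, with whatever filename you save the script under), since chilli adds its own INPUT and mangle rules around the ones edited by hand. The mangle DROP rules in ipub.sh are evaluated before nat PREROUTING, so they only block clients that connect to the proxy port directly; they do not affect packets that have already been redirected, and the checker ignores them for that reason.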