How do I use IPTABLES to create a HTTPS (443) passthrough around Squid?

Question

I've got Ubuntu and Squid running on a machine acting as a transparent proxy and a default gateway for many pc's on my network, which means all internet bound activity comes through the interface to be filtered before leaving for the router (192.168.1.1). HTTPS/SSL (443) does not work because packets on port 443 will come in and hit a wall as I have no rules specified for it.

How do I use iptables to create a passthrough for 443 connections?

----------------- EDIT -----------------------

Managed to get https working after setting the proxy settings for SSL to point to the squid box. However, if I were making a linux router (which I sort of am), would it mean SSL would never work unless I have a proxy running? The IP address for the linux box is 192.168.1.235 and i've set a test computer running winXP to that as its default gateway. Surely there's a way to allow 443 SSL to "pass through" without even touching on the proxy?

I'm also a tad confused as to why https is working at all...I haven't got any sort of routes or anything in the iptables that deal with 443. Any light shed on this would be greatly appreciated!

score 4 · Answer 1 · answered Oct 26 '09 at 13:33

You can not transparently proxy HTTPS. When you transparent proxy, clients think they are talking to the remote server. With HTTPS, they will attempt to create an SSL connection, which will authenticate the remote host by comparing the remote certificate to the hostname. This won't work because your squid will not have the right certificate.

You can, however, proxy HTTPS connections, because clients that know how to proxy HTTPS will open a connection to your proxy and issue a CONNECT request, which basically tunnels the connection via the proxy.

The best thing for you to do is to block direct access to port 443 and tell your users that if they want to use HTTPS, they must configure their browser to use the proxy.

How do you "block direct access to port 443"? And how do you unblock it then if the user configures their browser to use the proxy? — Big McLargeHuge, May 22 '13 at 19:50

Sam Halicke · Answer 2 · 2009-10-26T07:44:50.123

0

This assumes a bit about your configuration, but this should be close to what you need. Assuming the LAN side is eth1:

iptables -I INPUT -i eth1 -p tcp --dport 443 -j ACCEPT

This will jump all packets coming in from the LAN side with a destination port of 443 to the ACCEPT target and then out to the router, again I'm assuming you already have that set up.

Hope that helps.

EDIT: per your comment about having only one interface:

You will need a source-address based rule, then -- modify the addresses as needed:

iptables -I INPUT -p tcp -s 192.168.1.0/24 --dport 443 -j ACCEPT

edited Oct 26 '09 at 07:44

answered Oct 26 '09 at 07:05

Sam Halicke

6,122
1
24
35

nope! I only have eth0 set up as the box only has a single ethernet connection how do i set up the accept chain? – atomicharri Oct 26 '09 at 07:25
See David's comment below. I completely forgot about what he mentions. – Sam Halicke Oct 26 '09 at 17:48

How do I use IPTABLES to create a HTTPS (443) passthrough around Squid?

2 Answers2

Linked