iptables enables access to my personal website when I'm inside my LAN but blocks access when I'm outside


I am using a transparent proxy to forward requests from a source (client) to a destination (server). I use iptables to make the transparent bit work, i.e. it makes the client's IP appear at the destination even though the request went through the intermediate proxy. The proxy is called sslh, actually: https://github.com/yrutschle/sslh

Here are the rules:

# user-defined chain in the mangle table that marks packets for sslh
iptables -w -t mangle -N SSLH
# inbound packets that belong to a transparent (sslh) socket
iptables -w -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH
# locally generated packets leaving eth0 with one of the proxied service ports as source port
iptables -w -t mangle -A OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 80,443,4480 --jump SSLH
# everything sent to SSLH gets fwmark 0x1; ACCEPT ends mangle traversal for the packet
iptables -w -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -w -t mangle -A SSLH --jump ACCEPT
# marked packets are looked up in table 100, whose only route delivers them to loopback
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

I am running a website on Apache on the same machine as the proxy; it's a Pi that's inside my home LAN.

When I try to access a website on that Apache and the request originates from outside the LAN (for example if I connect to a Wi-Fi hotspot on my phone), the page appears in the browser. HOWEVER, if I connect to my LAN Wi-Fi network and try to open the same page I get a timeout, UNLESS I disable those iptables rules; but when I do that, requests that originate from outside the LAN time out.

To possibly complicate things a bit, I also use dnsmasq running on the same Pi to simulate NAT loopback so I can access the website from within my own LAN using its domain name and not just the local IP address.

If I just use the local IP address of the web server it still won't work anyway, unless I

Do I need to modify the iptables rules so that a web request like this:

https://www.example.com/test.html

Will bring up the page whether I'm outside or inside my LAN?

Thank you,

Flex

FlexMcMurphy

Posted 2019-07-18T21:28:26.333

Why are you marking source ports rather than destination ones in line 3? Also, I don't see how you are intercepting and redirecting requests. It would seem to me that your last line is redirecting traffic out the lo interface, but not rewriting the target, so I don't see how it can work (but I'm on holiday, and may be missing the obvious) – davidgo – 2019-07-19T05:37:59.680

That's an OUTPUT chain, so it applies to packets that are leaving processes on the host, like a web server; hence source port. In this set-up I don't need to rewrite packets: I mark them and route the marked ones to localhost so they get routed back to where they came from. I don't fully understand it myself, but it does work as a transparent proxy. I don't need help with that; I need help understanding why I get a timeout when those rules are in place and the request originates from within my LAN, but it works fine when the request originates from outside on the internet. Cheers. – FlexMcMurphy – 2019-07-20T12:31:28.923

Answers


I have a solution that works.

My question was...

Do I need to modify the iptables rules so that a web request like this:
https://www.example.com/test.html
Will bring up the page whether I'm outside or inside my LAN?

My iptables rules seem to be blocking connection requests that originate from inside my LAN. I still don't know why this is exactly, except that it must be the iptables rules doing it, because requests that originate outside the LAN work fine with the rules in place, and requests that originate from outside or inside work when the rules are off completely.

I had the idea to add rules to ACCEPT incoming and outgoing traffic from all IPs on my local LAN. The DHCP server on my router assigns IPs to devices on my LAN in the range 192.168.1.1 to 192.168.1.200.

By specifying 192.168.1.0/24 I can refer to ALL IPs in that range.

So these are the rules I use now:

# user-defined chain in the mangle table that marks packets for sslh
iptables -t mangle -N SSLH
# ACCEPT in the mangle table ends mangle traversal for the packet (it does not filter);
# these two rules keep LAN traffic out of the SSLH chain
iptables -t mangle -A INPUT -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -t mangle -A OUTPUT -p tcp -d 192.168.1.0/24 -j ACCEPT
# inbound packets that belong to a transparent (sslh) socket
iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH
# locally generated packets leaving eth0 with one of the proxied service ports as source port
iptables -t mangle -A OUTPUT -p tcp --out-interface eth0 -m multiport --sport 80,443,4480 -j SSLH
# everything sent to SSLH gets fwmark 0x1 and stops traversing mangle
iptables -t mangle -A SSLH -j MARK --set-mark 0x1
iptables -t mangle -A SSLH -j ACCEPT
# marked packets are looked up in table 100, whose only route delivers them to loopback
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

And I'm pleased to say that a URL like https://www.example.com/ that points to a web page on my personal Apache server on a Pi on my LAN now opens the web page whether I'm requesting the page from inside or outside my LAN.

To figure out why my original rules were blocking requests that originated from within my LAN I tried changing:

iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH

To:

iptables -t mangle -A PREROUTING -p tcp -j SSLH

because the transparent socket match ignores non-transparent sockets, which a request that does not go through sslh would be. But traffic from local IP addresses was still blocked.

This rule is the likely culprit: it sends all outgoing packets from my web server (port 443) to the user-defined chain SSLH. All the packets in this chain are marked and, with help from the rules after it, are routed to the loopback interface for processing by the sslh proxy.

iptables -t mangle -A OUTPUT -p tcp --out-interface eth0 -m multiport --sport 80,443,4480 -j SSLH

But when those packets were "incoming" and didn't go through the sslh proxy to get to their destination in the first place, then when they are "outgoing" and get routed to the loopback interface to be processed by sslh, I guess it doesn't know what to do with them and they are just lost. In this case those packets were needed to make a web page appear in the client's browser, so hence the website times out.

Cheers,

Flex

FlexMcMurphy
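The answer above identifies the OUTPUT rule as the culprit. A small model of the mangle OUTPUT chain makes the mechanism visible: under the original rules every packet leaving eth0 with source port 80, 443 or 4480 is sent to the SSLH chain, marked 0x1 and therefore routed into table 100 (to loopback), whether or not the connection it belongs to ever passed through sslh; under the answer's rules the `-d 192.168.1.0/24 -j ACCEPT` rule terminates mangle OUTPUT traversal for replies to LAN hosts before the jump, so they keep mark 0 and use the main routing table. The example below is added by the editor and is not code from the question, the answer or the sslh project. It implements only the iptables matches the posted rules use and the MARK and ACCEPT targets; the addresses and ports in the sample packets are constructed. Note that the `mangle INPUT ... -j ACCEPT` rule in the answer plays no part in this outcome, since ACCEPT in the mangle table only ends traversal of that table's chain and filters nothing; the OUTPUT exception is what changes the routing decision.

```python
"""Model of the mangle OUTPUT rules from the question and the answer
(added example, not from the original post or the sslh project).
Implements only: -p, -s/-d CIDR, --out-interface, -m multiport --sport,
the MARK and ACCEPT targets, and jumps to a user-defined chain."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    oif: str                 # outgoing interface as seen by OUTPUT
    proto: str = "tcp"


@dataclass
class Rule:
    target: str                     # "ACCEPT", "MARK" or a user chain name
    proto: Optional[str] = None     # -p
    src: Optional[str] = None       # -s CIDR
    dst: Optional[str] = None       # -d CIDR
    oif: Optional[str] = None       # --out-interface
    sports: Tuple[int, ...] = ()    # -m multiport --sport
    mark: int = 0                   # MARK --set-mark

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto is None or p.proto == self.proto)
            and (self.src is None or ip_address(p.src) in ip_network(self.src))
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
            and (self.oif is None or p.oif == self.oif)
            and (not self.sports or p.sport in self.sports)
        )


Chains = Dict[str, List[Rule]]


def traverse(chains: Chains, chain: str, p: Packet, mark: int = 0) -> Tuple[int, bool]:
    """Walk a chain the way iptables does. Returns (mark, terminated):
    ACCEPT ends this table's processing, MARK sets the mark and continues,
    a jump comes back here only if the user chain falls off its end."""
    for r in chains[chain]:
        if not r.matches(p):
            continue
        if r.target == "ACCEPT":
            return mark, True
        if r.target == "MARK":
            mark = r.mark
            continue
        mark, terminated = traverse(chains, r.target, p, mark)
        if terminated:
            return mark, True
    return mark, False


def output_mark(chains: Chains, p: Packet) -> int:
    """fwmark a locally generated packet carries after mangle OUTPUT."""
    return traverse(chains, "OUTPUT", p)[0]


def route_for(chains: Chains, p: Packet) -> str:
    """'ip rule add fwmark 0x1 lookup 100' plus the local route on lo in
    table 100: a marked packet is delivered to loopback, an unmarked one
    is routed with the main table and actually leaves eth0."""
    return "lo via table 100" if output_mark(chains, p) == 0x1 else "main table"


LAN = "192.168.1.0/24"
SSLH_PORTS = (80, 443, 4480)
SSLH_CHAIN = [Rule("MARK", mark=0x1), Rule("ACCEPT")]

# mangle OUTPUT as posted in the question
ORIGINAL: Chains = {
    "OUTPUT": [Rule("SSLH", proto="tcp", oif="eth0", sports=SSLH_PORTS)],
    "SSLH": SSLH_CHAIN,
}

# mangle OUTPUT from the answer: the -d LAN ACCEPT sits before the jump
FIXED: Chains = {
    "OUTPUT": [
        Rule("ACCEPT", proto="tcp", dst=LAN),
        Rule("SSLH", proto="tcp", oif="eth0", sports=SSLH_PORTS),
    ],
    "SSLH": SSLH_CHAIN,
}

# constructed sample packets leaving the Pi (192.168.1.10 is assumed)
REPLY_TO_LAN = Packet("192.168.1.10", "192.168.1.50", 443, 51000, "eth0")
REPLY_TO_WAN = Packet("192.168.1.10", "203.0.113.5", 443, 40000, "eth0")
SSH_TO_WAN = Packet("192.168.1.10", "203.0.113.5", 22, 40001, "eth0")

if __name__ == "__main__":
    for name, chains in (("original", ORIGINAL), ("fixed", FIXED)):
        for p in (REPLY_TO_LAN, REPLY_TO_WAN, SSH_TO_WAN):
            print(f"{name:8} {p.src}:{p.sport} -> {p.dst}: {route_for(chains, p)}")
```

Running it shows the one row that differs between the two rule sets: the reply to the LAN client is sent to loopback under the original chain and routed normally under the fixed one, while replies to an internet client are marked in both and an unrelated port (22) is never marked. Because the exception is keyed on destination address only, it is a routing carve-out, not a filter: whatever the filter table allows for LAN sources is unchanged by it.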