Forward traffic to separate SSL proxy server

Started by numbfx, October 12, 2020, 03:51:21 PM

October 12, 2020, 03:51:21 PM Last Edit: October 12, 2020, 06:26:34 PM by numbfx
Hello,

I am having trouble figuring out how to set this up correctly. I have a separate IDS box on my network that I want to add a transparent SSL proxy to for analysis of SSL traffic. The app is called PolarProxy and they have a tutorial here https://www.netresec.com/index.ashx?page=Blog&month=2020-01&post=Sniffing-Decrypted-TLS-Traffic-with-Security-Onion for how to set up the gateway using iptables:

Add a forward rule on the gateway to allow forwarding traffic to our PolarProxy server:
    sudo iptables -A FORWARD -i eth1 -d [SecurityOnionIP] -p tcp --dport 10443 -m state --state NEW -j ACCEPT

Add a DNAT rule to forward 443 traffic to PolarProxy on port 10443:
    sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to [SecurityOnionIP]:10443

If the reverse traffic from PolarProxy to the client doesn't pass the firewall (i.e. they are on the same LAN), then we must add this hide-nat rule to fool PolarProxy that we are coming from the firewall:
    sudo iptables -t nat -A POSTROUTING -o eth1 -d [SecurityOnionIP] -p tcp --dport 10443 -j MASQUERADE


I understand adding the DNAT rule in NAT > Port Forward.
But what about the reverse traffic? Is that Outbound NAT? What would the configuration be for that?

Right now I am adding a forwarding rule in NAT > Port Forwarding to the network like so:
LAN side
Source any, port any
Destination any, port 443
Redirect [SecurityOnionIP] port 10443

and it is not working. Am I missing something? Any help would be appreciated. Thank you.

Hello numbfx,
Is your box on the same subnet or on another virtual LAN?
Your current port forward will make a loop, since the traffic that your box sends to the internet over 443 (HTTPS) will be sent back to it, so you need to forward all LAN traffic except for the box's. You can easily achieve this with Source / Invert.
It should be something like this:
Interface: Lan
Source / Invert : check this
Source : single host : your box ip or hostname
..etc
It should be displayed like this in the source address column: ![box_ip]. This will redirect all traffic except the box's.

Another suggestion: you should redirect http(80) traffic to proxy too, unless ofc you don't want to.

Disclaimer: All advice presented is "AS IS", no warranties.
I'm not part of the opnsense team, just trying to help.
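For readers who run the gateway side on Linux rather than OPNsense, here is an added example (not posted by either participant and not from the PolarProxy tutorial) that generates the three iptables rules quoted in the question and adds the source exclusion the reply recommends, expressed as `! -s <proxy_ip>` on the DNAT rule so the proxy's own outbound HTTPS is never redirected back to itself. The interface name `eth1`, the address `192.0.2.10` and the helper names `gen_rules` / `dnat_excludes_proxy` are constructed for this example; the script only prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: build the gateway rules for a transparent PolarProxy setup.
# "eth1" and 192.0.2.10 are constructed placeholders for the LAN interface and
# the proxy (Security Onion) host. Nothing is executed unless APPLY=1.

# gen_rules LAN_IF PROXY_IP [PROXY_PORT] -> prints one iptables command per line
gen_rules() {
    lan_if=$1
    proxy_ip=$2
    proxy_port=${3:-10443}

    # 1. Let new LAN connections reach the proxy listener.
    printf '%s\n' "iptables -A FORWARD -i $lan_if -d $proxy_ip -p tcp --dport $proxy_port -m state --state NEW -j ACCEPT"
    # 2. Redirect client HTTPS to the proxy. The "! -s" match excludes packets
    #    sourced by the proxy itself; without it the proxy's upstream TLS
    #    connections would be DNATed straight back to it (the loop).
    printf '%s\n' "iptables -t nat -A PREROUTING -i $lan_if ! -s $proxy_ip -p tcp --dport 443 -j DNAT --to-destination $proxy_ip:$proxy_port"
    # 3. Hide-NAT toward the proxy so its replies return through the gateway
    #    even when client and proxy sit on the same LAN segment.
    printf '%s\n' "iptables -t nat -A POSTROUTING -o $lan_if -d $proxy_ip -p tcp --dport $proxy_port -j MASQUERADE"
}

# dnat_excludes_proxy LAN_IF PROXY_IP -> exit 0 if the DNAT rule carries the
# source exclusion, i.e. the generated rule set cannot loop the proxy's traffic.
dnat_excludes_proxy() {
    gen_rules "$1" "$2" | grep -- '-j DNAT' | grep -q -- "! -s $2"
}

if [ "${APPLY:-0}" = "1" ]; then
    # Apply for real (requires root); each printed line is run as a command.
    gen_rules "${LAN_IF:-eth1}" "${PROXY_IP:-192.0.2.10}" | while IFS= read -r cmd; do
        sudo $cmd
    done
else
    # Dry run: show the rules that would be applied.
    gen_rules "${LAN_IF:-eth1}" "${PROXY_IP:-192.0.2.10}"
fi
```

On OPNsense the same exclusion is what the "Source / Invert" checkbox expresses in the port-forward rule; the script is the iptables equivalent of that GUI setting combined with the tutorial's forward and hide-NAT rules.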