OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Web Proxy Filtering and Caching (Moderator: fabian) »
  • Forward traffic to separate SSL proxy server
« previous next »
  • Print
Pages: [1]

Author Topic: Forward traffic to separate SSL proxy server  (Read 2552 times)

numbfx

  • Newbie
  • *
  • Posts: 1
  • Karma: 0
    • View Profile
Forward traffic to separate SSL proxy server
« on: October 12, 2020, 03:51:21 pm »
Hello,

I am having trouble figuring out how to set this up correctly. I have a separate IDS box on my network that I want to add a transparent SSL proxy to for analysis of SSL traffic. The app is called PolarProxy and they have a tutorial here https://www.netresec.com/index.ashx?page=Blog&month=2020-01&post=Sniffing-Decrypted-TLS-Traffic-with-Security-Onion for how to set up the gateway using iptables:

Code: [Select]
Add a forward rule on the gateway to allow forwarding traffic to our PolarProxy server:
    sudo iptables -A FORWARD -i eth1 -d [SecurityOnionIP] -p tcp --dport 10443 -m state --state NEW -j ACCEPT
 
Add a DNAT rule to forward 443 traffic to PolarProxy on port 10443:
    sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to [SecurityOnionIP]:10443

If the reverse traffic from PolarProxy to the client doesn't pass the firewall (i.e. they are on the same LAN), then we must add this hide-nat rule to fool PolarProxy that we are coming from the firewall:
    sudo iptables -t nat -A POSTROUTING -o eth1 -d [SecurityOnionIP] -p tcp --dport 10443 -j MASQUERADE
I understand adding the DNAT rule in NAT > Port Forward
But what about the reverse traffic, is that Outbound NAT? What would the configuration be for that?

Right now I am adding a forwarding rule in NAT > Port Forwarding to the network like so:
LAN side
Source any, port any
Destination any, port 443
Redirect [SecurityOnionIP] port 10443

and it is not working. Am I missing something? Any help would be appreciated. Thank you.
« Last Edit: October 12, 2020, 06:26:34 pm by numbfx »
Logged

Amr

  • Jr. Member
  • **
  • Posts: 78
  • Karma: 4
    • View Profile
Re: Forward traffic to separate SSL proxy server
« Reply #1 on: October 19, 2020, 08:11:46 am »
Hello  numbfx,
Is your box on the same subnet or another Virtual LAN.
your current port forward will make a loop since the traffic that your box sends to the internet over 443 (HTTPS) will be sent back to it, so you need to forward all lan traffic except fot the box's, you can easily achieve this with source / Invert.
it should be something like this:
Interface: Lan
Source / Invert : check this
Source : single host : your box ip or hostname
..etc
it should be displayed like this in the source address column: ![box_ip], this will redirect all traffic except the box's.

Another suggestion: you should redirect http(80) traffic to proxy too, unless ofc you don't want to.

Logged
Disclaimer: All advice presented is "AS IS", no warranties.
I'm not part of the opnsense team, just trying to help.
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Web Proxy Filtering and Caching (Moderator: fabian) »
  • Forward traffic to separate SSL proxy server
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2