* Is it possible to get a transparent proxy with Redsocks when using the new nftables?
From: Verachten Bruno @ 2020-03-03 14:27 UTC (permalink / raw)
To: netfilter
Hi List,
I hope I'm on the right list to ask that question. I'm not an expert
by any means on network, so please bear with me.
I've been using Redsocks for a few months now on a Ubuntu "18.04.3 LTS
(Bionic Beaver)" machine. This machine has iptables, and not nftables.
So I have a few rules to redirect 80,443,9048,1935 and so on.
sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 1935 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 21 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 11371 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 9418 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 6380 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 1935 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 11371 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 9418 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 9418 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 6380 -j REDSOCKS
I exported those rules to another machine running "Debian GNU/Linux 10 (buster)", which has nftables. I converted the existing rules thanks to
iptables-save > save.txt
iptables-restore-translate -f save.txt > ruleset.nft
nft -f ruleset.nft
Nothing seems to work; a git command or anything else just times out.
Here is the configuration I get once the rules have been imported:
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
meta l4proto tcp tcp dport 443 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 80 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 21 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 9418 counter packets 0 bytes 0 jump REDSOCKS
tcp dport https counter packets 0 bytes 0 jump REDSOCKS
tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
tcp dport http counter packets 0 bytes 0 jump REDSOCKS
tcp dport ftp counter packets 0 bytes 0 jump REDSOCKS
tcp dport git counter packets 0 bytes 0 jump REDSOCKS
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
meta l4proto tcp tcp dport 443 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 80 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 21 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport 9418 counter packets 0 bytes 0 jump REDSOCKS
tcp dport https counter packets 0 bytes 0 jump REDSOCKS
tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
tcp dport http counter packets 0 bytes 0 jump REDSOCKS
tcp dport ftp counter packets 0 bytes 0 jump REDSOCKS
tcp dport git counter packets 0 bytes 0 jump REDSOCKS
}
chain REDSOCKS {
ip daddr 0.0.0.0/8 counter packets 0 bytes 0 return
ip daddr 10.0.0.0/8 counter packets 0 bytes 0 return
ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
ip daddr 169.254.0.0/16 counter packets 0 bytes 0 return
ip daddr 172.16.0.0/12 counter packets 0 bytes 0 return
ip daddr 192.168.1.0/24 counter packets 0 bytes 0 return
ip daddr 192.168.31.0/24 counter packets 0 bytes 0 return
ip daddr 224.0.0.0/4 counter packets 0 bytes 0 return
ip daddr 240.0.0.0/4 counter packets 0 bytes 0 return
meta l4proto tcp counter packets 0 bytes 0 redirect to :12345
counter packets 0 bytes 0 return
ip daddr 10.0.0.0/8 counter packets 0 bytes 0 return
ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
ip daddr 169.254.0.0/16 counter packets 0 bytes 0 return
ip daddr 172.16.0.0/12 counter packets 0 bytes 0 return
ip daddr 192.168.1.0/24 counter packets 0 bytes 0 return
ip daddr 192.168.31.0/24 counter packets 0 bytes 0 return
ip daddr 224.0.0.0/4 counter packets 0 bytes 0 return
ip daddr 240.0.0.0/4 counter packets 0 bytes 0 return
ip protocol tcp counter packets 0 bytes 0 redirect to :12345
}
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority -150; policy accept;
}
chain INPUT {
type filter hook input priority -150; policy accept;
}
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
chain OUTPUT {
type route hook output priority -150; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
}
Is there anything I'm missing?
Thanks.
--
Bruno Verachten
* Re: Is it possible to get a transparent proxy with Redsocks when using the new nftables?
From: Florian Westphal @ 2020-03-03 15:57 UTC (permalink / raw)
To: Verachten Bruno; +Cc: netfilter
Verachten Bruno <gounthar@gmail.com> wrote:
> I've been using Redsocks for a few months now on a Ubuntu "18.04.3 LTS
> (Bionic Beaver)" machine. This machine has iptables, and not nftables.
> So I have a few rules to redirect 80,443,9048,1935 and so on.
>
> (buster)", which has nftables. I converted the existing rules thanks
> to
>
> iptables-save > save.txt
> iptables-restore-translate -f save.txt > ruleset.nft
> nft -f ruleset.nft
>
> Nothing seems to work, as a git command or anything else is just
> falling in timeout.
> Here is the configuration I get once the rules have been imported:
> table ip filter {
> chain INPUT {
> type filter hook input priority 0; policy accept;
> }
>
> chain FORWARD {
> type filter hook forward priority 0; policy accept;
> }
>
> chain OUTPUT {
> type filter hook output priority 0; policy accept;
> }
> }
The above chains are unneeded and can be removed.
> table ip nat {
> chain PREROUTING {
> type nat hook prerouting priority -100; policy accept;
> meta l4proto tcp tcp dport 443 counter packets 0 bytes 0 jump REDSOCKS
> meta l4proto tcp tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport { 443, 1935, ... } jump REDSOCKS
> ip daddr 240.0.0.0/4 counter packets 0 bytes 0 return
Given all counters are 0, I would guess you use an older kernel
where nft nat and iptables nat cannot coexist.
I suspect you need to unload the iptable_nat module.
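Added example, not part of the thread and not Florian's or redsocks' own configuration: a native nftables ruleset that does what the translated REDSOCKS rules above do, written with the port-set form Florian suggests and a second set for the destinations that must bypass the proxy. It assumes redsocks listens on port 12345 as in the thread, that the ports and bypass ranges are the ones from the original iptables rules (the two 192.168.x /24s are folded into 192.168.0.0/16, which the second copy of the chain already used), and that redsocks runs as a dedicated system user named redsocks, which the loop-prevention rule in the output chain relies on.

```nft
# Added example (not from the thread): native nftables version of the REDSOCKS
# setup above, using sets instead of one rule per port.
# Assumptions: redsocks listens on 127.0.0.1:12345 (the port used in the thread);
# the ports and bypass ranges are those of the original iptables rules; redsocks
# runs as a dedicated system user named "redsocks".
table ip nat {
    set proxied_ports {
        type inet_service
        elements = { 21, 80, 443, 1935, 6380, 9418, 11371 }
    }

    set bypass_dst {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
                     172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }
    }

    chain redsocks {
        # Local, private, link-local, multicast and reserved destinations are never proxied.
        ip daddr @bypass_dst counter return
        # Anything else that reached this chain is TCP to a proxied port: hand it to redsocks.
        meta l4proto tcp counter redirect to :12345
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        tcp dport @proxied_ports counter jump redsocks
    }

    chain output {
        type nat hook output priority -100; policy accept;
        # redsocks' own upstream connections must not be sent back into redsocks,
        # or they loop whenever the upstream proxy port is in proxied_ports.
        meta skuid redsocks return
        tcp dport @proxied_ports counter jump redsocks
    }
}
```

Check the file with `nft -c -f redsocks.nft` before loading it. `nft -f` adds to whatever is already in the kernel rather than replacing it, so flush the table first (`nft flush table ip nat`) or the rules accumulate, which is consistent with the REDSOCKS chain body appearing twice in the listing above. After loading, `nft list table ip nat` shows the counters: the one on the `redirect` rule should increase as soon as a connection to a proxied port is opened, and counters that stay at 0 mean the chain is never reached, which is exactly the observation Florian's guess is based on.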
* Re: Is it possible to get a transparent proxy with Redsocks when using the new nftables?
From: Verachten Bruno @ 2020-03-05 10:35 UTC (permalink / raw)
To: netfilter
> Given all counters are 0, I would guess you use an older kernel
> where nft nat and iptables nat cannot coexist.
>
> I suspect you need to unload the iptable_nat module.
Thanks for the tip.
As for the kernel, I have:
Linux orangepizero 5.4.20-sunxi #20.02.1 SMP Mon Feb 17 02:09:41 CET 2020 armv7l GNU/Linux
lsmod|grep -i table
ip_tables 24576 0
x_tables 20480 1 ip_tables
I can see the ip_tables module, but not the iptable_nat module:
lsmod |grep ip|grep table
ip_tables 24576 0
x_tables 20480 1 ip_tables
Once I launch my nft command, I get the same:
lsmod |grep ip|grep table
ip_tables 24576 0
x_tables 20480 1 ip_tables
Once I launch my old ip_tables commands, I then get:
poddingue@orangepizero:~$ lsmod|grep -i table
nf_tables 98304 86 nft_compat,nft_chain_nat,nft_counter
nfnetlink 16384 2 nft_compat,nf_tables
ip_tables 24576 0
x_tables 20480 4 ip_tables,nft_compat,xt_tcpudp,xt_REDIRECT
iptable_nat exists, but is not in use:
sudo modprobe iptable_nat
poddingue@orangepizero:~$ lsmod |grep ip|grep table
iptable_nat 16384 0
nf_nat 32768 1 iptable_nat
ip_tables 24576 1 iptable_nat
x_tables 20480 1 ip_tables
And I can remove it:
sudo modprobe -r iptable_nat
I can't remember which command I used to get this output:
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
You suggested I get rid of this part, but I can't remember where
this came from, unfortunately.
Thanks for your time and patience,
--
Bruno Verachten
* Re: Is it possible to get a transparent proxy with Redsocks when using the new nftables?
From: Florian Westphal @ 2020-03-05 11:12 UTC (permalink / raw)
To: Verachten Bruno; +Cc: netfilter
Verachten Bruno <gounthar@gmail.com> wrote:
> > Given all counters are 0, I would guess you use an older kernel
> > where nft nat and iptables nat cannot coexist.
> >
> > I suspect you need to unload the iptable_nat module.
> Thanks for the tip.
> As for the kernel, I have:
> Linux orangepizero 5.4.20-sunxi #20.02.1 SMP Mon Feb 17 02:09:41 CET 2020 armv7l GNU/Linux
This kernel is recent, so iptable_nat isn't the source of your problem.
* Re: Is it possible to get a transparent proxy with Redsocks when using the new nftables?
From: Verachten Bruno @ 2020-06-25 17:11 UTC (permalink / raw)
To: netfilter
Hi there,
I tried the same thing on an older machine running an old kernel and
CentOS 7 (Linux 3.10.0-862.3.3.el7.x86_64 #1 SMP Fri Jun 15 04:15:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux).
I have the same RTMP handshaking problem. I read some more about the
handshaking process, and it appears no other port is opened; the machines
just exchange specific chunks on port 1935.
So... it looks like I have failed to configure iptables or redsocks2 correctly.
# Generated by iptables-save v1.4.21 on Thu Jun 25 19:05:27 2020
*mangle
:PREROUTING ACCEPT [227900:207210144]
:INPUT ACCEPT [227900:207210144]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [201078:31493812]
:POSTROUTING ACCEPT [201078:31493812]
COMMIT
# Completed on Thu Jun 25 19:05:27 2020
# Generated by iptables-save v1.4.21 on Thu Jun 25 19:05:27 2020
*filter
:INPUT ACCEPT [227900:207210144]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [201078:31493812]
COMMIT
# Completed on Thu Jun 25 19:05:27 2020
# Generated by iptables-save v1.4.21 on Thu Jun 25 19:05:27 2020
*nat
:PREROUTING ACCEPT [6:864]
:INPUT ACCEPT [6:864]
:OUTPUT ACCEPT [372:24174]
:POSTROUTING ACCEPT [9298:559734]
:REDSOCKS - [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 1935 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 80 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 21 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 11371 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 9418 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 9418 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 6380 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 1080 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 1935 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 443 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 1935 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 80 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 21 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 11371 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 9418 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 6380 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 443 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 80 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 1935 -j REDSOCKS
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.1.0/24 -j RETURN
-A REDSOCKS -d 192.168.31.0/24 -j RETURN
-A REDSOCKS -d 224.0.0.0/4 -j RETURN
-A REDSOCKS -d 240.0.0.0/4 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.0.0/16 -j RETURN
-A REDSOCKS -d 224.0.0.0/4 -j RETURN
-A REDSOCKS -d 240.0.0.0/4 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
COMMIT
# Completed on Thu Jun 25 19:05:27 2020
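Added example, not from the thread: a small Python audit of an iptables-save dump that reports the two defects visible in the ruleset above, rules appended more than once to the same chain (the 9418 and 1935 PREROUTING rules, the whole second copy of the REDSOCKS chain) and rules that sit after a catch-all terminating rule and so can never match (everything after the first `-p tcp -j REDIRECT` in REDSOCKS, since the chain is only ever entered from `-p tcp` rules). The dump it runs on is a constructed, shortened sample modelled on the one above with invented counters; feed `parse_iptables_save` the real `iptables-save` output to check a live box. The names `Rule`, `parse_iptables_save`, `find_duplicates`, `find_unreachable` and `audit` are this example's own.

```python
"""Audit an iptables-save dump for duplicate and unreachable rules.

Added example for this thread; not part of iptables, redsocks or the thread itself.
"""
from collections import Counter
from dataclasses import dataclass

# Targets that end rule evaluation in a chain when they match.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN",
               "REDIRECT", "DNAT", "SNAT", "MASQUERADE"}

# Constructed sample (shortened, counters invented) modelled on the dump above.
SAMPLE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [6:864]
:OUTPUT ACCEPT [372:24174]
:REDSOCKS - [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 9418 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 9418 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 443 -j REDSOCKS
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
COMMIT
"""


@dataclass(frozen=True)
class Rule:
    table: str
    chain: str
    args: tuple  # every token after the chain name, e.g. ('-p', 'tcp', '-j', 'RETURN')

    def _after(self, flag):
        return self.args[self.args.index(flag) + 1] if flag in self.args else None

    @property
    def target(self):
        return self._after("-j")

    @property
    def proto(self):
        return self._after("-p")

    @property
    def match(self):
        """Match tokens only (everything before -j)."""
        return self.args[: self.args.index("-j")] if "-j" in self.args else self.args

    @property
    def text(self):
        return f"-A {self.chain} " + " ".join(self.args)


def parse_iptables_save(dump):
    """Return the -A rules in the order iptables-restore would append them."""
    rules, table = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = line.split()
            rules.append(Rule(table, tokens[1], tuple(tokens[2:])))
        # comments, ':CHAIN POLICY [pkts:bytes]' headers and COMMIT carry no rules
    return rules


def find_duplicates(rules):
    """Identical rules appended to the same chain more than once."""
    return [(rule, n) for rule, n in Counter(rules).items() if n > 1]


def find_unreachable(rules):
    """Rules placed after a catch-all terminating rule in their chain.

    A rule is catch-all when it has no match at all, or only '-p X' where every
    jump into the chain already guarantees protocol X (REDSOCKS is only reached
    from '-p tcp' rules, so '-p tcp -j REDIRECT' ends the chain for good).
    """
    unreachable = []
    for table, chain in sorted({(r.table, r.chain) for r in rules}):
        protos = {r.proto for r in rules if r.table == table and r.target == chain}
        guaranteed = next(iter(protos)) if len(protos) == 1 else None
        dead = False
        for rule in (r for r in rules if (r.table, r.chain) == (table, chain)):
            if dead:
                unreachable.append(rule)
            elif rule.target in TERMINATING and rule.match in ((), ("-p", guaranteed)):
                dead = True
    return unreachable


def audit(dump):
    """Run both checks and return plain strings, convenient for reports and tests."""
    rules = parse_iptables_save(dump)
    return {
        "duplicates": [(r.text, n) for r, n in find_duplicates(rules)],
        "unreachable": [r.text for r in find_unreachable(rules)],
    }


if __name__ == "__main__":
    report = audit(SAMPLE)
    for text, n in report["duplicates"]:
        print(f"duplicate x{n}: {text}")
    for text in report["unreachable"]:
        print(f"unreachable:  {text}")
```

On the sample this reports three duplicated rules and two unreachable ones. Duplicates are harmless for correctness but cost a lookup each and obscure what was intended; unreachable rules are worse, because a bypass range added only after the REDIRECT (the second chain copy above has 192.168.0.0/16 where the first has two /24s) silently never takes effect.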