* Is it possible to get a transparent proxy with Redsocks when using the new nftables?
@ 2020-03-03 14:27 Verachten Bruno
  2020-03-03 15:57 ` Florian Westphal
  0 siblings, 1 reply; 5+ messages in thread
From: Verachten Bruno @ 2020-03-03 14:27 UTC (permalink / raw)
  To: netfilter

Hi List,

I hope I'm on the right list to ask this question. I'm by no means an
expert on networking, so please bear with me.

I've been using Redsocks for a few months now on a Ubuntu "18.04.3 LTS
(Bionic Beaver)" machine. This machine has iptables, and not nftables.
So I have a few rules to redirect 80, 443, 9048, 1935 and so on.

sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 1935 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 21 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 11371 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 9418 -j REDSOCKS
sudo iptables -t nat -A OUTPUT -p tcp --dport 6380 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 1935 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 11371 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 9418 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 9418 -j REDSOCKS
sudo iptables -t nat -A PREROUTING -p tcp --dport 6380 -j REDSOCKS

I exported those rules to another machine running "Debian GNU/Linux 10
(buster)", which has nftables. I converted the existing rules thanks to

iptables-save > save.txt
iptables-restore-translate -f save.txt > ruleset.nft
nft -f ruleset.nft

Nothing seems to work: a git command, or anything else, just times out.

Here is the configuration I get once the rules have been imported:

table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 0; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }
}
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority -100; policy accept;
                meta l4proto tcp tcp dport 443 counter packets 0 bytes 0 jump REDSOCKS
                meta l4proto tcp tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
                meta l4proto tcp tcp dport 80 counter packets 0 bytes 0 jump REDSOCKS
                meta l4proto tcp tcp dport 21 counter packets 0 bytes 0 jump REDSOCKS
                meta l4proto tcp tcp dport 9418 counter packets 0 bytes 0 jump REDSOCKS
                tcp dport https counter packets 0 bytes 0 jump REDSOCKS
                tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
                tcp dport http counter packets 0 bytes 0 jump REDSOCKS
                tcp dport ftp counter packets 0 bytes 0 jump REDSOCKS
                tcp dport git counter packets 0 bytes 0 jump REDSOCKS
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority 100; policy accept;
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
                meta l4proto tcp tcp dport 443 counter packets 0 bytes 0 jump REDSOCKS
                meta l4proto tcp tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
                meta l4proto tcp tcp dport 80 counter packets 0 bytes 0 jump REDSOCKS
                meta l4proto tcp tcp dport 21 counter packets 0 bytes 0 jump REDSOCKS
                meta l4proto tcp tcp dport 9418 counter packets 0 bytes 0 jump REDSOCKS
                tcp dport https counter packets 0 bytes 0 jump REDSOCKS
                tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
                tcp dport http counter packets 0 bytes 0 jump REDSOCKS
                tcp dport ftp counter packets 0 bytes 0 jump REDSOCKS
                tcp dport git counter packets 0 bytes 0 jump REDSOCKS
        }

        chain REDSOCKS {
                ip daddr 0.0.0.0/8 counter packets 0 bytes 0 return
                ip daddr 10.0.0.0/8 counter packets 0 bytes 0 return
                ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
                ip daddr 169.254.0.0/16 counter packets 0 bytes 0 return
                ip daddr 172.16.0.0/12 counter packets 0 bytes 0 return
                ip daddr 192.168.1.0/24 counter packets 0 bytes 0 return
                ip daddr 192.168.31.0/24 counter packets 0 bytes 0 return
                ip daddr 224.0.0.0/4 counter packets 0 bytes 0 return
                ip daddr 240.0.0.0/4 counter packets 0 bytes 0 return
                meta l4proto tcp counter packets 0 bytes 0 redirect to :12345
                counter packets 0 bytes 0 return
                ip daddr 10.0.0.0/8 counter packets 0 bytes 0 return
                ip daddr 127.0.0.0/8 counter packets 0 bytes 0 return
                ip daddr 169.254.0.0/16 counter packets 0 bytes 0 return
                ip daddr 172.16.0.0/12 counter packets 0 bytes 0 return
                ip daddr 192.168.1.0/24 counter packets 0 bytes 0 return
                ip daddr 192.168.31.0/24 counter packets 0 bytes 0 return
                ip daddr 224.0.0.0/4 counter packets 0 bytes 0 return
                ip daddr 240.0.0.0/4 counter packets 0 bytes 0 return
                ip protocol tcp counter packets 0 bytes 0 redirect to :12345
        }
}
table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority -150; policy accept;
        }

        chain INPUT {
                type filter hook input priority -150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority -150; policy accept;
        }

        chain OUTPUT {
                type route hook output priority -150; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority -150; policy accept;
        }
}

Is there anything I'm missing?

Thanks.

-- 
Bruno Verachten


* Re: Is it possible to get a transparent proxy with Redsocks when using the new nftables?
  2020-03-03 14:27 Is it possible to get a transparent proxy with Redsocks when using the new nftables? Verachten Bruno
@ 2020-03-03 15:57 ` Florian Westphal
  2020-03-05 10:35   ` Verachten Bruno
  0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2020-03-03 15:57 UTC (permalink / raw)
  To: Verachten Bruno; +Cc: netfilter

Verachten Bruno <gounthar@gmail.com> wrote:
> I've been using Redsocks for a few months now on a Ubuntu "18.04.3 LTS
> (Bionic Beaver)" machine. This machine has iptables, and not nftables.
> So I have a few rules to redirect 80, 443, 9048, 1935 and so on.
> 
> (buster)", which has nftables. I converted the existing rules thanks
> to
> 
> iptables-save > save.txt
> iptables-restore-translate -f save.txt > ruleset.nft
> nft -f ruleset.nft
> 
> Nothing seems to work: a git command, or anything else, just times out.
> Here is the configuration I get once the rules have been imported:

> table ip filter {
>         chain INPUT {
>                 type filter hook input priority 0; policy accept;
>         }
> 
>         chain FORWARD {
>                 type filter hook forward priority 0; policy accept;
>         }
> 
>         chain OUTPUT {
>                 type filter hook output priority 0; policy accept;
>         }
> }

The above chains are unneeded and can be removed.

> table ip nat {
>         chain PREROUTING {
>                 type nat hook prerouting priority -100; policy accept;
>                 meta l4proto tcp tcp dport 443 counter packets 0 bytes 0 jump REDSOCKS
>                 meta l4proto tcp tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS

meta l4proto tcp tcp dport { 443, 1935, ... } jump REDSOCKS

>                 ip daddr 240.0.0.0/4 counter packets 0 bytes 0 return

Given all counters are 0, I would guess you use an older kernel
where nft nat and iptables nat cannot coexist.

I suspect you need to unload iptable_nat module.



* Re: Is it possible to get a transparent proxy with Redsocks when using the new nftables?
  2020-03-03 15:57 ` Florian Westphal
@ 2020-03-05 10:35   ` Verachten Bruno
  2020-03-05 11:12     ` Florian Westphal
  0 siblings, 1 reply; 5+ messages in thread
From: Verachten Bruno @ 2020-03-05 10:35 UTC (permalink / raw)
  To: netfilter

> given all counters are 0 i would guess you use an older kernel
> where nft nat and iptables nat cannot coexist.
>
> I suspect you need to unload iptable_nat module.
Thanks for the tip.
As for the kernel, I have:
Linux orangepizero 5.4.20-sunxi #20.02.1 SMP Mon Feb 17 02:09:41 CET 2020 armv7l GNU/Linux

lsmod|grep -i table
ip_tables              24576  0
x_tables               20480  1 ip_tables

I can see ip_tables module, but not iptable_nat module:
lsmod |grep ip|grep table
ip_tables              24576  0
x_tables               20480  1 ip_tables

Once I launch my nft command, I get the same:
lsmod |grep ip|grep table
ip_tables              24576  0
x_tables               20480  1 ip_tables

Once I launch my old ip_tables commands, I then get:
poddingue@orangepizero:~$ lsmod|grep -i table
nf_tables              98304  86 nft_compat,nft_chain_nat,nft_counter
nfnetlink              16384  2 nft_compat,nf_tables
ip_tables              24576  0
x_tables               20480  4 ip_tables,nft_compat,xt_tcpudp,xt_REDIRECT

iptable_nat exists, but is not in use:
sudo modprobe iptable_nat
poddingue@orangepizero:~$ lsmod |grep ip|grep table
iptable_nat            16384  0
nf_nat                 32768  1 iptable_nat
ip_tables              24576  1 iptable_nat
x_tables               20480  1 ip_tables

And I can remove it:
sudo modprobe -r iptable_nat

I can't remember which command I used to get this output:
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 0; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }
}
You suggested I get rid of this part, but I can't remember where
this came from, unfortunately.

Thanks for your time and patience,
-- 
Bruno Verachten


* Re: Is it possible to get a transparent proxy with Redsocks when using the new nftables?
  2020-03-05 10:35   ` Verachten Bruno
@ 2020-03-05 11:12     ` Florian Westphal
       [not found]       ` <CACtV=ddf+pB3Y2EX+jRV=J5MswYouQGwx0P6Zyhe0Ex=OPXHWQ@mail.gmail.com>
  0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2020-03-05 11:12 UTC (permalink / raw)
  To: Verachten Bruno; +Cc: netfilter

Verachten Bruno <gounthar@gmail.com> wrote:
> > given all counters are 0 i would guess you use an older kernel
> > where nft nat and iptables nat cannot coexist.
> >
> > I suspect you need to unload iptable_nat module.
> Thanks for the tip.
> As for the kernel, I have:
> Linux orangepizero 5.4.20-sunxi #20.02.1 SMP Mon Feb 17 02:09:41 CET 2020 armv7l GNU/Linux

This kernel is recent, so iptable_nat isn't the source of your problem.


* Re: Is it possible to get a transparent proxy with Redsocks when using the new nftables?
       [not found]       ` <CACtV=ddf+pB3Y2EX+jRV=J5MswYouQGwx0P6Zyhe0Ex=OPXHWQ@mail.gmail.com>
@ 2020-06-25 17:11         ` Verachten Bruno
  0 siblings, 0 replies; 5+ messages in thread
From: Verachten Bruno @ 2020-06-25 17:11 UTC (permalink / raw)
  To: netfilter

Hi there,

I tried the same thing on an older machine running an old kernel and
CentOS 7 (Linux 3.10.0-862.3.3.el7.x86_64 #1 SMP Fri Jun 15 04:15:27
UTC 2018 x86_64 x86_64 x86_64 GNU/Linux).
I have the same RTMP handshaking problem. I read some more about the
handshaking process, and it appears no other port is opened; the machines
just exchange specific chunks on port 1935.
So... it looks like I have failed to configure iptables or redsocks2 correctly.
# Generated by iptables-save v1.4.21 on Thu Jun 25 19:05:27 2020
*mangle
:PREROUTING ACCEPT [227900:207210144]
:INPUT ACCEPT [227900:207210144]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [201078:31493812]
:POSTROUTING ACCEPT [201078:31493812]
COMMIT
# Completed on Thu Jun 25 19:05:27 2020
# Generated by iptables-save v1.4.21 on Thu Jun 25 19:05:27 2020
*filter
:INPUT ACCEPT [227900:207210144]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [201078:31493812]
COMMIT
# Completed on Thu Jun 25 19:05:27 2020
# Generated by iptables-save v1.4.21 on Thu Jun 25 19:05:27 2020
*nat
:PREROUTING ACCEPT [6:864]
:INPUT ACCEPT [6:864]
:OUTPUT ACCEPT [372:24174]
:POSTROUTING ACCEPT [9298:559734]
:REDSOCKS - [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 1935 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 80 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 21 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 11371 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 9418 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 9418 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 6380 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 1080 -j REDSOCKS
-A PREROUTING -p tcp -m tcp --dport 1935 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 443 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 1935 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 80 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 21 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 11371 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 9418 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 6380 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 443 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 80 -j REDSOCKS
-A OUTPUT -p tcp -m tcp --dport 1935 -j REDSOCKS
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.1.0/24 -j RETURN
-A REDSOCKS -d 192.168.31.0/24 -j RETURN
-A REDSOCKS -d 224.0.0.0/4 -j RETURN
-A REDSOCKS -d 240.0.0.0/4 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 192.168.0.0/16 -j RETURN
-A REDSOCKS -d 224.0.0.0/4 -j RETURN
-A REDSOCKS -d 240.0.0.0/4 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
COMMIT
# Completed on Thu Jun 25 19:05:27 2020
