lab - targeted ssl-interception with xt_tls

FAIL: although the rule shows up, xt_tls is not capable of handling table nat chain prerouting

introduction

we are trying to intercept a specific SNI e.g. nethence.com and split its traffic towards an ssl-interception engine. although polarproxy is not the best, that’s what we got here.

the interception host is a nat gateway (here a KVM host with nftables-managed SNAT).

the goal is to determine if xt_tls only grabs the ssl client hello, or if we could manage to grab targeted ssl sessions as a whole.

ssl-interception

on the interception host

# TODO restrict to localhost
polar/PolarProxy -v -p 8443,8080 \
        --certhttp 10080 \
        -o /data/polar-capture

netstat -lntup | grep :8443

sni split-up

on the interception host

modprobe xt_tls
nic=dummybr0

first check that overall 443/tcp interception works

    iptables -t nat -A PREROUTING -i $nic -p tcp --dport 443 -j REDIRECT --to-port 8443

and clean-up

    iptables -t nat -D PREROUTING -i $nic -p tcp --dport 443 -j REDIRECT --to-port 8443

then go for the fine-tuned SNI

    iptables -t nat -A PREROUTING -i $nic -p tcp --dport 443 \
    -m tls --tls-host "nethence.com" \
    -j REDIRECT --to-port 8443

#iptables -t nat -nvL
nft list ruleset

acceptance

from a remote host that uses the interception host as a gateway

apt install lynx curl

those ones should still work

curl -I https://pub.nethence.com/
curl -I https://www.opendns.com/

that one should be intercepted

curl -I https://nethence.com/
lynx -head -dump https://nethence.com/

==> works only with the casual tcp interception. the traffic simply goes through when attempting to use the sni.

clean-up

iptables -t nat -D PREROUTING -i $nic -p tcp --dport 443 \
    -m tls --tls-host "nethence.com" \
    -j REDIRECT --to-port 8443

conclusion

NOT POSSIBLE - here is why

https://github.com/Lochnair/xt_tls/issues/19

https://github.com/Lochnair/xt_tls/issues/35

troubleshooting

when trying -j REDIRECT against the OUTPUT chain

iptables v1.8.7 (nf_tables):  RULE_APPEND failed (Invalid argument): rule in chain OUTPUT

==> apparently that’s a no go, we have to use the nat table PREROUTING chain

resources

https://unix.stackexchange.com/questions/144497/in-iptables-what-is-the-difference-between-targets-dnat-and-redirect

https://serverfault.com/questions/179200/difference-beetween-dnat-and-redirect-in-iptables

alternatives

https://github.com/dlundquist/sniproxy https://gist.github.com/pjamar/6812af8354746f9bffd0

https://github.com/XIU2/SNIProxy/releases

https://docs.sandstorm.io/en/latest/administering/sniproxy/

https://github.com/ameshkov/sniproxy

https://github.com/dlundquist/sniproxy

https://github.com/atenart/sniproxy

https://github.com/lancachenet/sniproxy

https://lancache.net/docs/containers/sniproxy/

moar

https://netfiltersdk.com/help/ProtocolFilters/FT_SSL.htm


HOME | GUIDES | LECTURES | LAB | SMTP HEALTH | HTML5 | CONTACT
Copyright © 2023 Pierre-Philipp Braun