No packets coming to ssl proxy port, Is this about the iptables wrong ruleset or directly sslproxy build process?

[samueljaydan]

"make" result:

------------------------------------------------------------------------------
SSLproxy v0.9.5
------------------------------------------------------------------------------
Report bugs at https://github.com/sonertari/SSLproxy/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/sonertari/SSLproxy.git
------------------------------------------------------------------------------
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads libpcap sqlite3
LIBNET_BASE:    /usr
Build options:  -DHAVE_NETFILTER
Build info:     V:GIT
uname -a:       Linux SSLInspectionDevice 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
------------------------------------------------------------------------------
cc -c -isystem/usr/include -isystem/usr/include/dbus-1.0 -isystem/usr/lib/x86_64-linux-gnu/dbus-1.0/include  -D_GNU_SOURCE -D"PKGLABEL=\"SSLproxy\"" -DHAVE_NETFILTER -D"BUILD_PKGNAME=\"sslproxy\"" -D"BUILD_VERSION=\"v0.9.5\"" -D"BUILD_DATE=\"2024-06-06\"" -D"BUILD_INFO=\"V:GIT\"" -D"BUILD_FEATURES=\"-DHAVE_NETFILTER\"" -g  -std=c99 -Wall -Wextra -pedantic -D_FORTIFY_SOURCE=2 -fstack-protector-all -pthread -O2 -o build.o build.c
cc -L/usr/lib  -pthread -o sslproxy base64.o build.o cache.o cachedsess.o cachefkcrt.o cachemgr.o cachessess.o cachetgcrt.o cert.o dynbuf.o filter.o logbuf.o log.o logger.o logpkt.o main.o nat.o opts.o privsep.o proc.o protoautossl.o protohttp.o protopassthrough.o protopop3.o protosmtp.o protossl.o prototcp.o proxy.o pxyconn.o pxythr.o pxythrmgr.o ssl.o sys.o thrqueue.o url.o util.o -lnet -lssl -lcrypto -levent_openssl -levent_pthreads -levent -lpcap -lsqlite3 

SSLproxy Running Output:

SSLproxy v0.9.5 (built 2024-06-06)
Copyright (c) 2017-2024, Soner Tari <[email protected]>
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger <[email protected]>
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 3.0.11 19 Sep 2023 (300000b0)
rtlinked against OpenSSL 3.0.11 19 Sep 2023 (300000b0)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12 tls13 
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.10.3 (with TPACKET_V3)
compiled against sqlite 3.40.1
rtlinked against sqlite 3.40.1
4 CPU cores detected
Generated 2048 bit RSA key for leaf certs.
Global conn opts: negotiate>=tls10<=tls13|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|no user_auth_url|300|8192
proxyspecs:
- listen=[127.0.0.1]:65521 ssl|http netfilter
divert addr= [127.0.0.1]:65522
return addr= [127.0.0.1]:0
opts= conn opts: negotiate>=tls10<=tls13|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|no user_auth_url|300|8192
divert|utmfw|admin
Loaded Global CA: '/C=A/ST=B/L=C/O=D/OU=E/CN=F/emailAddress=G'
Loaded ProxySpec CA: '/C=A/ST=B/L=C/O=D/OU=E/CN=F/emailAddress=G'
SSL/TLS leaf certificates taken from:
- Global generated on the fly
Privsep fastpath disabled
Created self-pipe [r=4,w=5]
Created chld-pipe [r=6,w=7]
Created socketpair 0 [p=8,c=9]
Created socketpair 1 [p=10,c=11]
Created socketpair 2 [p=12,c=13]
Created socketpair 3 [p=14,c=15]
Created socketpair 4 [p=16,c=17]
Created socketpair 5 [p=18,c=19]
Privsep parent pid 13841
Privsep child pid 13842
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Received privsep req type 03 sz 9 on srvsock 8
Dropped privs to user nobody group - chroot -
Inserted events:
  0x55fc25b56ce8 [fd  4] Read Persist Internal
  0x55fc25b56ec0 [fd  6] Read Persist Internal
Received privsep req type 00 sz 1 on srvsock 10
  0x55fc25b501c8 [fd  7] Read Persist
Received privsep req type 00 sz 1 on srvsock 12
  0x55fc25b42750 [sig 1] Signal Persist
Received privsep req type 00 sz 1 on srvsock 14
  0x55fc25b544b0 [sig 2] Signal Persist
  0x55fc25b42410 [sig 3] Signal Persist
Received privsep req type 00 sz 1 on srvsock 16
  0x55fc25b543b0 [sig 10] Signal Persist
Received privsep req type 00 sz 1 on srvsock 18
  0x55fc25b303d0 [sig 13] Signal Persist
  0x55fc25b54f60 [sig 15] Signal Persist
  0x55fc25b462b0 [fd  -1] Persist Timeout=1717668679.218821
Active events:
Initialized 8 connection handling threads
Started 8 connection handling threads
Starting main event loop.
^CReceived signal 2
Main event loop stopped (reason=2).
Received privsep req type 00 sz 1 on srvsock 8
Child pid 13842 exited with status 0

uname -a

Linux SSLInspectionDevice 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux

iptables:

#
iptables -F
iptables -t mangle -F
iptables -t mangle -X
iptables -t nat -F
iptables -t nat -X
#
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i enp3s0 -p tcp --dport 80 -j REDIRECT --to-port 65521 
iptables -t nat -A PREROUTING -i enp3s0 -p tcp --dport 443 -j REDIRECT --to-port 65521 
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o enp2s0 -j MASQUERADE
#

Listening Ports:

tcp        0      0 127.0.0.1:65522         0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:65521         0.0.0.0:*               LISTEN  

Env. Setup Results:

65521 is the running proxy
65522 is my code to capture packets coming to sslproxy
enp2s0: WAN
enp3s0: LAN

Conf File:

# Use CA cert (and key) to sign forged certs.
# Equivalent to -c command line option.
CACert /etc/certs/web.crt
# Use CA key (and cert) to sign forged certs.
# Equivalent to -k command line option.
CAKey /etc/certs/web.key
# Write pid to file.
# Equivalent to -p command line option.
# (default: no pid file)
PidFile /var/run/sslproxy.pid
# Debug mode: run in foreground, log debug messages on stderr.
# Equivalent to -D command line option.
Debug yes
# Close connections after this many seconds of idle time
ConnIdleTimeout 120
# Check for expired connections every this many seconds
ExpiredConnCheckPeriod 10
# Log statistics to syslog
# Equivalent to -J command line option.
LogStats yes
# Log statistics every this many ExpiredConnCheckPeriod periods
StatsPeriod 1
# Remove HTTP header line for Accept-Encoding
RemoveHTTPAcceptEncoding no
# Remove HTTP header line for Referer
RemoveHTTPReferer yes
# Verify peer using default certificates
VerifyPeer no
# When disabled, never add the SNI to forged certificates, even if the SNI
# provided by the client does not match the server certificate's CN/SAN.
# Helps pass the wrong.host test at https://badssl.com.
AllowWrongHost no
#
ProxySpec https 127.0.0.1 65521 up:65522 ua:127.0.0.1

OpenSSL Version:

OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)

Certificates:

openssl rsa -noout -modulus -in web.key | openssl md5
MD5(stdin)= 81229df040450a35dc6bddfc04af5fdc

openssl x509 -noout -modulus -in web.crt | openssl md5
MD5(stdin)= 81229df040450a35dc6bddfc04af5fdc

Not: web.crt is imported to Client Device.

[sonertari]

Yes, the first suspect would be how you redirect packets to SSLproxy, as explained in the last paragraph of Mode of Operation section in README. But I'm not sure how to help you with that.