sonertari / SSLproxy

Transparent SSL/TLS proxy for decrypting and diverting network traffic to other programs, such as UTM services, for deep SSL inspection
BSD 2-Clause "Simplified" License

Error from getsockopt(SO_ORIGINAL_DST): No such file or directory Connection not found in NAT state table, aborting connection / using Docker #32

Closed Lo0815 closed 3 years ago

Lo0815 commented 3 years ago

Hi, when I try to run SSLproxy (same with SSLsplit) inside a Docker container I always get the following error. Can you tell what is going wrong here, or is it a bug?

sslproxy -D4 -k /SSLproxy/test.key -c /SSLproxy/test.crt -l connect.log -J -S /SSLproxy/logdir -Y /SSLproxy/pcaplogdir https 0.0.0.0 8443 up:1212
| Warning: -F requires a privileged operation for each connection!
| Warning: -Y requires a privileged operation for each connection!
| Privileged operations require communication between parent and child process
| and will negatively impact latency and performance on each connection.
SSLproxy v0.8.3-3-g1bb5bd2 (built 2021-08-16)
Copyright (c) 2017-2021, Soner Tari <sonertari@gmail.com>
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.1.1  11 Sep 2018 (1010100f)
rtlinked against OpenSSL 1.1.1  11 Sep 2018 (1010100f)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12 tls13 
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.8-stable
rtlinked against libevent 2.1.8-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.8.1
compiled against sqlite 3.22.0
rtlinked against sqlite 3.22.0
8 CPU cores detected
Generated 2048 bit RSA key for leaf certs.
Global SSL/TLS protocol: negotiate>=tls10<=tls13
proxyspecs:
- listen=[0.0.0.0]:8443 ssl|http netfilter
parent dst addr= [127.0.0.1]:1212
child src addr= [127.0.0.1]:0
opts=|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|||8192
SSL/TLS protocol: negotiate>=tls10<=tls13
Loaded CA: '/C=AUT/ST=Austria/L=Innsbruck/O=Uni/OU=test/CN=testl/emailAddress=test@test.de'
Loaded ProxySpec CA: '/C=AUT/ST=Austria/L=Innsbruck/O=Uni/OU=test/CN=test/emailAddress=test@test.de'
SSL/TLS leaf certificates taken from:
- Global generated on the fly
Privsep fastpath disabled
Created self-pipe [r=6,w=7]
Created chld-pipe [r=8,w=9]
Created socketpair 0 [p=10,c=11]
Created socketpair 1 [p=12,c=13]
Created socketpair 2 [p=14,c=15]
Created socketpair 3 [p=16,c=17]
Created socketpair 4 [p=18,c=19]
Created socketpair 5 [p=20,c=21]
Privsep parent pid 15
Privsep child pid 16
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Received privsep req type 03 sz 9 on srvsock 10
Dropped privs to user nobody group - chroot -
Received privsep req type 00 sz 1 on srvsock 12
Inserted events:
Received privsep req type 00 sz 1 on srvsock 20
  0x55ba807e79b8 [fd  7] Read Persist Internal
  0x55ba807e7b90 [fd  9] Read Persist Internal
  0x55ba807e7fa8 [fd  10] Read Persist
  0x55ba807e53c0 [sig 1] Signal Persist
  0x55ba807e7540 [sig 2] Signal Persist
  0x55ba807e72a0 [sig 3] Signal Persist
  0x55ba807e8460 [sig 10] Signal Persist
  0x55ba807e76d0 [sig 13] Signal Persist
  0x55ba807e6c40 [sig 15] Signal Persist
  0x55ba807e8590 [fd  -1] Persist Timeout=1629129104.868612
Active events:
Initialized 16 connection handling threads
Started 16 connection handling threads
Starting main event loop.
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection

Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection
Error from getsockopt(SO_ORIGINAL_DST): No such file or directory
Connection not found in NAT state table, aborting connection

I expose port 8443 to the host system

sudo docker run -it -p 8443:8443 testssl

and redirect the traffic from port 443 to port 8443 (on the host)

sudo sysctl -w net.ipv4.ip_forward=1

sudo iptables -t nat -A PREROUTING -i wlp3s0 -p tcp --dport 443 -j REDIRECT --to-port 8443

Thanks in advance

sonertari commented 3 years ago

I have never used Docker. But the error says that the connection is not in the NAT table. As you probably know by now, sslproxy and sslsplit ask the NAT engine of the system for the connection information, such as the source and destination addresses. If the NAT engine does not know such info, then sslproxy and sslsplit are clueless and should terminate the connection, as they do in your tests. As I said, I am not familiar with Docker, so I don't know why the NAT engine of the system running in a Docker container does not have that info. (Perhaps it is not supposed to, because perhaps that's the purpose of containerization? I guess I should learn more about such environments, and try running sslproxy in them myself.)

Lo0815 commented 3 years ago

I found a workaround using the --net=host option to access the host network. Maybe this will help others with the same problem.

Thank you for your help
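An added example that is not part of this thread and not SSLproxy or SSLsplit code: a small Python script that makes the same getsockopt(SO_ORIGINAL_DST) query the proxy makes on every accepted connection, and reports which network namespace it is running in. It illustrates both the "Connection not found in NAT state table" abort in the log above and why the --net=host workaround resolves it: Linux keeps conntrack, and therefore the NAT state the proxy asks for, per network namespace, so a container on Docker's default bridge network only sees its own table and not the host's REDIRECT entry. The constant SO_ORIGINAL_DST = 80 is the Linux value from linux/netfilter_ipv4.h; the sample sockaddr bytes, the 10.0.0.5 address and the port numbers are constructed for the example.

```python
"""Reproduce SSLproxy's NAT lookup and diagnose the netns it runs in.

Added example, not SSLproxy/SSLsplit code. Linux only: it relies on
/proc/<pid>/ns/net and on the netfilter SO_ORIGINAL_DST socket option.
"""
import errno
import os
import socket
import struct

SO_ORIGINAL_DST = 80   # linux/netfilter_ipv4.h (assumed constant value)
SOCKADDR_IN_LEN = 16   # sizeof(struct sockaddr_in)


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Encode a struct sockaddr_in the way the kernel returns it
    (sa_family in host order, sin_port in network order, 8 bytes padding)."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ip)
            + b"\0" * 8)


# Constructed sample of what getsockopt(SO_ORIGINAL_DST) hands back for a
# client that was REDIRECTed while connecting to 10.0.0.5:443.
SAMPLE_ORIG_DST = build_sockaddr_in("10.0.0.5", 443)


def parse_sockaddr_in(raw: bytes):
    """Decode the sockaddr_in buffer returned by SO_ORIGINAL_DST into (ip, port)."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in: %d bytes" % len(raw))
    family, = struct.unpack_from("=H", raw, 0)
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    port, = struct.unpack_from("!H", raw, 2)
    return socket.inet_ntoa(raw[4:8]), port


def explain_origdst_errno(err: int) -> str:
    """Translate the getsockopt errno into the likely misconfiguration."""
    if err == errno.ENOENT:
        # This is the 'Connection not found in NAT state table' case.
        return ("no conntrack/NAT entry for this connection in this netns: "
                "the REDIRECT rule lives in another namespace (for example "
                "the Docker host) or the connection was never redirected")
    if err == errno.ENOPROTOOPT:
        return "SO_ORIGINAL_DST not available: nf_conntrack/NAT not active in this netns"
    return "getsockopt(SO_ORIGINAL_DST) failed: %s" % os.strerror(err)


def original_dst(conn: socket.socket):
    """Ask conntrack for the pre-REDIRECT destination of an accepted socket.

    Returns (ip, port); raises LookupError with a hint when the kernel has no
    NAT entry for the connection in the socket's network namespace."""
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    except OSError as e:
        raise LookupError(explain_origdst_errno(e.errno)) from e
    return parse_sockaddr_in(raw)


def netns_id(pid="self") -> str:
    """Identity of a process's network namespace, e.g. 'net:[4026531992]'.
    Compare the proxy's value with a host process to see whether they share
    a conntrack table; with --net=host they are identical."""
    return os.readlink("/proc/%s/ns/net" % pid)


def serve(port=8443):
    """Accept redirected connections and print where each one was headed.

    Assumes the host rule from the issue:
    iptables -t nat -A PREROUTING -i wlp3s0 -p tcp --dport 443 -j REDIRECT --to-port 8443
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(16)
        print("listening on %d in %s" % (port, netns_id()))
        while True:
            conn, peer = srv.accept()
            with conn:
                try:
                    ip, dport = original_dst(conn)
                    print("%s:%d -> original dst %s:%d" % (peer[0], peer[1], ip, dport))
                except LookupError as e:
                    print("%s:%d aborted: %s" % (peer[0], peer[1], e))


if __name__ == "__main__":
    serve()
```

Run it on the host, or inside a container started with --net=host, behind the PREROUTING rule from the issue and connect from another machine on wlp3s0: the original port 443 destination is printed for each connection. Started with -p 8443:8443 on the default bridge network instead, every connection prints the ENOENT hint, and netns_id() differs from the value a host process reports. Two caveats: the rule as written only catches traffic arriving on wlp3s0, so connections originating on the host itself are not redirected (that needs an OUTPUT-chain rule), and --net=host removes the network isolation between the container and the host, so the container should carry no more capabilities than the proxy needs.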