How To: Redirect HTTP Traffic to Proxy Using iptables

Invisible Traffic

Proxy Madness

Using Squid or any other proxy for transparent caching/filtering of HTTP traffic has many benefits, being for logging purposes or the aforementioned use-cases, keeping every client configured can be a nuance. Networking equipment from Cisco and Juniper has the ability to redirect all passing HTTP traffic, in IOS and JunOS respectively, to the desired proxy.

A more cost-effective solution is to use a Linux box inline the client network and the “Internet”, redirecting HTTP traffic to a separate transparent proxy box, before it reaches the Internet.

Another, more realistic (…), use case. Is to use the transparent caching proxy server inline the VPN Server, VPN Client and the Internet. Example below.

VPN Client --> VPN Server --> Caching Transparent Proxy --> Internet

The benefit being that the VPN Server can resend cached content to the VPN Client, reducing latency for the server and the connection as a whole.

The Solution

Using the example above, traffic redirection using iptables most efficiently takes place on the VPN Server.

Below is the required configuration:
~# iptables -t nat -A PREROUTING -i [TUNNELIFACE] -p tcp -m tcp --dport 80 -j DNAT --to-destination [PROXYIP]:[PROXYPORT]

Working example:
~# iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j DNAT --to-destination

As an end note. For best results and lowest possible latency, the VPN Server and Caching Transparent Proxy should be on the same network, preferably on the same network switch.

Happy Caching!

How To: Netcat – Check for open ports with the command line

NetCat PortKitty Port-checking

When troubleshooting a network integration or any other connection issue in Linux, step one is usually a matter of checking to see if the network port on the other side is even responding.

Netcat -The network Swiss Army knife (Hobbit, not nmap)- is the right tool for the job.

Before we begin, NetCat needs to be installed.

# RHEL / CentOS
~$ yum install nc

# Debian / Ubuntu
~$ apt-get install nc

Once installed, you can invoke Netcat like so:

[REMOTE_SERVER] – The server to be checked
[PORT] – The service/port to be checked



Connection to 443 port [tcp/https] succeeded!

How To: List what Procs are using the Lib in Linux


Find the Procs

After upgrading an important package in Linux -or other Unix variant- that provides a library used by many other processes. Instead of restarting the server for the new lib to take effect, the procs can be restarted -or HUPed- individually.

Before we begin, lsof needs to be installed.
# RHEL / CentOS
~$ yum install lsof

# Debian / Ubuntu
~$ apt-get install lsof

In the following example, we list what processes are using the libcrypto library in Raspbian.
~$ lsof /usr/lib/arm-linux-gnueabihf/
sshd 551 root mem REG 179,2 1418532 10074 /usr/lib/arm-linux-gnueabihf/
ntpd 2321 ntp mem REG 179,2 1418532 10074 /usr/lib/arm-linux-gnueabihf/
sshd 6643 root mem REG 179,2 1418532 10074 /usr/lib/arm-linux-gnueabihf/
sshd 6649 meow mem REG 179,2 1418532 10074 /usr/lib/arm-linux-gnueabihf/
openvpn 30044 nobody mem REG 179,2 1418532 10074 /usr/lib/arm-linux-gnueabihf/

Next, the affected processes can be restarted:
~$ service [SERVICENAME] restart
~$ systemctl restart [SERVICENAME]
~$ kill -HUP 31337

How To: Encrypt/Decrypt File with OpenSSL


Encrypt/Decrypt File

When security and integrity of a file is critical, such as with x509 certificates or other important documents, OpenSSL or other variant can be used to secure the file. With strong encryption and -hopefully- a strong password.

OpenSSL is generally available on all UNIX variants, downloadable as an executable for Windows and is also used with many other applications through the LibCrypto library.

If you need help picking a strong password, I’d recommend StrongPasswordGenerator.Com. Never share the password with the receiving party over the same medium as the file transmission. Send it Out-Of-Band over a SMS or Telephone Call or similar.

In the following example, we take a file and encrypt it using AES-256-CBC, protecting it using a password and adding a salt for extra randomness. The output is added to a newly created file.

~$ openssl enc -salt -aes-256-cbc -in TuxPics.tgz -out TuxPics.tgz.enc
enter aes-256-cbc encryption password: q55Tc9Hp68-Ry4d
Verifying - enter aes-256-cbc encryption password: q55Tc9Hp68-Ry4d

The content of TuxFiles.tgz.enc is perceived as a random binary string to EVE when in transit on the open network.

In the next example, we do the reverse action. Decrypting the file using the same password and appending the output to a new file.

~$ openssl enc -aes-256-cbc -d -in TuxFiles.tgz.enc > TuxFiles.tgz
enter aes-256-cbc decryption password: q55Tc9Hp68-Ry4d

In case the file type is not known from the decrytion result (stdout), the “file” command can be used when running Linux.

~$ file TuxPics
TuxPics: gzip compressed data

Have fun!

How To: Run a Command Quickly on Remote Server using SSH

Linux "Cluster"

When working in a clustered Linux environment containing two or more servers, it is not uncommon to switch back and forth between the hosts. Even if it’s running one command.

SSH is a powerful tool, it can do allot more than act as remote shell or tunnel traffic. One of those features is sending a command string to the server and fetching the output.

Assuming that you have access and privileged user on the remote server, the command works as follows

~$ ssh "netstat -tulpna|grep -i established"'s password: *****

For an even more awesome experience, consider authenticating using ssh-key’s.