Layer 2 MitM setup:

                +------+
                | HOST |
+--------+      |------|      +--------+
| CLIENT | <--> | MITM | <--> | SERVER |
+--------+      +------+      +--------+

TLDR:

A Raspberry Pi's eth0 is connected to the internet and wlan0 acts as an access point using hostapd. Bridging both interfaces works fine. Redirecting the HTTP(S) traffic on the bridge to the Python mitmproxy does not work. The following commands give the clients connected to the access point internet, but no traffic passes through the Python mitmproxy listening on 8080:

brctl addbr br0
brctl addif br0 eth0
ip link set dev br0 up

echo "denyinterfaces wlan0 eth0" >> /etc/dhcpcd.conf
echo "interface br0" >> /etc/dhcpcd.conf
echo "bridge=br0" >> /etc/hostapd/hostapd.conf

iptables -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -A PREROUTING -i br0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
iptables -A POSTROUTING -o eth0 -j MASQUERADE

What I've already tried:

  1. Going two steps back and setting up a layer 3 NAT MitM
  2. Going one step forward and setting up a simple network bridge
  3. Trying to set up the Layer 3 MitM again and googling the problem

Layer 3 MitM setup:

+--------+      +------+      +--------+
| CLIENT | <--> | MITM | <--> | SERVER |
+--------+      +------+      +--------+

The Layer 3 setup didn't work with the following iptables rules:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080

[Reference]

[Reference]

After adding the following additional rules it worked fine and the entire HTTP(S) traffic of the clients connected to the Pi's access point passed through the Python mitmproxy:

iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Does somebody have an explanation for that? I do not understand why, because for NAT routing it is sufficient to have this single rule:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Layer 2 bridge setup

Next I've set up a simple bridge without the intention to intercept any HTTP(S) traffic:

brctl addbr br0
brctl addif br0 eth0
ip link set dev br0 up

echo "denyinterfaces wlan0 eth0" >> /etc/dhcpcd.conf
echo "interface br0" >> /etc/dhcpcd.conf
echo "bridge=br0" >> /etc/hostapd/hostapd.conf

systemctl daemon-reload

This setup worked fine.

Layer 2 MitM setup:

brctl addbr br0
brctl addif br0 eth0
ip link set dev br0 up

echo "denyinterfaces wlan0 eth0" >> /etc/dhcpcd.conf
echo "interface br0" >> /etc/dhcpcd.conf
echo "bridge=br0" >> /etc/hostapd/hostapd.conf

iptables -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -A PREROUTING -i br0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
iptables -A POSTROUTING -o eth0 -j MASQUERADE

[Reference]

The clients of the Pi's access point have internet access, but the traffic does not pass through the Python mitmproxy.

With the help of Google I've found out that iptables by default does not work for a layer 2 bridge and I need to enable that:

modprobe br_netfilter
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

[Reference]

Also, some additional tweaks didn't solve the problem:

echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

[Reference]

Things have gotten worse as no client connected to the Pi's access point has internet access. I don't see what the problem is. Any ideas?

Maybe that helps:

$ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
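
An added example, not part of the original question: a small Python check that parses iptables command lines like the ones quoted above and reports whether the chain is a built-in chain of the selected table (iptables uses the filter table when -t is omitted) and whether a nat-only target is used outside the nat table. It also reads the bridge-nf-call-iptables sysctl mentioned in the question. The function names are hypothetical, and only the filter, nat and mangle tables are covered.

```python
import shlex
from pathlib import Path

# Built-in chains per table, as documented in the iptables man page.
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
}
NAT_ONLY_TARGETS = {"REDIRECT", "MASQUERADE", "DNAT", "SNAT"}

def _opt(tokens, *names, default=None):
    """Return the value following the first token that is one of `names`."""
    hits = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in names]
    return hits[0] if hits else default

def audit_rule(command):
    """Return a list of findings for one `iptables -A/-I ...` command line."""
    tokens = shlex.split(command)
    table = _opt(tokens, "-t", "--table", default="filter")  # iptables default
    chain = _opt(tokens, "-A", "--append", "-I", "--insert")
    target = _opt(tokens, "-j", "--jump")
    if table not in BUILTIN_CHAINS:
        return [f"table {table!r} is not covered by this check"]
    findings = []
    if chain not in BUILTIN_CHAINS[table]:
        findings.append(f"{chain} is not a built-in chain of table {table!r}")
    if target in NAT_ONLY_TARGETS and table != "nat":
        findings.append(f"target {target} is only valid in 'nat', not {table!r}")
    return findings

def bridge_nf_call_iptables(proc_root="/proc"):
    """True/False for the sysctl value; None if the file is absent
    (br_netfilter not loaded)."""
    path = Path(proc_root, "sys/net/bridge/bridge-nf-call-iptables")
    try:
        return path.read_text().strip() == "1"
    except FileNotFoundError:
        return None

# Rule lines copied from the question (layer 2 variant, then layer 3 variant).
RULES = [
    "iptables -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080",
    "iptables -A POSTROUTING -o eth0 -j MASQUERADE",
    "iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080",
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule, "->", audit_rule(rule) or "ok")
    print("bridge-nf-call-iptables:", bridge_nf_call_iptables())
```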