
I have set up a bridge and would like to redirect HTTP/HTTPS traffic traversing it to a local port (8080) so that I can further process it using mitmproxy.

So far I was using a combination of ebtables & iptables rules. Unfortunately, I had to learn that ebtables does not support the table 'broute' anymore and that I should use nftables instead.


Software used:

  • KALI Linux 2019.4
  • nftables v0.9.2
  • mitmproxy v4.0.4

How I created the bridge:

root@kali:~# ip link add name br0 type bridge
root@kali:~# ip link set dev br0 up
root@kali:~# ip link set dev eth0 master br0
root@kali:~# ip link set dev eth2 master br0

My interfaces:

root@kali:~# ifconfig eth0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.178.67  netmask 255.255.255.0  broadcast 192.168.178.255
        ether 00:01:c0:1b:4b:31  txqueuelen 1000  (Ethernet)

root@kali:~# ifconfig eth2

eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:01:c0:1b:4b:b2  txqueuelen 1000  (Ethernet)

root@kali:~# ifconfig br0

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::e8c3:adff:fe19:f804  prefixlen 64  scopeid 0x20<link>
        inet6 2003:e5:3f18:d100:201:c0ff:fe1b:4b31  prefixlen 64  scopeid 0x0<global>
        ether 00:01:c0:1b:4b:31  txqueuelen 1000  (Ethernet)

My routing table:

root@kali:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fritz.box       0.0.0.0         UG    0      0        0 br0
192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 br0

At first, I thought that my goal would be fairly easy to achieve. That said, it turned out that nftables does not (yet) support 'broute' either (see this post). Luckily a workaround was mentioned in the post, too.

Still, it took me quite some time to get it going. So I decided to document what I was doing. Please do not hesitate to comment or offer an even better solution.

Thank you!

Tobi

Tobias

1 Answer

Here is what worked for me:

root@kali:~# nft add table bridge t1
root@kali:~# nft add chain bridge t1 c1 { type filter hook prerouting priority 0\; }
root@kali:~# nft add rule bridge t1 c1 tcp dport 80 meta pkttype set host ether daddr set 00:01:c0:1b:4b:31 counter
root@kali:~# nft add rule bridge t1 c1 tcp dport 443 meta pkttype set host ether daddr set 00:01:c0:1b:4b:31 counter

root@kali:~# nft add table inet t2
root@kali:~# nft add chain inet t2 c2 { type nat hook prerouting priority 0\; }
root@kali:~# nft add rule inet t2 c2 tcp dport 80 counter redirect to 8080
root@kali:~# nft add rule inet t2 c2 tcp dport 443 counter redirect to 8080

The rules in chain "c1" are responsible for changing the Ethernet destination address of HTTP(S) traffic to the MAC address of the local device, while the rules in chain "c2" redirect the TCP destination ports 80/443 to 8080, where mitmproxy is listening.

Finally, this is how I started mitmproxy:

root@kali:~# mitmproxy --mode transparent --showhost --set block_global=false

It's not perfect, but at least, it seems to work for me.

Tobias
  • I think the “ether daddr set 00:01:c0:1b:4b:31” is not really needed: Setting the pkttype to host already is sufficient for having the packet routed instead of bridged. – Sebastian Marsching Aug 08 '21 at 17:16
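The eight interactive commands from the answer collected into one ruleset file that can be loaded atomically with `nft -f` (an added example, not part of the original answer; the interface names, the bridge MAC and port 8080 are taken from the question, and the `iifname` restrictions are an addition so that only traffic arriving through the bridge is touched):

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Load with: nft -f bridge-mitm.nft
# Assumes br0 bridges eth0/eth2 and mitmproxy listens on 8080 (as in the question).

table bridge t1 {
    chain c1 {
        type filter hook prerouting priority 0; policy accept;
        # Mark HTTP(S) frames entering through a bridge port as addressed to
        # this host and rewrite the destination MAC to the bridge's own
        # address, so the frame is handed to the local IP stack instead of
        # being forwarded to the other bridge port (the 'broute' workaround).
        iifname { "eth0", "eth2" } tcp dport { 80, 443 } meta pkttype set host ether daddr set 00:01:c0:1b:4b:31 counter
    }
}

table inet t2 {
    chain c2 {
        type nat hook prerouting priority 0; policy accept;
        # Packets that were passed up by the bridge arrive on br0; redirect
        # the HTTP(S) ports to mitmproxy's transparent listener. Limiting to
        # br0 leaves services reachable on any other interface untouched.
        iifname "br0" tcp dport { 80, 443 } counter redirect to :8080
    }
}
```

Re-running the file appends the rules a second time, so delete both tables (`nft delete table bridge t1` and `nft delete table inet t2`) before reloading.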