Certmitm with OpenWRT

Hi, all.
I have nice OpenWRT setup with multiple VLANs, etc.
Everything works as expected.
I have one device (a Chinese lawnmower) that I'd like to test with a MITM attack as described in https://www.youtube.com/watch?v=3qSxxNvuEtg.
The thing is - I already have the device connected to "untrusted" VLAN, it works and communicates. I can see the DNS queries in the logs.
What I want to do - I have a test machine on different VLAN, where I can run the mitm python "proxy" server.
I can't find any solution for how to force the communication from IP address 10.10.70.13 that is directed to an external internet address on port 8883 to the local proxy at address 10.10.20.61, port 9090.
I've found a lot of tproxy links on the forum here, but all of them refer to iptables, and when I try to translate the rules, I find out that the nat table referenced in all the how-tos does not exist in nftables.
Can anyone please advise what nftables rules I should add to get the desired outcome?
Note: I don't want the other devices on the 10.10.70.x/24 network to go through the MITM proxy, if possible.

Your description matches DNAT.

Thanks.
But all the examples I've found refer to the nat table, which on OpenWRT does not seem to exist.

% nft 'add rule nat prerouting iif eth0 tcp dport { 80, 443 } dnat to 192.168.1.120'
config redirect 'gollum'
        option name 'grasschopper'
        option src 'lan'
        option src_dport '8883'
        option proto 'tcp udp'
        option family 'any'
        option target 'DNAT'
        option dest_ip '10.10.20.61'
        option dest_port '9090'
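As an added example (not code from the thread or from the OpenWRT project), the script below translates a UCI redirect section like the one above into the nft rules that a firewall4 router would install, which is the translation step the original question got stuck on. It adds the real UCI option src_ip so that only the lawnmower at 10.10.70.13 is diverted and the rest of 10.10.70.0/24 keeps its normal path. The chain name dstnat_<zone> inside table inet fw4 is an assumption about firewall4's layout; check it against 'nft list table inet fw4' on the router, since the rendered rule is only a preview of what the config should produce.

```python
import ipaddress
import re

# Constructed copy of the UCI redirect from the thread, plus an
# 'option src_ip' line so that only the lawnmower at 10.10.70.13 is
# diverted, as the original question asked.
UCI_REDIRECT = """\
config redirect 'gollum'
        option name 'grasschopper'
        option src 'lan'
        option src_ip '10.10.70.13'
        option src_dport '8883'
        option proto 'tcp udp'
        option family 'any'
        option target 'DNAT'
        option dest_ip '10.10.20.61'
        option dest_port '9090'
"""


def parse_uci_section(text):
    """Return the options of a single UCI section as a dict."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*option\s+(\w+)\s+'([^']*)'\s*$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def _port(value):
    """Validate a port number taken from the config."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def redirect_to_nft(opts):
    """Render one 'nft add rule' command per protocol for a DNAT redirect.

    Assumption: firewall4 keeps a zone's DNAT rules in chain dstnat_<zone>
    of table 'inet fw4'. In an inet-family table nft needs 'dnat ip to'
    (or 'dnat ip6 to'), which is what is emitted here.
    """
    if opts.get("target", "DNAT") != "DNAT":
        raise ValueError("only DNAT redirects are handled here")
    dest_ip = ipaddress.ip_address(opts["dest_ip"])
    dport = _port(opts["src_dport"])
    to_port = _port(opts["dest_port"])
    family = "ip" if dest_ip.version == 4 else "ip6"
    dest_txt = f"[{dest_ip}]" if dest_ip.version == 6 else str(dest_ip)
    chain = f"dstnat_{opts['src']}"
    name = opts.get("name", "redirect")

    matches = []
    if "src_ip" in opts:
        # Accept a single host or a CIDR block; anything else fails early.
        src = ipaddress.ip_network(opts["src_ip"], strict=False)
        if src.version != dest_ip.version:
            raise ValueError("src_ip and dest_ip address families differ")
        if src.prefixlen == src.max_prefixlen:
            src_txt = str(src.network_address)   # plain host address
        else:
            src_txt = str(src)                   # CIDR notation
        matches.append(f"{family} saddr {src_txt}")

    rules = []
    for proto in opts.get("proto", "tcp").split():
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol for a port redirect: {proto}")
        parts = ["add rule inet fw4", chain, *matches,
                 f"{proto} dport {dport}",
                 f"dnat {family} to {dest_txt}:{to_port}",
                 f'comment "{name}"']
        rules.append(" ".join(parts))
    return rules


if __name__ == "__main__":
    for rule in redirect_to_nft(parse_uci_section(UCI_REDIRECT)):
        print("nft", rule)
```

Without src_ip the redirect applies to every host in the zone, which is exactly what the question wanted to avoid. After 'uci commit firewall' and a firewall reload, compare 'nft list ruleset' with the rendered rules, and remember that the DNATed packets still have to be allowed to forward from the lawnmower's zone to the one holding 10.10.20.61.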

Thanks! It worked 🙂
