Nftables/iptables rule for mitm

I'm looking into the security of an IoT device on my network. I have discovered that the server the IoT device communicates with uses a self-signed certificate. That leads me to believe the IoT device should accept any self-signed certificate.

I have set up mitmproxy running on a Kali VM to decrypt the traffic between the IoT device and its server. I now need to route the traffic through mitmproxy (transparent proxy). https://docs.mitmproxy.org/stable/howto-transparent/

Let's say that my IoT device is on 192.168.1.10, and mitmproxy is on 192.168.1.20. What rules do I need to set up on OpenWrt to route the traffic correctly? And how is this done now that iptables has been replaced by nftables?

That is a wrong assumption. Just because the server has a self-signed certificate doesn't mean that the clients will accept any self-signed certificate. The client might as well have a certificate issued by the same self-signed CA.

If they are in the same network, you cannot exactly route any traffic. What you can do is duplicate the interesting traffic and mirror it to another interface, or try to put the mitmproxy really in the middle.

1 Like

How would that work? I thought TLS didn't use any form of pre-shared key?

The certificate handling here seems like a mess overall. I think the client will just accept any certificate I give it.

  1. The domain on the certificate does not match the domain the client connects to.
  2. The domain on the certificate expired years ago.
  3. The domain on the certificate includes the word "test"

Right now they are on different subnets/VLAN, I can change this as needed. I would think there is a way to achieve what I'm looking for? I don't think mirroring the traffic would work, I need to capture traffic in both directions.

Normally the traffic flow goes like this: LAN -> OpenWrt -> WAN
If I could somehow make it go: LAN -> OpenWrt -> SOCKS Proxy
this would be pretty easy, but as far as I know this is not possible. Or perhaps I could do something with policy-based routing?

(In a very simplified way, I admit, just some notes:
-1) A self-signed certificate does not equal any certificate.
0) A certificate basically provides identity trust: it tells you that I am who I claim to be. Using a trusted cert chain, you can be sure this statement is true. If it is a self-signed cert, that does not make you a liar; it only means the CA was not a well-known public CA.)

  1. opkg install iptables-nft, then iptables-translate "whatever iptables rule" will tell you the close ( * ) nft equivalent
    ( * ) As nftables is not 100% the same as iptables, it is an attempt; not everything can be translated.

Example, assuming your proxy is listening on 8080:

$ iptables-translate -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
nft add rule ip nat PREROUTING iifname "eth0" tcp dport 443 counter redirect to :8080
2 Likes
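Putting the policy-based-routing idea from the earlier post together with the nft redirect from the post above, here is an added example that is not from anyone in the thread. It generates (and, as root, optionally applies) both halves of the setup: on OpenWrt, a source-based routing rule that sends only 192.168.1.10's traffic to the mitmproxy host as next hop instead of straight to WAN; on the mitmproxy host, the nftables REDIRECT of ports 80/443 into the proxy listener that `mitmproxy --mode transparent` expects. The REDIRECT has to live on the mitmproxy host, because mitmproxy recovers the real server address from that host's conntrack (SO_ORIGINAL_DST); a DNAT on OpenWrt would lose it. Everything beyond the two IPs in the question is an assumption: proxy port 8080, LAN interface names `br-lan` (OpenWrt) and `eth0` (Kali), LAN prefix 192.168.1.0/24, routing table 100, the nft table name `mitm`, and an `ip` binary on OpenWrt that supports `ip rule`.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (and optionally applies) the
# two halves of a transparent-mitmproxy setup:
#   1. on OpenWrt: policy-based routing so only the IoT device's traffic is
#      routed to the mitmproxy host instead of straight to WAN
#   2. on the mitmproxy host: an nftables REDIRECT of ports 80/443 to the
#      proxy listener, which is what `mitmproxy --mode transparent` expects
# Assumptions (not in the original post): proxy listens on 8080, LAN is
# 192.168.1.0/24 on br-lan (OpenWrt) and eth0 (Kali), routing table 100 and
# the nft table name "mitm" are arbitrary, and OpenWrt's ip supports `rule`.

IOT_IP="${IOT_IP:-192.168.1.10}"
PROXY_IP="${PROXY_IP:-192.168.1.20}"
PROXY_PORT="${PROXY_PORT:-8080}"
PROXY_IF="${PROXY_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-br-lan}"
PBR_TABLE="${PBR_TABLE:-100}"

# OpenWrt side. A source-based rule sends packets *from* the IoT device to
# table 100. That table keeps the LAN directly connected (so device-to-LAN
# traffic is not bounced through the proxy) and points the default route at
# the proxy host. Every other LAN host keeps using the main table. No
# firewall change is needed while both hosts are in the same zone (lan
# forwards to lan by default); across VLANs/zones a forwarding rule is
# required as well.
openwrt_pbr_commands() {
    cat <<EOF
ip route add $LAN_NET dev $LAN_IF table $PBR_TABLE
ip route add default via $PROXY_IP table $PBR_TABLE
ip rule add from $IOT_IP lookup $PBR_TABLE priority 1000
EOF
}

# Proxy side, step 1: the Kali box must forward, and should not send ICMP
# redirects telling the device to reach servers via a different gateway.
proxy_sysctl_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.send_redirects=0
EOF
}

# Proxy side, step 2: REDIRECT rewrites the destination to a local address;
# mitmproxy then asks conntrack for the original destination, so the NAT
# must happen on this host. Matching on the IoT source address keeps any
# other traffic that happens to transit the box untouched.
proxy_nft_ruleset() {
    cat <<EOF
table ip mitm {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "$PROXY_IF" ip saddr $IOT_IP tcp dport { 80, 443 } counter redirect to :$PROXY_PORT
    }
}
EOF
}

require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
}

case "${1:-show}" in
    show)
        echo "# --- run on OpenWrt ---";           openwrt_pbr_commands
        echo "# --- run on $PROXY_IP ---";         proxy_sysctl_commands
        echo "# --- nft -f on $PROXY_IP ---";      proxy_nft_ruleset
        ;;
    apply-openwrt)
        require_root
        openwrt_pbr_commands | sh -e
        ;;
    apply-proxy)
        require_root
        proxy_sysctl_commands | sh -e
        proxy_nft_ruleset | nft -f /dev/stdin
        ;;
    *)
        echo "usage: $0 [show|apply-openwrt|apply-proxy]" >&2
        exit 2
        ;;
esac
```

Run it with `show` first and read the two command lists; `apply-openwrt` goes on the router and `apply-proxy` on the Kali VM, with mitmproxy started as `mitmproxy --mode transparent --showhost` on port 8080. Check the path before trusting the capture: `nft list table ip mitm` on Kali should show the counter climbing when the device talks, and `ip route get 1.1.1.1 from 192.168.1.10 iif br-lan` on OpenWrt should name 192.168.1.20 as the next hop. Routes and rules added with plain `ip` are not persistent; once it works, move them to /etc/rc.local or a hotplug script.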

The REDIRECT will not make it mitm as the packet will have changed the destination IP to that of the OpenWrt. You need to make a copy of the packet and feed it to the mitm proxy.

If the clients came preconfigured with the certificate from the same authority, that could work. I don't know the exact details of the devices that you are using, so I am just guessing here.

My example is more about how to use iptables-translate than a complete solution, so thanks for pointing out that another rule is required.

1 Like