Hi All!
First of all thanks for reading at all, its very much appreciated that you are taking the time 
My problem:
I would like to use BurpSuite or mitmproxy to monitor some http traffic on my network.
For iptables the following ip tables work quite well (taken from https://wiki.dd-wrt.com/wiki/index.php/Squid_Transparent_Proxy)
# allow routing inside the lan for port 80 without proxy / block continued rewriting?
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# Everything NOT coming from proxy on port 80 tcp is Destination Natted to the proxy
iptables -t nat -A PREROUTING -i br0 ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# everything from the network to the proxy is source natted to the router ip
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
# all packages flowing though router from the LAN net directed at the proxy on port x are acceppted
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
However when trying to replicate the same on openwrt/nftables i am running into problems. Running tcpdump on the router my packages seem to be properly rewritten but they never get deliverd to the host running the proxy. When applying the same rule for proxy host, I get packages to show up in my Proxy which makes me believe that packages are just dropped by the firewall. However I am not sure how to debug this.
I am also running wireguard and pbr on this box, I dont think this is causing any issues but I wouldnt be surprised either...
Did anyone successfully setup something like this before? Any pointers on how to debug the packages being dropped?
Any Help would be very much appreciated!
Setup:
I have one wifi connected to a zone called 'proxied-lan' which is exposed over a wifi adapter. The host running the proxy server and the host that I want to capture logs from are in the same zone (192.168.2.1/24)
Host Running Proxy: 192.168.2.129
Host I would like to proxy the traffic from: 192.168.2.100
OpenWrt 23.05.0 r23497-6637af95aa / LuCI openwrt-23.05 branch git-23.236.53405-fc638c8
Here are some further configs:
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'proxied'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'proxied_lan'
option log '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option log '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option log '1'
config rule
option name 'Allow Forawds to Proxy'
option target 'ACCEPT'
list dest_ip '192.168.2.129'
list dest_ip '192.168.2.100'
list proto 'tcp'
option dest 'proxied'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'wire_fw'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wireguard'
option log '1'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'proxied'
option dest 'wan'
config forwarding
option src 'proxied'
option dest 'wire_fw'
config forwarding
option src 'lan'
option dest 'wire_fw'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
config redirect
option target 'DNAT'
option name 'DNAT to proxy'
option src 'proxied'
option src_dport '80'
option dest_ip '192.168.2.129'
option dest_port '8080'
list proto 'tcp'
option src_ip '192.168.2.100'
config nat
option name 'Dont Rewrite (Target->Proxy)'
option src 'proxied'
option src_ip '192.168.2.100'
option dest_ip '192.168.2.129'
option target 'ACCEPT'
list proto 'all'
config nat
option name 'SNAT (Proxy->LAN)'
option src 'proxied'
option src_ip '192.168.2.1/24'
option dest_ip '192.168.2.129'
option target 'SNAT'
option snat_ip '192.168.2.1'
list proto 'all'
