[Solved] How to redirect all TCP 80 433 traffic from one device to another?

unknown63 · January 13, 2023, 3:10pm

Hello,

I'm trying to redirect all the traffic made to ports 80 and 443 from one of my devices 192.168.2.12 to the port 8080 of my other device 192.168.2.11

I've set up this:

firewall.@redirect[0]=redirect
firewall.@redirect[0].src='lan'
firewall.@redirect[0].dest_port='8080'
firewall.@redirect[0].dest_ip='192.168.2.11'
firewall.@redirect[0].src_dip='!192.168.2.1'
firewall.@redirect[0].src_ip='192.168.2.12'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].name='Phone redirect'
firewall.@redirect[0].proto='tcp' 'udp'
firewall.@redirect[0].dest='lan'

But the client can't connect to anything on port 80, it times out (I've double checked that 192.168.2.11 does not have the firewall enabled)

Basically what I want is to MitM myself to figure out all the traffic that's generated by my phone, .12 is the phone and .11 is my desktop running mitmproxy, they are both connected through 192.168.2.1 the OpenWRT router.

pavelgl · January 13, 2023, 3:41pm

Try enabling masquerading in the lan zone or (better) create a SNAT rule like this

uci add firewall nat
uci set firewall.@nat[-1].name='SNAT_rule'
uci set firewall.@nat[-1].src='lan'
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].dest_ip='192.168.2.11'
uci set firewall.@nat[-1].snat_ip='192.168.2.1'
uci set firewall.@nat[-1].src_ip='192.168.2.12'
uci set firewall.@nat[-1].proto='all'

unknown63 · January 13, 2023, 3:53pm

Thank you for your reply.

I removed the redirect rule and added the one you suggested, without luck, my phone connects to httpforever.com without problem, and my desktop 192.168.2.11 does not receive any requests.

I tried to modify it like this to reduce the "debug area" but still doesn't work:

firewall.@nat[0]=nat
firewall.@nat[0].name='SNAT_rule'
firewall.@nat[0].src='lan'
firewall.@nat[0].target='SNAT'
firewall.@nat[0].dest_ip='192.168.2.11'
firewall.@nat[0].snat_ip='192.168.2.1'
firewall.@nat[0].src_ip='192.168.2.12'
firewall.@nat[0].proto='tcp' 'udp'
firewall.@nat[0].dest_port='80'

pavelgl · January 13, 2023, 3:57pm

You need both rules. The SNAT rule should fix the "triangle routing problem" if that is the cause of the issue.

[EDIT]
Please do not modify the SNAT rule I suggested. The destination port in your rule is wrong.

lleachii · January 13, 2023, 4:11pm

These 2 IPs are in the same subnet, no traffic passes the OpenWrt firewall/routing plane for them to establish connection. So making rules there won't work.

Placing the 2 devices in different networks - you could make such a rule that could work.

unknown63 · January 13, 2023, 4:20pm

It worked! HTTP traffic is intercepted properly, and the HTTPs is apparently too, I just need to figure out the SSL certs, but that's a whole different thing, thank you!

This is what I've added:

firewall.@nat[0]=nat
firewall.@nat[0].name='SNAT_rule'
firewall.@nat[0].src='lan'
firewall.@nat[0].target='SNAT'
firewall.@nat[0].dest_ip='192.168.2.11'
firewall.@nat[0].snat_ip='192.168.2.1'
firewall.@nat[0].src_ip='192.168.2.12'
firewall.@nat[0].proto='tcp'
firewall.@redirect[0]=redirect
firewall.@redirect[0].src='lan'
firewall.@redirect[0].dest_port='8080'
firewall.@redirect[0].dest_ip='192.168.2.11'
firewall.@redirect[0].src_dip='!192.168.2.1'
firewall.@redirect[0].src_ip='192.168.2.12'
firewall.@redirect[0].name='Phone redirect'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].src_dport='80-443'

lleachii · January 13, 2023, 5:57pm

My bad, I see one of the IPs is the router. Glad you got it working!

system · January 23, 2023, 5:58pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.