[Solved] How to redirect all TCP 80/443 traffic from one device to another?

Hello,

I'm trying to redirect all the traffic made to ports 80 and 443 from one of my devices, 192.168.2.12, to port 8080 on my other device, 192.168.2.11.

I've set up this:

firewall.@redirect[0]=redirect
firewall.@redirect[0].src='lan'
firewall.@redirect[0].dest_port='8080'
firewall.@redirect[0].dest_ip='192.168.2.11'
firewall.@redirect[0].src_dip='!192.168.2.1'
firewall.@redirect[0].src_ip='192.168.2.12'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].name='Phone redirect'
firewall.@redirect[0].proto='tcp' 'udp'
firewall.@redirect[0].dest='lan'

But the client can't connect to anything on port 80; it times out (I've double-checked that 192.168.2.11 does not have the firewall enabled).

Basically, what I want is to MitM myself to figure out all the traffic that's generated by my phone. .12 is the phone and .11 is my desktop running mitmproxy; they are both connected through 192.168.2.1, the OpenWRT router.

Try enabling masquerading in the lan zone or (better) create an SNAT rule like this:

uci add firewall nat
uci set firewall.@nat[-1].name='SNAT_rule'
uci set firewall.@nat[-1].src='lan'
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].dest_ip='192.168.2.11'
uci set firewall.@nat[-1].snat_ip='192.168.2.1'
uci set firewall.@nat[-1].src_ip='192.168.2.12'
uci set firewall.@nat[-1].proto='all'

Thank you for your reply.

I removed the redirect rule and added the one you suggested, without luck: my phone connects to httpforever.com without problem, and my desktop 192.168.2.11 does not receive any requests.

I tried to modify it like this to reduce the "debug area", but it still doesn't work:

firewall.@nat[0]=nat
firewall.@nat[0].name='SNAT_rule'
firewall.@nat[0].src='lan'
firewall.@nat[0].target='SNAT'
firewall.@nat[0].dest_ip='192.168.2.11'
firewall.@nat[0].snat_ip='192.168.2.1'
firewall.@nat[0].src_ip='192.168.2.12'
firewall.@nat[0].proto='tcp' 'udp'
firewall.@nat[0].dest_port='80'

You need both rules. The SNAT rule should fix the "triangle routing problem" if that is the cause of the issue.

[EDIT]
Please do not modify the SNAT rule I suggested. The destination port in your rule is wrong.

These two IPs are in the same subnet; no traffic passes through the OpenWrt firewall/routing plane for them to establish a connection, so making rules there won't work.

If you placed the two devices in different networks, you could make a rule like that work.

It worked! HTTP traffic is intercepted properly, and HTTPS apparently is too. I just need to figure out the SSL certs, but that's a whole different thing. Thank you!

This is what I've added:

firewall.@nat[0]=nat
firewall.@nat[0].name='SNAT_rule'
firewall.@nat[0].src='lan'
firewall.@nat[0].target='SNAT'
firewall.@nat[0].dest_ip='192.168.2.11'
firewall.@nat[0].snat_ip='192.168.2.1'
firewall.@nat[0].src_ip='192.168.2.12'
firewall.@nat[0].proto='tcp'
firewall.@redirect[0]=redirect
firewall.@redirect[0].src='lan'
firewall.@redirect[0].dest_port='8080'
firewall.@redirect[0].dest_ip='192.168.2.11'
firewall.@redirect[0].src_dip='!192.168.2.1'
firewall.@redirect[0].src_ip='192.168.2.12'
firewall.@redirect[0].name='Phone redirect'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].src_dport='80-443'

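The two rules that finally worked above, as an added example that is not part of the thread: a POSIX sh script for the OpenWrt router that renders both firewall sections as a `uci batch` script and applies them. Everything except the addresses from the thread (the phone .12, the proxy .11 on port 8080, the router .1) is this example's own choice: the function names, the rule names, and two details that deliberately differ from the posted config. First, `src_dport='80-443'` is a port range, so it also redirects every TCP port between 80 and 443 (110, 143, 389 and so on); the example creates one exact-port redirect each for 80 and 443 instead. Second, the SNAT section matches the flow after DNAT has already rewritten it, which is why the suggested rule must not say `dest_port='80'`; the example pins it to the proxy port so only intercepted flows get their source rewritten. That SNAT is what fixes the "triangle routing" problem: without it the desktop answers the phone directly from .11:8080, the phone expects a reply from the original server on port 80 or 443, and the connection times out. With it, the desktop sees the router as the client and replies to it, and the router undoes both translations on the way back.

```shell
#!/bin/sh
# Added example (not from the thread): render and apply the OpenWrt firewall
# rules that steer one LAN host's TCP 80/443 through a transparent proxy on
# another LAN host. Addresses are the thread's; names are this example's own.

PHONE_IP="192.168.2.12"   # client being intercepted
PROXY_IP="192.168.2.11"   # host running: mitmproxy --mode transparent
PROXY_PORT="8080"         # mitmproxy listen port
ROUTER_IP="192.168.2.1"   # OpenWrt LAN address, used as the SNAT source

# Accept only a plain dotted-quad IPv4 literal. Anything else (spaces, quotes,
# a '!' prefix, a CIDR suffix) would turn into extra uci tokens in the batch.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print a `uci batch` script that creates:
#  - one DNAT redirect per intercepted port: phone -> anything except the router
#    itself on TCP 80 or 443 becomes proxy:PROXY_PORT (exact ports, not a range);
#  - one SNAT rule matching the post-DNAT flow (dest proxy:PROXY_PORT) that
#    rewrites the source to the router, so the proxy replies via the router and
#    the phone gets its answer from the address and port it connected to.
intercept_rules() {
    phone="$1" proxy="$2" pport="$3" router="$4"
    for addr in "$phone" "$proxy" "$router"; do
        is_ipv4 "$addr" || { echo "bad IPv4 address: $addr" >&2; return 1; }
    done
    case "$pport" in
        ''|*[!0-9]*) echo "bad port: $pport" >&2; return 1 ;;
    esac
    for port in 80 443; do
        cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='Phone intercept tcp/$port'
set firewall.@redirect[-1].src='lan'
set firewall.@redirect[-1].src_ip='$phone'
set firewall.@redirect[-1].src_dip='!$router'
set firewall.@redirect[-1].src_dport='$port'
set firewall.@redirect[-1].proto='tcp'
set firewall.@redirect[-1].dest='lan'
set firewall.@redirect[-1].dest_ip='$proxy'
set firewall.@redirect[-1].dest_port='$pport'
set firewall.@redirect[-1].target='DNAT'
EOF
    done
    cat <<EOF
add firewall nat
set firewall.@nat[-1].name='Phone intercept SNAT'
set firewall.@nat[-1].src='lan'
set firewall.@nat[-1].src_ip='$phone'
set firewall.@nat[-1].dest_ip='$proxy'
set firewall.@nat[-1].dest_port='$pport'
set firewall.@nat[-1].proto='tcp'
set firewall.@nat[-1].target='SNAT'
set firewall.@nat[-1].snat_ip='$router'
commit firewall
EOF
}

# Run this on the router: feed the batch to uci (the batch commits) and reload
# the firewall so the new DNAT/SNAT rules are loaded into the ruleset.
intercept_apply() {
    intercept_rules "$PHONE_IP" "$PROXY_IP" "$PROXY_PORT" "$ROUTER_IP" | uci batch &&
        /etc/init.d/firewall reload
}
```

Call `intercept_apply` on the router, then confirm the rules landed with `nft list ruleset` (fw4, OpenWrt 22.03 and later) or `iptables -t nat -S` (fw3). Three caveats a practitioner would want: mitmproxy must run in transparent mode, since the phone has no idea it is being proxied; because of the SNAT, every intercepted flow reaches the proxy with source 192.168.2.1, so the proxy cannot tell clients apart if more than one host is ever added to the rules; and the rules cover TCP only, so UDP 443 (QUIC) is not redirected and will bypass the proxy unless it is blocked so the client falls back to TCP. HTTPS still needs the phone to trust the mitmproxy CA, as the poster notes.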
My bad, I see one of the IPs is the router. Glad you got it working!
