Transparent proxying and nftables

I have set up OpenWrt 23.05rc2 on a Hyper-V VM.
There are two virtual NICs attached: eth0 is br-lan and is set up to be used by other VMs on the virtual switch.

eth1 is the WAN and is working fine to connect to my real network.

My plan is to use this setup with mitmproxy or PolarProxy to do traffic analysis and monitoring.

End of /etc/config/firewall

#Allow Luci on WAN IP?
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

#Disallow direct net connections
config rule
        option name 'Deny net'
        option src 'lan'
        option dest 'wan'
        option target 'DROP'
        list proto 'all'

config include
        option path /etc/config/firewall.user

/etc/config/firewall.user

# Flush leftovers first; a re-run otherwise duplicates rules ("Chain already exists").
iptables-nft -t mangle -F PREROUTING
iptables-nft -t mangle -F DIVERT 2>/dev/null
iptables-nft -t mangle -X DIVERT 2>/dev/null
# Skip the router's own WAN address, then mark packets that already belong to a local socket.
iptables-nft -t mangle -I PREROUTING -s 10.0.1.252/32 -j RETURN #WAN IP
iptables-nft -t mangle -N DIVERT
iptables-nft -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables-nft -t mangle -A DIVERT -j MARK --set-mark 1
iptables-nft -t mangle -A DIVERT -j ACCEPT
# New HTTP/HTTPS connections go to the proxy on 8888 with the same mark.
iptables-nft -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8888
iptables-nft -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8888
# Deliver mark-1 packets locally (required for TPROXY; see the kernel tproxy doc).
ip rule add fwmark 1 lookup 100 2>/dev/null
ip route replace local 0.0.0.0/0 dev lo table 100

The problem I'm dealing with at the moment: when starting the firewall, I get
iptables v1.8.8 (nf_tables): Couldn't load match `socket':No such file or directory

Questions:

  • How do I set this up with "native" nftables rather than the iptables-nft command line?
  • What module is needed for "match socket"?
  • What is the correct way to load modules on startup?

It’s not built by default in OpenWrt, but if you build from source, you’d want to enable CONFIG_NFT_SOCKET in the kernel config.

/lib/modules/5.15.118/nft_socket.ko isn't enough?

Oops. See:

root@OpenWrt:~# opkg install kmod-nf-socket kmod-nft-socket
Package kmod-nf-socket (5.15.118-1) installed in root is up to date.
Package kmod-nft-socket (5.15.118-1) installed in root is up to date.

root@OpenWrt:~# insmod /lib/modules/5.15.118/nf_socket_ipv4.ko
module is already loaded - nf_socket_ipv4
root@OpenWrt:~# insmod /lib/modules/5.15.118/nft_socket.ko
module is already loaded - nft_socket

root@OpenWrt:~# service firewall restart
iptables: Chain already exists.
iptables v1.8.8 (nf_tables): Couldn't load match `socket':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

You are actually using iptables so you need to install other modules.

opkg update; opkg install kmod-ipt-socket iptables-mod-socket kmod-nf-tproxy kmod-ipt-tproxy iptables-mod-tproxy

Here are examples of both syntaxes:

https://docs.kernel.org/networking/tproxy.html

I thought iptables-nft was supposed to be a wrapper around nftables.