I have set up OpenWRT 23.05rc2 on a Hyper-V VM.
There are two virtual NICs attached: eth0 is br-lan and is set up to be used by other VMs on the virtual switch; eth1 is the WAN and is working fine to connect to my real network.
My plan is to use this setup with mitmproxy or PolarProxy to do traffic analysis and monitoring.
End of /etc/config/firewall:
#Allow Luci on WAN IP?
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
#Disallow direct net connections
config rule
	option name 'Deny net'
	option src 'lan'
	option dest 'wan'
	option target 'DROP'
	list proto 'all'
config include
	option path '/etc/config/firewall.user'
/etc/config/firewall.user:
iptables-nft -t mangle -N DIVERT
iptables-nft -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables-nft -t mangle -A DIVERT -j MARK --set-mark 1
iptables-nft -t mangle -A DIVERT -j ACCEPT
iptables-nft -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8888
iptables-nft -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8888
iptables -t mangle -I PREROUTING -s 10.0.1.252/32 -j RETURN #WAN IP
The problem I'm dealing with at the moment: when starting the firewall, I get
iptables v1.8.8 (nf_tables): Couldn't load match `socket':No such file or directory
Questions:
- How do I set this up with "native" nftables rather than the iptables-nft command line?
- What module is needed for "match socket"?
- What is the correct way to load modules on startup?
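For the first question, here is the firewall.user ruleset above translated to native nftables, as an added example that is not part of the original post. It assumes the nft_socket and nft_tproxy kernel modules are present (on OpenWrt these come from the kmod-nft-socket and kmod-nft-tproxy packages), that the proxy listens in transparent mode on port 8888 as in the post, and that 10.0.1.252 is the router's WAN address as the post's comment says; the table name is arbitrary.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post): nftables equivalent of the
# iptables-nft mangle rules. Declaring and then deleting the table makes the
# file safe to reload repeatedly; the table name "tproxy_divert" is made up.
table ip tproxy_divert
delete table ip tproxy_divert

table ip tproxy_divert {
	chain prerouting {
		# "priority mangle" (-150) corresponds to iptables -t mangle PREROUTING
		type filter hook prerouting priority mangle; policy accept;

		# iptables -t mangle -I PREROUTING -s 10.0.1.252/32 -j RETURN
		# Traffic from the router's own WAN address is never diverted.
		ip saddr 10.0.1.252 accept comment "WAN IP"

		# The DIVERT chain: packets that already belong to a transparent
		# socket (-m socket) are marked 1 and accepted, so replies and
		# follow-up segments of proxied connections keep the local route.
		meta l4proto tcp socket transparent 1 meta mark set 0x1 accept

		# The two TPROXY rules: new HTTP/HTTPS connections are handed to the
		# proxy on port 8888 and marked 1 (the --tproxy-mark 0x1/0x1 part).
		tcp dport { 80, 443 } tproxy to :8888 meta mark set 0x1 accept
	}
}
```

As with the iptables version, the mark only has an effect if the usual TPROXY policy route exists (ip rule add fwmark 1 lookup 100; ip route add local 0.0.0.0/0 dev lo table 100), which the original post does not show.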