I am very new to this, so sorry if I misquote something. I have a Debian 12 laptop, which has 1 built-in Ethernet NIC (eth3) and 1 USB Ethernet NIC (ethx) that I bought. I connect the system as shown below:

Device One --> eth3 --> Debian 12 Laptop (has both layer 2 and layer 3 routing) --> ethx --> Device Two

I want packets to move back and forth, but if a packet from Device One goes to a specific IP address, I want to forward it to mitmproxy for further investigation, i.e. to 127.0.0.1:8080. For reasons I can't specify here, the Ethernet packets also need to travel between Device One and Device Two through my Debian laptop.
But I can't seem to achieve forwarding the wanted packets into mitmproxy and back out to ethx. I have looked it up on the Internet but couldn't find a solution to my problem. I'd appreciate it if anyone knows why I can't intercept those packets. Thanks so much! These are the things I did before writing this post:

  • I created the network bridge using the iproute2 package's commands.
  • I activated net.ipv4.ip_forward=1.
  • I removed the iptables package to completely hand the forwarding over to nftables.
  • I also removed the firewalld package, in case it was blocking something.
  • Here is my /etc/nftables.conf:

    table ip nat {
        chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            masquerade
        }
        chain prerouting {
            type nat hook prerouting priority dstnat; policy accept;
            ip daddr x.y.z.a tcp dport {80,8080} dnat to 127.0.0.1:8080
        }
    }

    table bridge filter {
        chain forward {
            type filter hook forward priority 0; policy accept;
        }
    }

2 Answers

IP routing and filtering are only applied to packets addressed to your host's MAC specifically. Packets that are sent to a different MAC address either take the shortcut through a bridge (if the interface is part of a bridge), or are discarded (if there's no bridge), either way completely bypassing any IP processing.

So if you want to redirect specific packets, either a) you should remove the bridge, configure the victim host to use you as their IP gateway, and rely on IP-layer forwarding; or b) use the 'brouting' trick to have the bridge lift specific packets to the IP routing layer as if they were sent to your MAC address.

For option b), see nftables: How to get BROUTING behavior like ebtables legacy? for instructions on how to achieve it through nftables.

Also, pedantic note: nftables NAT doesn't route anything; it rewrites packets before they are routed. Hence the 'prerouting' hook name.

grawity
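A complete ruleset illustrating option b) from this answer, written here as an added example rather than taken from the linked post or the question. It assumes the two NICs are enslaved to a bridge named br0, that br0 carries an IP address and the constructed MAC 02:00:00:00:00:01, and that x.y.z.a is the address being investigated; the bridge-family rule lifts matching frames into the IP stack, after which the ordinary nat hooks apply.

```nft
#!/usr/sbin/nft -f
# Constructed example (not from the original page). Assumed names: bridge br0
# enslaving eth3 and ethx, br0 MAC 02:00:00:00:00:01, target address x.y.z.a.
flush ruleset

table bridge brouter {
    chain prerouting {
        # Runs before the bridge makes its forwarding decision. A frame that
        # matches gets the bridge's own MAC and pkttype "host", so the kernel
        # hands it to IP routing instead of switching it straight out of ethx.
        type filter hook prerouting priority -300; policy accept;
        iifname "eth3" ip daddr x.y.z.a tcp dport { 80, 8080 } meta pkttype set host ether daddr set 02:00:00:00:00:01 counter accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The lifted packet now enters via br0 as a locally routed packet, so
        # NAT works. "redirect" sends it to br0's own address on port 8080,
        # which avoids the route_localnet sysctl a DNAT to 127.0.0.1 needs.
        iifname "br0" ip daddr x.y.z.a tcp dport { 80, 8080 } counter redirect to :8080
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Connections mitmproxy opens towards the real server leave via br0
        # with the laptop's own address.
        oifname "br0" masquerade
    }
}
```

Traffic that does not match the bridge rule is still switched between eth3 and ethx untouched; mitmproxy must run in transparent mode (mitmproxy --mode transparent --listen-port 8080) so it recovers the original destination from the redirected connection.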

Set net.bridge.bridge-nf-call-iptables=1 to enable packet filtering on the bridge.

See Bridge filtering with nftables (PDF) for more details on configuring nftables with bridge interfaces.

MM11