Mirroring outbound https traffic w/ iptables

Issues related to configuring your network
Post Reply
vtwin@cox.net
Posts: 23
Joined: 2017/02/16 16:41:29

Mirroring outbound https traffic w/ iptables

Post by vtwin@cox.net » 2018/07/22 21:16:59

I have a couple of IOT devices (thermostats) which talk to the mothership with https . They send a packet of data containing a querystring w/ parameters containing such items as current temperature, which I can view on my smartphone via their app.

I'd like to be able to 'mirror' those packets to my own web server so I can inspect the contents of the querystring with a php script and use the data for other purposes. (the thermostats do not care if the certificate matches or not.)

I found some oblique references to iptables -t mangle -j TEE ... which I played around a little with, but to no avail, e.g.

iptables -t mangle -A PREROUTING -i eth0 -s ip.addy.of.thermostat -j TEE --gateway ip.of.internal.https.server

but see no https activity.

I was able to redirect the traffic to the internal web site with DNAT, e.g.:

iptables -t nat -A PREROUTING -p tcp -s ip.addy.of.thermostat --dport 443 -j DNAT --to-destination ip.of.internal.https.server

Which does "work"... in that I can see the querystring and manipulate it in php.... but then the thermostat is not communicating with the mothership and the mothership start complaining it has "lost communication" with thermostat.

Is what I want to accomplish possible?

aks
Posts: 2538
Joined: 2014/09/20 11:22:14

Re: Mirroring outbound https traffic w/ iptables

Post by aks » 2018/08/27 17:42:04

If I'm understanding you correctly ... probably not.

TLS (HTTP over TLS) is designed to provent somebody eaves dropping on a conversation ... exactly what you're trying to do ... it seems.

hunter86_bg
Posts: 1374
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Mirroring outbound https traffic w/ iptables

Post by hunter86_bg » 2018/08/28 19:05:55

As far as I know smart switches can define a specific port for mirroring all traffic from the other ports (for packet analisys and debugging issues). , so this should be possible but I'm not sure if it's possible with iptables.
Edit: Have you tried the example on this answer ?
The example provided is where spying machine is '192.168.1.100':

Code: Select all

iptables -t mangle -A PREROUTING -d 192.168.1.15 -j TEE --gateway 192.168.1.100
 iptables -t mangle -A PREROUTING -s 192.168.1.15 -j TEE --gateway 192.168.1.100

Post Reply