
Here's the physical layout:
IOT_device--eth_cable--router2--eth_cable--usb_eth_interface--linux_box:internal_wifi~~wifi_connection~~router1--eth_cable--modem--internet

Here's what I have successfully set up:
router1 uses 192.168.1.x (interface wlp0)
router2 uses 192.168.2.x (interface eth0)
linux_box has a dedicated IPv4 address on each of the routers
router2 is set to use the address it has dedicated to linux_box as its IPv4 gateway

Here's what I'm trying to do:
All packets that come over router2 and arrive at linux_box on eth0 should go to mitmproxy where it can do its thing (including analyzing and decrypting the TLSv1.3 traffic of an application with wireshark), and then the packets should continue to wlp0 and pass over router1 on the way to the internet. I also want to catch everything that comes back from the internet in response to these outbound packets, similarly through mitmproxy (and wireshark etc.) before it is passed back across router2.

I've lurked on SO for over a decade now, and this is the first time I have had a need to register an account so that I can ask a question. I want to make sure that absolutely nothing goes between router2 and router1 unless mitmproxy has done its business.

I've read many examples of ways to do individual parts of what I want to do, but I can't figure out how to put all the parts together (which is what I usually do when I need to solve a somewhat novel problem). As far as I can tell, iptables rules are sufficient to accomplish this task... but then again, if I knew this to be certain, I would be reading the appropriate parts of the appropriate manuals instead of asking anyone else to take up their time to help.

The example iptables modifications for mitmproxy in transparent mode:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
don't provide me much assurance that everything is going to happen exactly as I want it to. As far as I can tell, by consulting the iptables man pages, these just redirect eth0 ports 80 and 443 onto eth0 port 8080. Even if I were absolutely certain that IOT_device would only ever attempt to (TLS) communicate over ports 80 and 443 (which I absolutely cannot be sure of), I am unable to confirm via documentation or internet searches (including searching SO) that mitmproxy will use wlp0 on the other side.

My question is: What iptables rules do I need in order to accomplish this goal?

If I have the rules in front of me, I know that I can use the aforementioned resources to understand what the rules do, and therefore understand why they do what I want them to do. However, if it is not possible to accomplish my goal with only the use of iptables rules, I am open to other methods.

Thank you for your time!

    I’m voting to close this question because GENERAL IPTABLES SUPPORT IS OFF-TOPIC. Support questions may be asked on https://superuser.com. Use this tag only for questions on programming with iptables. Questions about configuring iptables should be asked on Server Fault (https://serverfault.com/tour). – Rob Jul 02 '21 at 09:07
  • I'm not looking for general support - I've got a particular use-case, and I'm trying to program modifications for mitmproxy - modifications which absolutely require iptables to be involved; although I'm not 100% certain that the answer to my question will involve iptables. – thebigbadme Jul 04 '21 at 20:33

1 Answer


You are pretty close here. If you want to forward any TCP connection (not just 443 or 80) to a local port you can just remove the port-specific matching part of the rule, i.e. iptables -t nat -A PREROUTING -i eth0 -p tcp -j REDIRECT --to-port 8080.

What this means is that any TCP traffic that comes in on eth0 that's not part of an existing connection will be NAT'd to port 8080 on the local machine.

For enforcement there are two things you can do.

For ensuring your host does not forward packets you can set the sysctl ipv4.ip_forward=0 and/or set the default policy on the FORWARD chain in the filter table to DROP. What this will do is ensure that any traffic coming to your host goes through some local process.

For ensuring traffic from eth0 only ever goes to port 8080 you should be able to do something like

iptables -t filter -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -j DROP

Note, you'll likely want to add some exceptions for ctstate ESTABLISHED, RELATED to the above, otherwise your host won't be able to talk out on that interface, but that's beyond the scope of this question.

maxstr
  • The question is off topic here. Do not answer off topic questions. [answer] and [What topics can I ask about here?](https://stackoverflow.com/help/on-topic) – Rob Jul 02 '21 at 09:08
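Putting the pieces from the answer together (the port-agnostic REDIRECT, a DROP policy on FORWARD plus ip_forward=0, the INPUT rules for eth0, and the ESTABLISHED,RELATED exception the answer mentions as out of scope) as one reviewable ruleset. This is an added example, not code from the question or from maxstr's answer. The interface names (eth0 toward router2, wlp0 toward router1) and the proxy port 8080 come from the question; the LOG rule, the iptables-restore format and the helper function names are assumptions for the lab box.

```shell
#!/bin/sh
# Added example (not from the question or the answer): one iptables-restore
# ruleset combining the rules discussed above. eth0, wlp0 and port 8080 are
# from the question; the LOG rule and helper names are assumptions.

LAN_IF="eth0"          # side facing router2 / IOT_device
WAN_IF="wlp0"          # side facing router1 / internet (default route goes out here)
PROXY_PORT="8080"      # mitmproxy --mode transparent listens on this port

# Emit the ruleset in iptables-restore format so it can be read as a whole
# before it is loaded. Within a chain the first matching rule wins.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# Every new TCP connection arriving from the IoT side, whatever its destination
# port, is redirected to the local proxy. Nothing else touches this chain.
-A PREROUTING -i ${LAN_IF} -p tcp -j REDIRECT --to-ports ${PROXY_PORT}
COMMIT
*filter
:INPUT ACCEPT [0:0]
# Default DROP on FORWARD: the kernel never moves a packet from ${LAN_IF} to
# ${WAN_IF} by itself; only a local process (the proxy) carries traffic across.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this box opened itself (including the proxy's
# outbound side on ${WAN_IF}) must be allowed back in.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# From the IoT side only the redirected TCP flows may reach the box ...
-A INPUT -i ${LAN_IF} -p tcp --dport ${PROXY_PORT} -j ACCEPT
# ... and everything else arriving on that interface (UDP, ICMP, other ports)
# is logged, then dropped, so traffic the proxy cannot see shows up in the log.
-A INPUT -i ${LAN_IF} -j LOG --log-prefix "iot-unproxied: "
-A INPUT -i ${LAN_IF} -j DROP
COMMIT
EOF
}

# Sanity check: how many generated lines mention a given chain, target or match.
count_rules() {
    gen_rules | grep -c -- "$1"
}

# Load the ruleset. Run as root after starting mitmproxy in transparent mode.
apply_rules() {
    # Belt and braces: turn forwarding off in the kernel as well as in FORWARD.
    sysctl -w net.ipv4.ip_forward=0
    gen_rules | iptables-restore
}

# Usage:
#   gen_rules       # review the ruleset
#   apply_rules     # load it (root)
```

Two consequences worth knowing before loading this: anything that is not TCP from the IoT side, DNS over UDP in particular, is dropped and logged rather than proxied, so a device that needs DNS has to be served by something on the box itself; and the proxy's outbound connections are ordinary locally originated traffic, so they leave via whatever interface holds the default route, which in the layout from the question should be wlp0.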