MITM on KVM Guests10 Nov 2012 in Security
I run a KVM virtualization system as part of my test lab. I often want to redirect traffic to an intermediate application (such as sslsniff) on the host. Supposing I have a guest on interface vnet7, bridged to br10, with the host running on 192.168.1.10 the following ebtables & iptables magic gets the job done:
ebtables -t broute -A BROUTING -p IPv4 -i vnet7 --ip-proto tcp --ip-dport 443 -j redirect --redirect-target DROP iptables -t nat -A PREROUTING -i vnet7 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.10:9999
Note that you can't use -j REDIRECT, as that's (roughly) equivalent to DNAT to the IP of the incoming interface, but bridged virtual network interfaces (vnet7) have no IP address.