I'm trying to forward outgoing traffic to a forward proxy called mitmproxy running on my machine. I've tried using the following two approaches (see below), one using ttl and one setting a mark. Unfortunately both of the approaches create a network loop. The mitmproxy docs recommend creating a separate user for mitmproxy and filtering traffic based on user but I'm looking for a way to do it without creating another user. Is there a better way to do this?

MARK approach

Here I redirect a packet if it's not marked, then mark the packet so it's not redirected again.

iptables -t nat -A OUTPUT -p tcp -m mark ! --mark 1 --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp -m mark ! --mark 1 --dport 443  -j REDIRECT --to-port 8080
# set mark
iptables -t mangle -A POSTROUTING -p tcp -j CONNMARK --set-mark 1

delete mark rules with:

iptables -t nat -D OUTPUT -p tcp -m mark ! --mark 1 --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -D OUTPUT -p tcp -m mark ! --mark 1 --dport 443 -j REDIRECT --to-port 8080
iptables -t mangle -D POSTROUTING -p tcp -j CONNMARK --set-mark 1

TTL approach

Here I redirect the packet to the proxy on 8080 if the TTL hasn't been decreased.

iptables -t nat -A OUTPUT -p tcp -m ttl --ttl-gt $TTL_SIZE --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp -m ttl --ttl-gt $TTL_SIZE --dport 443 -j REDIRECT --to-port 8080

delete ttl rules with:

iptables -t nat -D OUTPUT -p tcp -m ttl --ttl-gt $TTL_SIZE --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -D OUTPUT -p tcp -m ttl --ttl-gt $TTL_SIZE --dport 443 -j REDIRECT --to-port 8080

1 Answer

I adapted this Stack Overflow post into the following code that seems to work for me. The thing that I was missing was filtering on the source port.

#! /bin/bash

echo "____BEFORE ANY CHANGES:"
sudo iptables -t nat --line-numbers -n -L OUTPUT

echo "____CHANGING"

# see https://docs.mitmproxy.org/stable/howto-transparent/
# adding/deleting rules needs root as well, so every iptables call goes through sudo
sudo iptables -t nat -A OUTPUT -p tcp --sport 80 --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A OUTPUT -p tcp --sport 443 --dport 443 -j REDIRECT --to-port 8080

echo "____CHANGED"
sudo iptables -t nat --line-numbers -n -L OUTPUT

echo "enter to continue"
read var1

echo "____BEFORE REVERTING:"
sudo iptables -t nat --line-numbers -n -L OUTPUT

echo "____REVERTING"
sudo iptables -t nat -D OUTPUT -p tcp --sport 80 --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -D OUTPUT -p tcp --sport 443 --dport 443 -j REDIRECT --to-port 8080

echo "____AFTER REVERTING"
sudo iptables -t nat --line-numbers -n -L OUTPUT
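An added example (my code, not from the question, the answer or the mitmproxy project) that wraps the answer's rule pair so applying and reverting is idempotent: `iptables -C` checks whether each rule is already present before it is appended or deleted, and an EXIT trap removes the rules even if the script is interrupted, so no stale REDIRECT rule is left in the nat table. It assumes it runs as root with `iptables` in PATH and keeps the answer's `--sport`/`--dport` match exactly as posted.

```shell
#!/bin/bash
# Added example: idempotent apply/revert of the answer's REDIRECT rules.
set -eu

IPT=${IPT:-iptables}              # assumption: run as root, iptables in PATH
PROXY_PORT=${PROXY_PORT:-8080}    # mitmproxy's listening port from the answer

# rule_spec PORT: the chain + match + target shared by -A, -C and -D
rule_spec() {
    echo "OUTPUT -p tcp --sport $1 --dport $1 -j REDIRECT --to-port $PROXY_PORT"
}

# ensure_rule PORT: append only if an identical rule is not already present
ensure_rule() {
    if "$IPT" -t nat -C $(rule_spec "$1") 2>/dev/null; then
        echo "present: port $1"
        return 0
    fi
    "$IPT" -t nat -A $(rule_spec "$1")
    echo "added: port $1"
}

# remove_rule PORT: delete only if the rule is present (avoids -D errors)
remove_rule() {
    if "$IPT" -t nat -C $(rule_spec "$1") 2>/dev/null; then
        "$IPT" -t nat -D $(rule_spec "$1")
        echo "removed: port $1"
    else
        echo "absent: port $1"
    fi
}

apply_rules()  { for p in 80 443; do ensure_rule "$p"; done; }
revert_rules() { for p in 80 443; do remove_rule "$p"; done; }

# `./script.sh apply` installs the rules, shows the chain, and reverts on exit
case "${1:-}" in
    apply)
        trap revert_rules EXIT
        apply_rules
        "$IPT" -t nat --line-numbers -n -L OUTPUT
        printf 'enter to revert '
        read -r _
        ;;
esac
```

Running it twice in a row reports "present" instead of appending duplicate rules, and Ctrl-C at the prompt still triggers the revert through the trap.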