Geek Answers Handbook

Failed to configure port forwarding for transparent proxy on Mac OS X

I am trying to configure a transparent proxy on my Mac OS X Lion (10.7.5), so I can use mitmproxy (to intercept SSL traffic from android applications). I followed the steps in the mitmproxy files to configure port forwarding using pf on Mac OS X , and they all went without errors:

$ sudo sysctl -w net.inet.ip.forwarding=1 Password: net.inet.ip.forwarding: 0 -> 1 $ sudo pfctl -f pf.conf No ALTQ support in kernel ALTQ related functions disabled $ sudo pfctl -e No ALTQ support in kernel ALTQ related functions disabled pf enabled

But this did not seem to have any effect. When I go to websites in my browser, it makes a direct request and does not go through the port I specified. Here is the pf.conf file ( pf.conf is my wifi):

 rdr on en1 inet proto tcp to any port 80 -> 127.0.0.1 port 4500 rdr on en1 inet proto tcp to any port 443 -> 127.0.0.1 port 4500
+8
proxy networking portforwarding macos mitmproxy
source share
3 answers

Thanks for stopping by IRC today. I followed this up, and the main problem is that rdr rules apply to inbound traffic. This means that they will NOT redirect traffic coming from the window itself. If you think about it, it is inevitable: we cannot distinguish an outgoing connection from a non-mitmproxy application and an outgoing connection from mitmproxy itself. We can use route-to to send traffic to lo0 and then redirect it, but this causes an endless loop in which mitmproxy's own outgoing connections are also redirected back to mitmproxy.

Since I am a little versed in your use case, I would suggest exploring ways to do this with VirtualBox. The attack plan would be to install the VirtualBox network in bridge mode, and then use the pf rule with a match on the source address to redirect traffic to mitmproxy. This should do what you want, and not cause a singularity in time and space due to infinite redirection.

Please re-launch the IRC channel if you need further hand.

+2
source share

Have you tried net.inet.ip.scopedroute=0 ? From http://lucumr.pocoo.org/2013/1/6/osx-wifi-proxy/ :

Now, if you finish this setup, you will notice that nothing actually works. The reason for this is an error in the OS X kernel, for this it is necessary to turn the net.inet.ip.scopedroute flag to 0. I am not completely sure what it is doing, but the Internet reports that it is breaking the network through user settings. In any case, it fixes ipfw so you can flip it using sysctl:

$ sudo sysctl -w net.inet.ip.scopedroute=0

Unfortunately, in OS X Lion this flag cannot be flipped from userpace, so you need to set it as a boot option and then restart your computer. You can do this by editing the /Library/Preferences/SystemConfiguration/com.apple.Boot.plist file (Continued ...)

+2
source share

Port 8080 is used instead of port 8080. Do you run mitmproxy using the port specification ?: mitmproxy -T -host -p 4500

Have you completed the steps to install the certificate on your Android device? http://mitmproxy.org/doc/certinstall/android.html

Another problem may be the gateway on your Android phone: Preferences - Wi-Fi - Keep on the network you use - Change network - Advanced settings - Set the IP address of your machine as a gateway using mitmproxy.

By the way, I have one warning with the ALTQ function, but it works.

0
source share

More articles:


All Articles