.. _transparent-dhcp:

Transparently proxify virtual machines
======================================

This walkthrough illustrates how to set up transparent proxying with mitmproxy.
We use VirtualBox VMs with an Ubuntu proxy machine in this example,
but the general *Internet <--> Proxy VM <--> (Virtual) Internal Network* layout can be applied to other environments.

1. Configure Proxy VM
---------------------

On the proxy machine, **eth0** is connected to the internet. **eth1** is connected to the internal
network that will be proxified and is configured to use a static IP (192.168.3.1).

VirtualBox configuration
^^^^^^^^^^^^^^^^^^^^^^^^

.. image:: transparent-dhcp/step1_vbox_eth0.png

.. image:: transparent-dhcp/step1_vbox_eth1.png

VM Network Configuration
^^^^^^^^^^^^^^^^^^^^^^^^

.. image:: transparent-dhcp/step1_proxy.png
    :align: center

2. Configure DHCP and DNS
-------------------------

We use dnsmasq to provide DHCP and DNS in our internal network.
Dnsmasq is a lightweight server designed to provide DNS (and optionally
DHCP and TFTP) services to a small-scale network.

-   Before we get to that, we need to fix some Ubuntu quirks:
    **Ubuntu >12.04** runs an internal dnsmasq instance (listening on loopback only) by default
    `[1] `_.
    For our use case, this needs to be disabled by changing ``dns=dnsmasq`` to ``#dns=dnsmasq`` in
    **/etc/NetworkManager/NetworkManager.conf** and then restarting NetworkManager.

    On Ubuntu 16.04 or newer:

    >>> sudo systemctl restart NetworkManager

    On Ubuntu 12.04 or 14.04:

    >>> sudo restart network-manager

-   Now, dnsmasq can be installed and configured:

    >>> sudo apt-get install dnsmasq

    Replace **/etc/dnsmasq.conf** with the following configuration:

    .. code-block:: none

        # Listen for DNS requests on the internal network
        interface=eth1
        # Act as a DHCP server, assign IP addresses to clients
        dhcp-range=192.168.3.10,192.168.3.100,96h
        # Broadcast gateway and dns server information
        dhcp-option=option:router,192.168.3.1
        dhcp-option=option:dns-server,192.168.3.1

    Apply the changes.

    On Ubuntu 16.04 or newer:

    >>> sudo systemctl restart dnsmasq

    On Ubuntu 12.04 or 14.04:

    >>> sudo service dnsmasq restart

    Your **proxied machine** in the internal virtual network should now receive an IP address via DHCP:

    .. image:: transparent-dhcp/step2_proxied_vm.png

3. Redirect traffic to mitmproxy
--------------------------------

To redirect traffic to mitmproxy, we need to add two iptables rules:

.. code-block:: none

    sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
    sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 8080

4. Run mitmproxy
----------------

Finally, we can run mitmproxy in transparent mode with

>>> mitmproxy -T

The proxied machine cannot leak any data outside of HTTP or DNS requests.
If required, you can now :ref:`install the mitmproxy certificates on the proxied machine `.
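
To confirm that the finished proxy VM matches steps 2 to 4, the script below is an added example and not part of the original walkthrough. It checks the two redirect rules and the dnsmasq options and, as an assumption about why other traffic cannot leak, that IP forwarding is off; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the proxy VM against the walkthrough's settings.
# Function names are hypothetical; interface, ports and addresses are the page's.

# has_redirect RULES DPORT: true if RULES (text of `iptables -t nat -S PREROUTING`)
# redirects TCP/DPORT arriving on eth1 to local port 8080.
has_redirect() {
    printf '%s\n' "$1" | grep -Eq -- \
        "^-A PREROUTING -i eth1 -p tcp( -m tcp)? --dport $2 -j REDIRECT --to-ports? 8080 *\$"
}

# conf_has CONF LINE: true if the dnsmasq configuration contains exactly LINE.
conf_has() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# audit RULES CONF FORWARD: print one line per failed check; exit status = failures.
audit() {
    fails=0
    for port in 80 443; do
        has_redirect "$1" "$port" ||
            { echo "FAIL: tcp/$port on eth1 is not redirected to 8080"; fails=$((fails + 1)); }
    done
    for line in 'interface=eth1' 'dhcp-option=option:router,192.168.3.1' \
                'dhcp-option=option:dns-server,192.168.3.1'; do
        conf_has "$2" "$line" ||
            { echo "FAIL: dnsmasq.conf lacks '$line'"; fails=$((fails + 1)); }
    done
    # Assumption: the no-leak property relies on the proxy VM not routing packets.
    [ "$3" = 0 ] ||
        { echo "FAIL: ip_forward=$3, non-redirected traffic may be forwarded"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample input mirroring the configuration in this walkthrough.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080'
SAMPLE_CONF='interface=eth1
dhcp-range=192.168.3.10,192.168.3.100,96h
dhcp-option=option:router,192.168.3.1
dhcp-option=option:dns-server,192.168.3.1'

if [ "${1:-}" = "--live" ]; then   # live audit on the proxy VM, run as root
    audit "$(iptables -t nat -S PREROUTING)" "$(cat /etc/dnsmasq.conf)" \
          "$(cat /proc/sys/net/ipv4/ip_forward)"
else
    audit "$SAMPLE_RULES" "$SAMPLE_CONF" 0 && echo "sample configuration passes"
fi
```

Run it with ``--live`` as root on the proxy VM to audit the real system; without arguments it only checks the constructed sample.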