---
title: "Transparent Proxying"
menu:
    howto:
        weight: 1
---

# Transparent Proxying

When a transparent proxy is used, traffic is redirected into a proxy at the
network layer, without any client configuration being required. This makes
transparent proxying ideal for those situations where you can't change client
behaviour - proxy-oblivious mobile applications being a common example.

To set up transparent proxying, we need two new components. The first is a
redirection mechanism that transparently reroutes a TCP connection destined for
a server on the Internet to a listening proxy server. This usually takes the
form of a firewall on the same host as the proxy server -
[iptables](http://www.netfilter.org/) on Linux or
[pf](https://en.wikipedia.org/wiki/PF_(firewall)) on OSX. When the proxy
receives a redirected connection, it sees a vanilla HTTP request, without a host
specification. This is where the second new component comes in - a host module
that allows us to query the redirector for the original destination of the TCP
connection.

At the moment, mitmproxy supports transparent proxying on OSX Lion and above,
and all current flavors of Linux.
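
The original-destination lookup described above, sketched for Linux as an added example (not mitmproxy's own code): after an iptables `REDIRECT`, netfilter exposes the connection's first destination through the `SO_ORIGINAL_DST` socket option. It covers IPv4 only; the function names, the constructed sample address and the listener on port 8080 are assumptions for illustration.

```python
import socket
import struct

# From <linux/netfilter_ipv4.h>; the socket module does not export it.
SO_ORIGINAL_DST = 80
SOL_IP = getattr(socket, "SOL_IP", 0)
SOCKADDR_IN_LEN = 16  # sizeof(struct sockaddr_in)

# Constructed sample: the sockaddr_in netfilter would return for a connection
# first addressed to 203.0.113.10:443 (documentation address range).
CONSTRUCTED_SAMPLE = (
    struct.pack("=H", socket.AF_INET)   # sin_family, host byte order
    + struct.pack("!H", 443)            # sin_port, network byte order
    + socket.inet_aton("203.0.113.10")  # sin_addr
    + bytes(8)                          # sin_zero padding
)


def parse_sockaddr_in(raw):
    """Decode a struct sockaddr_in into (host, port)."""
    if len(raw) < 8:
        raise ValueError("truncated sockaddr_in")
    (family,) = struct.unpack_from("=H", raw, 0)
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    (port,) = struct.unpack_from("!H", raw, 2)
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(conn):
    """Ask netfilter where a REDIRECTed IPv4 connection was first headed."""
    raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    return parse_sockaddr_in(raw)


def serve_once(port=8080):
    """Accept one redirected connection and report its original destination."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            return peer, original_destination(conn)


if __name__ == "__main__":
    print(parse_sockaddr_in(CONSTRUCTED_SAMPLE))  # offline demo
```

`serve_once()` only returns a useful answer on a Linux host where a `REDIRECT` rule is sending traffic to the listening port; the parser can be exercised offline with the constructed sample.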


## Linux

On Linux, mitmproxy integrates with the iptables redirection mechanism to
achieve transparent mode.

### 1. Enable IP forwarding.

{{< highlight bash  >}}
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
{{< / highlight >}}

This makes sure that your machine forwards packets instead of rejecting them.

If you want to persist this across reboots, you need to adjust your `/etc/sysctl.conf` or
a newly created `/etc/sysctl.d/mitmproxy.conf` (see [here](https://superuser.com/a/625852)).

### 2. Disable ICMP redirects.

{{< highlight bash  >}}
sysctl -w net.ipv4.conf.all.send_redirects=0
{{< / highlight >}}

If your test device is on the same physical network, your machine shouldn't inform the device that
there's a shorter route available by skipping the proxy.

If you want to persist this across reboots, see above.

### 3. Create an iptables ruleset that redirects the desired traffic to mitmproxy.

Details will differ according to your setup, but the ruleset should look
something like this:

{{< highlight bash  >}}
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080