1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
---
title: "Transparently Proxying VMs"
menu:
howto:
weight: 3
---
# Transparently proxify virtual machines
This walkthrough illustrates how to set up transparent proxying with
mitmproxy. We use VirtualBox VMs with an Ubuntu proxy machine in this
example, but the general *Internet \<--\> Proxy VM \<--\> (Virtual)
Internal Network* setup can be applied to other setups.
## 1. Configure Proxy VM
First, we have to find out under which name Ubuntu has mapped our network interfaces. You can find this information with:
{{< highlight bash >}}
ip link
{{< / highlight >}}
Usually with Ubuntu and Virtualbox, **eth0** or **enp0s3** (Ubuntu 15.10 and newer) is connected to the internet and **eth1** or **enp0s8** (Ubuntu 15.10 and newer) is connected to the internal network that will be proxified and configured to use a static ip (192.168.3.1). If the names differ, use the ones you got from the *ip link* command.
### VirtualBox configuration
{{< figure src="/transparent-vms/step1_vbox_eth0.png" >}}
{{< figure src="/transparent-vms/step1_vbox_eth1.png" >}}
### VM Network Configuration
{{< figure src="/transparent-vms/step1_proxy.png" >}}
## 2. Configure DHCP and DNS
We use dnsmasq to provide DHCP and DNS in our internal network. Dnsmasq is a
lightweight server designed to provide DNS (and optionally DHCP and TFTP)
services to a small-scale network. Before we get to that, we need to fix some
Ubuntu quirks: **Ubuntu \>12.04** runs an internal dnsmasq instance (listening
on loopback only) by default
[\[1\]](https://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/). For our use
case, this needs to be disabled by changing `dns=dnsmasq` to `#dns=dnsmasq` in
**/etc/NetworkManager/NetworkManager.conf** and if on Ubuntu 16.04 or newer
running:
{{< highlight bash >}}
sudo systemctl restart NetworkManager
{{< / highlight >}}
If on Ubuntu 12.04 or 14.04 running:
{{< highlight bash >}}
sudo restart network-manager
{{< / highlight >}}
afterwards.
Now, dnsmasq can be be installed and configured:
{{< highlight bash >}}
sudo apt-get install dnsmasq
{{< / highlight >}}
Replace **/etc/dnsmasq.conf** with the following configuration:
{{< highlight none >}}
# Listen for DNS requests on the internal network
interface=eth1
bind-interfaces
# Act as a DHCP server, assign IP addresses to clients
dhcp-range=192.168.3.10,192.168.3.100,96h
# Broadcast gateway and dns server information
dhcp-option=option:router,192.168.3.1
dhcp-option=option:dns-server,192.168.3.1
{{< / highlight >}}
Apply changes:
If on Ubuntu 16.04 or newer:
{{< highlight bash >}}
sudo systemctl restart dnsmasq
{{< / highlight >}}
If on Ubuntu 12.04 or 14.04:
{{< highlight bash >}}
sudo service dnsmasq restart
{{< / highlight >}}
Your **proxied machine** in the internal virtual network should now receive an
IP address via DHCP:
{{< figure src="/transparent-vms/step2_proxied_vm.png" >}}
## 3. Redirect traffic to mitmproxy
To redirect traffic to mitmproxy, we need to enable IP forwarding and add two iptables
rules:
{{< highlight bash >}}
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 8080
{{< / highlight >}}
## 4. Run mitmproxy
Finally, we can run mitmproxy in transparent mode with
{{< highlight bash >}}
mitmproxy --mode transparent
{{< / highlight >}}
The proxied machine cannot to leak any data outside of HTTP or DNS requests. If
required, you can now [install the mitmproxy certificates on the proxied
machine]({{< relref "concepts-certificates" >}}).
|
