path: root/docs/tutorials/transparent-dhcp.rst
blob: ce285b6345827f9dc497b7f0a458454f3c61a8e4 (plain)
.. _transparent-dhcp:

Transparently proxify virtual machines
======================================

This walkthrough illustrates how to set up transparent proxying with mitmproxy.
We use VirtualBox VMs with an Ubuntu proxy machine in this example,
but the general *Internet <--> Proxy VM <--> (Virtual) Internal Network* setup can be applied to
other setups.

1. Configure Proxy VM
---------------------

On the proxy machine, **eth0** is connected to the internet. **eth1** is connected to the internal
network that will be proxified and is configured with a static IP address (192.168.3.1).

VirtualBox configuration
^^^^^^^^^^^^^^^^^^^^^^^^

.. image:: transparent-dhcp/step1_vbox_eth0.png

.. image:: transparent-dhcp/step1_vbox_eth1.png

VM Network Configuration
^^^^^^^^^^^^^^^^^^^^^^^^

.. image:: transparent-dhcp/step1_proxy.png
    :align: center

2. Configure DHCP and DNS
-------------------------

We use dnsmasq to provide DHCP and DNS in our internal network.
Dnsmasq is a lightweight server designed to provide DNS (and optionally
DHCP and TFTP) services to a small-scale network.

-   Before we get to that, we need to fix some Ubuntu quirks:
    **Ubuntu >12.04** runs an internal dnsmasq instance (listening on loopback only) by default
    `[1] <https://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/>`_. For our use case, this needs
    to be disabled by changing ``dns=dnsmasq`` to ``#dns=dnsmasq`` in
    **/etc/NetworkManager/NetworkManager.conf** and running

    >>> sudo restart network-manager

    afterwards.
-   Now, dnsmasq can be installed and configured:

    >>> sudo apt-get install dnsmasq

    Replace **/etc/dnsmasq.conf** with the following configuration:

    .. code-block:: none

        # Listen for DNS requests on the internal network
        interface=eth1
        # Act as a DHCP server, assign IP addresses to clients
        dhcp-range=192.168.3.10,192.168.3.100,96h
        # Broadcast gateway and dns server information
        dhcp-option=option:router,192.168.3.1
        dhcp-option=option:dns-server,192.168.3.1

    Apply changes:

    >>> sudo service dnsmasq restart

    Your **proxied machine** in the internal virtual network should now receive an IP address via DHCP:

    .. image:: transparent-dhcp/step2_proxied_vm.png

3. Redirect traffic to mitmproxy
--------------------------------

To redirect traffic to mitmproxy, we need to add two iptables rules:

.. code-block:: none

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 8080
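A misconfigured dnsmasq.conf (no ``interface=`` line, or a router/dns-server option pointing somewhere other than the proxy) silently breaks the transparent setup or exposes DNS/DHCP on the uplink. The following check is an added example, not part of the mitmproxy docs: it parses the configuration from steps 2 and 3 above and emits the iptables rules with a ``-C`` check so re-running them does not duplicate entries. The interface name, proxy IP and /24 netmask are taken from the tutorial; the helper names are the author's own.

```python
"""Sanity-check the tutorial's dnsmasq configuration and emit iptables redirect rules."""
import ipaddress

# Constructed sample: the /etc/dnsmasq.conf from step 2 of the tutorial.
SAMPLE_CONF = """\
# Listen for DNS requests on the internal network
interface=eth1
# Act as a DHCP server, assign IP addresses to clients
dhcp-range=192.168.3.10,192.168.3.100,96h
# Broadcast gateway and dns server information
dhcp-option=option:router,192.168.3.1
dhcp-option=option:dns-server,192.168.3.1
"""


def parse_dnsmasq(text):
    """Return key=value directives as a dict of lists (keys such as dhcp-option repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def check_config(text, internal_if="eth1", proxy_ip="192.168.3.1"):
    """Return a list of problems; an empty list means the config matches the setup."""
    conf = parse_dnsmasq(text)
    problems = []
    # Without interface= dnsmasq binds every interface, so DNS and DHCP would
    # also be served on the internet-facing eth0.
    if conf.get("interface") != [internal_if]:
        problems.append(f"interface should be exactly {internal_if}")
    options = dict(o.split(",", 1) for o in conf.get("dhcp-option", []) if "," in o)
    for opt in ("option:router", "option:dns-server"):
        if options.get(opt) != proxy_ip:  # clients must route and resolve via the proxy
            problems.append(f"{opt} must point at the proxy ({proxy_ip})")
    net = ipaddress.ip_interface(f"{proxy_ip}/24").network  # assumed /24 internal network
    for rng in conf.get("dhcp-range", []):
        start, end = rng.split(",")[:2]
        if not (ipaddress.ip_address(start) in net and ipaddress.ip_address(end) in net):
            problems.append(f"dhcp-range {start}-{end} is outside {net}")
    return problems


def redirect_rules(internal_if="eth1", proxy_port=8080, ports=(80, 443)):
    """Step 3 rules, guarded by -C so applying them twice does not duplicate entries."""
    tmpl = "iptables -t nat {v} PREROUTING -i {i} -p tcp --dport {p} -j REDIRECT --to-port {pp}"
    return [tmpl.format(v="-C", i=internal_if, p=p, pp=proxy_port) + " 2>/dev/null || "
            + tmpl.format(v="-A", i=internal_if, p=p, pp=proxy_port) for p in ports]
```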

4. Run mitmproxy
----------------

Finally, we can run mitmproxy in transparent mode with

>>> mitmproxy -T

The proxied machine cannot leak any data outside of HTTP or DNS requests.
If required, you can now :ref:`install the mitmproxy certificates on the proxied machine
<certinstall>`.