diff options
Diffstat (limited to 'docs/transparent')
| -rw-r--r-- | docs/transparent/linux.rst | 49 | ||||
| -rw-r--r-- | docs/transparent/openbsd.rst | 53 | ||||
| -rw-r--r-- | docs/transparent/osx.rst | 69 |
3 files changed, 0 insertions, 171 deletions
diff --git a/docs/transparent/linux.rst b/docs/transparent/linux.rst deleted file mode 100644 index 14f6a165..00000000 --- a/docs/transparent/linux.rst +++ /dev/null @@ -1,49 +0,0 @@ -.. _linux: - -Linux -===== - -On Linux, mitmproxy integrates with the iptables redirection mechanism to -achieve transparent mode. - - 1. :ref:`Install the mitmproxy certificate on the test device <certinstall>` - - 2. Enable IP forwarding: - - >>> sysctl -w net.ipv4.ip_forward=1 - >>> sysctl -w net.ipv6.conf.all.forwarding=1 - - You may also want to consider enabling this permanently in ``/etc/sysctl.conf`` or newly created ``/etc/sysctl.d/mitmproxy.conf``, see `here <https://superuser.com/a/625852>`__. - - 3. If your target machine is on the same physical network and you configured it to use a custom - gateway, disable ICMP redirects: - - >>> sysctl -w net.ipv4.conf.all.send_redirects=0 - - You may also want to consider enabling this permanently in ``/etc/sysctl.conf`` or a newly created ``/etc/sysctl.d/mitmproxy.conf``, see `here <https://superuser.com/a/625852>`__. - - 4. Create an iptables ruleset that redirects the desired traffic to the - mitmproxy port. Details will differ according to your setup, but the - ruleset should look something like this: - - .. code-block:: none - - iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 - iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080 - ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 - ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080 - - You may also want to consider enabling this permanently with the ``iptables-persistent`` package, see `here <http://www.microhowto.info/howto/make_the_configuration_of_iptables_persistent_on_debian.html>`__. - - 5. Fire up mitmproxy. You probably want a command like this: - - >>> mitmproxy -T --host - - The ``-T`` flag turns on transparent mode, and the ``--host`` - argument tells mitmproxy to use the value of the Host header for URL display. - - 6. Finally, configure your test device to use the host on which mitmproxy is - running as the default gateway. - - -For a detailed walkthrough, have a look at the :ref:`transparent-dhcp` tutorial. diff --git a/docs/transparent/openbsd.rst b/docs/transparent/openbsd.rst deleted file mode 100644 index 3d315f7c..00000000 --- a/docs/transparent/openbsd.rst +++ /dev/null @@ -1,53 +0,0 @@ -.. _openbsd: - -OpenBSD -======= - - 1. :ref:`Install the mitmproxy certificate on the test device <certinstall>` - - 2. Enable IP forwarding: - - >>> sudo sysctl -w net.inet.ip.forwarding=1 - - 3. Place the following two lines in **/etc/pf.conf**: - - .. code-block:: none - - mitm_if = "re2" - pass in quick proto tcp from $mitm_if to port { 80, 443 } divert-to 127.0.0.1 port 8080 - - These rules tell pf to divert all traffic from ``$mitm_if`` destined for - port 80 or 443 to the local mitmproxy instance running on port 8080. You - should replace ``$mitm_if`` value with the interface on which your test - device will appear. - - 4. Configure pf with the rules: - - >>> doas pfctl -f /etc/pf.conf - - 5. And now enable it: - - >>> doas pfctl -e - - 6. Fire up mitmproxy. You probably want a command like this: - - >>> mitmproxy -T --host - - The ``-T`` flag turns on transparent mode, and the ``--host`` - argument tells mitmproxy to use the value of the Host header for URL display. - - 7. Finally, configure your test device to use the host on which mitmproxy is - running as the default gateway. - -.. note:: - - Note that the **divert-to** rules in the pf.conf given above only apply to - inbound traffic. **This means that they will NOT redirect traffic coming - from the box running pf itself.** We can't distinguish between an outbound - connection from a non-mitmproxy app, and an outbound connection from - mitmproxy itself - if you want to intercept your traffic, you should use an - external host to run mitmproxy. Nonetheless, pf is flexible to cater for a - range of creative possibilities, like intercepting traffic emanating from - VMs. See the **pf.conf** man page for more. - -.. _pf: http://man.openbsd.org/OpenBSD-current/man5/pf.conf.5 diff --git a/docs/transparent/osx.rst b/docs/transparent/osx.rst deleted file mode 100644 index 5d4ec612..00000000 --- a/docs/transparent/osx.rst +++ /dev/null @@ -1,69 +0,0 @@ -.. _osx: - -OSX -=== - -OSX Lion integrated the pf_ packet filter from the OpenBSD project, -which mitmproxy uses to implement transparent mode on OSX. -Note that this means we don't support transparent mode for earlier versions of OSX. - - 1. :ref:`Install the mitmproxy certificate on the test device <certinstall>` - - 2. Enable IP forwarding: - - >>> sudo sysctl -w net.inet.ip.forwarding=1 - - 3. Place the following two lines in a file called, say, **pf.conf**: - - .. code-block:: none - - rdr on en0 inet proto tcp to any port {80, 443} -> 127.0.0.1 port 8080 - - These rules tell pf to redirect all traffic destined for port 80 or 443 - to the local mitmproxy instance running on port 8080. You should - replace ``en2`` with the interface on which your test device will appear. - - 4. Configure pf with the rules: - - >>> sudo pfctl -f pf.conf - - 5. And now enable it: - - >>> sudo pfctl -e - - 6. Configure sudoers to allow mitmproxy to access pfctl. Edit the file - **/etc/sudoers** on your system as root. Add the following line to the end - of the file: - - .. code-block:: none - - ALL ALL=NOPASSWD: /sbin/pfctl -s state - - Note that this allows any user on the system to run the command - ``/sbin/pfctl -s state`` as root without a password. This only allows - inspection of the state table, so should not be an undue security risk. If - you're special feel free to tighten the restriction up to the user running - mitmproxy. - - 7. Fire up mitmproxy. You probably want a command like this: - - >>> mitmproxy -T --host - - The ``-T`` flag turns on transparent mode, and the ``--host`` - argument tells mitmproxy to use the value of the Host header for URL display. - - 8. Finally, configure your test device to use the host on which mitmproxy is - running as the default gateway. - -.. note:: - - Note that the **rdr** rules in the pf.conf given above only apply to inbound - traffic. **This means that they will NOT redirect traffic coming from the box - running pf itself.** We can't distinguish between an outbound connection from a - non-mitmproxy app, and an outbound connection from mitmproxy itself - if you - want to intercept your OSX traffic, you should use an external host to run - mitmproxy. Nonetheless, pf is flexible to cater for a range of creative - possibilities, like intercepting traffic emanating from VMs. See the - **pf.conf** man page for more. - -.. _pf: https://en.wikipedia.org/wiki/PF_\(firewall\) |