From fbfedbdc8f02bc36191d3fbf0f5cb7756331c89d Mon Sep 17 00:00:00 2001 From: smill Date: Sun, 4 Sep 2016 01:30:27 +0000 Subject: Improved error-handling / supplemented documention. --- docs/transparent.rst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'docs') diff --git a/docs/transparent.rst b/docs/transparent.rst index eb77c76c..dc41f40f 100644 --- a/docs/transparent.rst +++ b/docs/transparent.rst @@ -1,5 +1,6 @@ .. _transparent: +==================== Transparent Proxying ==================== @@ -20,5 +21,20 @@ destination of the TCP connection. At the moment, mitmproxy supports transparent proxying on OSX Lion and above, and all current flavors of Linux. +Fully transparent mode +======= +By default mitmproxy will use its own local ip address for its server-side connections. +In case this isn't desired, the --spoof-source-address argument can be used to +use the client's ip address for server-side connections. + +This mode does require root privileges though. There's a wrapper in the examples directory +called 'mitmproxy_shim.c', which will enable you to use this mode with dropped priviliges. +It can be used as follows: + +gcc examples/mitmproxy_shim.c -o mitmproxy_shim -lcap +sudo chown root:root mitmproxy_shim +sudo chmod u+s mitmproxy_shim +./mitmproxy_shim $(which mitmproxy) -T --spoof-source-address + .. _iptables: http://www.netfilter.org/ .. _pf: https://en.wikipedia.org/wiki/PF_\(firewall\) -- cgit v1.2.3 From fad6ee6437f89c0b9e914e509b93e97471af9ed6 Mon Sep 17 00:00:00 2001 From: smill Date: Mon, 5 Sep 2016 14:19:08 +0000 Subject: Improved the documentation. --- docs/transparent.rst | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) (limited to 'docs') diff --git a/docs/transparent.rst b/docs/transparent.rst index dc41f40f..7860238e 100644 --- a/docs/transparent.rst +++ b/docs/transparent.rst 
@@ -25,16 +25,28 @@ Fully transparent mode ======= By default mitmproxy will use its own local ip address for its server-side connections. In case this isn't desired, the --spoof-source-address argument can be used to -use the client's ip address for server-side connections. +use the client's ip address for server-side connections. The following config is +required for this mode to work: + + CLIENT_NET=192.168.1.0/24 + TABLE_ID=100 + MARK=1 + + echo "$TABLE_ID mitmproxy" >> /etc/iproute2/rt_tables + iptables -t mangle -A PREROUTING -d $CLIENT_NET -j MARK --set-mark $MARK + iptables -t nat -A PREROUTING -p tcp -s $CLIENT_NET --match multiport --dports 80,443 -j REDIRECT --to-port 8080 + + ip rule add fwmark $MARK lookup $TABLE_ID + ip route add local $CLIENT_NET dev lo table $TABLE_ID This mode does require root privileges though. There's a wrapper in the examples directory called 'mitmproxy_shim.c', which will enable you to use this mode with dropped priviliges. It can be used as follows: -gcc examples/mitmproxy_shim.c -o mitmproxy_shim -lcap -sudo chown root:root mitmproxy_shim -sudo chmod u+s mitmproxy_shim -./mitmproxy_shim $(which mitmproxy) -T --spoof-source-address + gcc examples/mitmproxy_shim.c -o mitmproxy_shim -lcap + sudo chown root:root mitmproxy_shim + sudo chmod u+s mitmproxy_shim + ./mitmproxy_shim $(which mitmproxy) -T --spoof-source-address .. _iptables: http://www.netfilter.org/ .. _pf: https://en.wikipedia.org/wiki/PF_\(firewall\) -- cgit v1.2.3 From 2d4e4eafe1545e9ac79c04fcfc48f198e85900aa Mon Sep 17 00:00:00 2001 From: smill Date: Thu, 15 Sep 2016 18:54:55 +0000 Subject: Fixed restructuredText error. --- docs/transparent.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/transparent.rst b/docs/transparent.rst index 7860238e..71b48595 100644 --- a/docs/transparent.rst +++ b/docs/transparent.rst 
@@ -22,7 +22,8 @@ At the moment, mitmproxy supports transparent proxying on OSX Lion and above, and all current flavors of Linux. Fully transparent mode -======= +====================== + By default mitmproxy will use its own local ip address for its server-side connections. In case this isn't desired, the --spoof-source-address argument can be used to use the client's ip address for server-side connections. The following config is -- cgit v1.2.3
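Review bot: The shim steps at the end of the added "Fully transparent mode" section (first commit, fbfedbdc) have the reader install a setuid-root binary with `sudo chown root:root mitmproxy_shim` and `sudo chmod u+s mitmproxy_shim`, but the text does not say which privileges the wrapper keeps before it runs the program passed as its argument, and the steps as written do not restrict who can run it. Please document what the wrapper retains and what it drops, and suggest limiting execute permission to a dedicated group. In the same hunk, the underline `=======` is shorter than the title "Fully transparent mode", the four commands are not in a literal block and will be reflowed into one paragraph, and "priviliges" should be "privileges".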
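Review bot: Both indented command blocks in the second commit (fad6ee64) follow a paragraph that ends in a single ":" ("required for this mode to work:" and "It can be used as follows:"), so reStructuredText renders them as block quotes rather than literal blocks; end those paragraphs with "::" so the commands are shown verbatim. The config block also needs a sentence explaining why the mangle rule matches `-d $CLIENT_NET` while the nat rule matches `-s $CLIENT_NET`, since that asymmetry is what the `ip rule` and `ip route ... dev lo` lines depend on. It would also help to state that these commands need root (the shim steps use `sudo`, these do not) and that `echo "$TABLE_ID mitmproxy" >> /etc/iproute2/rt_tables` appends another entry each time it is run.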