
My goal is to transparently proxy all HTTP requests from a single IP (my laptop, 192.168.1.134) on my LAN to an external IP (internet VPS, let's say X.X.X.X) running a proxy server (specifically mitmproxy running in transparent mode), listening on port 80.

My home LAN is powered by an ASUS RT-N66U router running the Asuswrt-Merlin firmware. The router has IP 192.168.1.1 and is the default gateway of every device on my network. To forward the traffic, I've ssh'd into my router and run the following iptables commands:

iptables -t nat -A PREROUTING -s 192.168.1.134 -p tcp --dport 80 -j DNAT --to X.X.X.X:80
iptables -t nat -A POSTROUTING -j MASQUERADE

Additionally, IP forwarding is enabled on my router:

admin@RT-N66U:/tmp/home/root# cat /proc/sys/net/ipv4/ip_forward
1

This results in something, but it's not what I'm expecting. From 192.168.1.134 (my laptop), when I do a simple HTTP request (e.g. curl http://example.com), I can see in my proxy's event log that mitmproxy reports a client has connected (using the NAT'd public IP of my router, issued by my ISP), however that's about as far as it gets. It never goes any further than that and my curl command just waits. Eventually I see "Connection reset by peer" in my proxy's log and the connection is closed.

Any help would be appreciated. I must admit, I'm not very proficient with iptables.

ccampo
  • Probably because mitmproxy in transparent mode is expected to run on the router, so it receives specific information from iptables (see http://docs.mitmproxy.org/en/latest/transparent/linux.html). This won't work if the redirection happens before: destination is lost. OR you just have to "do things" with mitmproxy (edit, accept ...) – A.B Oct 14 '17 at 22:07
  • @A.B I should note that I successfully got this to work when the proxy box is on the LAN, e.g. a Raspberry PI. It has something to do with the proxy box being on the WAN. – ccampo Oct 16 '17 at 16:06
  • I stand by what I said. http://docs.mitmproxy.org/en/latest/howmitmproxy.html#transparent-http quoting: "The first is a redirection mechanism that transparently reroutes a TCP connection destined for a server on the Internet to a listening proxy server. This usually takes the form of a **firewall on the same host as the proxy server** - iptables on Linux" and "The routing mechanism that has performed the redirection **keeps track of the original destination for us**". This information was lost. You can get it to work with a tunnel between your gw and mitmproxy and redirect only on the proxy. – A.B Oct 16 '17 at 17:42
  • By the way, the modern method is to use TPROXY, REDIRECT stays acceptable (that's what mitmproxy is expecting so no other choice) and DNAT can't work at all: the original destination is lost outside of the fw/router. – A.B Oct 16 '17 at 17:53
  • @A.B not sure if you're following what I'm saying but I got transparent mode to work when the proxy was on another box besides the router, just within the LAN. See the example: https://gist.github.com/ccampo133/755b45e966dc736f71137e049ed5f0c8 Forget mitmproxy, forget transparent mode even... forget all the mitm specific details. Let's talk reverse proxy. It can be nginx. The point is it still doesn't work if the proxy is on the WAN rather than the LAN, and I want to know if it's possible to get it working. – ccampo Oct 17 '17 at 22:17
  • `ip route add default via 192.168.1.139 dev br0 table 2` doesn't lose the destination IP. `iptables -t nat -A PREROUTING -s 192.168.1.134 -p tcp --dport 80 -j DNAT --to X.X.X.X:80` does. Both redirect to the proxy. The first keeps the original destination IP and the proxy knows where to continue its work, the second doesn't, the proxy has no clue what to do next. The best it can do for HTTP is to resolve the Host header: slow and unreliable for mitm. So OK, you can have the redirection done elsewhere, but the proxy has to be the router's nexthop. With a tunnel to the proxy it's still possible. – A.B Oct 17 '17 at 23:06
  • I don't know for nginx, but I think squid in accel mode will work for HTTP with your current setting (by resolving the Host header). – A.B Oct 17 '17 at 23:28
  • So do you concur? – A.B Oct 19 '17 at 20:23
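The two ways a transparent proxy can learn where the client was really going, as the comments above describe them, in an added Python example that is not from the question, from mitmproxy or from the gist: the kernel's conntrack record (only present when REDIRECT/TPROXY ran on the proxy host itself) versus the Host-header fallback. The constant SO_ORIGINAL_DST = 80 is taken from <linux/netfilter_ipv4.h>; the sample request and sockaddr_in blobs are constructed here.

```python
import socket
import struct

# From <linux/netfilter_ipv4.h>; the Python socket module does not export it.
SO_ORIGINAL_DST = 80

def make_sockaddr_in(ip, port):
    """Build the 16-byte struct sockaddr_in the kernel returns (constructed
    sample input for the parser below): family in host order, port and
    address in network order, then 8 bytes of zero padding."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))

def parse_sockaddr_in(raw):
    """Decode a sockaddr_in blob into (dotted_ip, port)."""
    if len(raw) < 8 or struct.unpack_from("=H", raw, 0)[0] != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr_in")
    port = struct.unpack_from("!H", raw, 2)[0]
    return socket.inet_ntoa(raw[4:8]), port

def original_destination(conn):
    """What REDIRECT/TPROXY on the same host preserves: conntrack's record of
    where the client was really going. After a DNAT done on another box (the
    router in the question) this kernel has no such record, the call fails
    and the proxy is left not knowing where to connect."""
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None
    return parse_sockaddr_in(raw)

def host_header_destination(request_head, default_port=80):
    """Fallback for plain HTTP only: trust the client's Host header. Slower,
    forgeable and useless for TLS, as the comments note. Assumes a hostname
    or IPv4 literal (no bracketed IPv6 form)."""
    for line in request_head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host, _, port = value.strip().decode("ascii", "replace").partition(":")
            if not host:
                return None
            return host, int(port) if port.isdigit() else default_port
    return None

def resolve_target(conn, request_head):
    """Prefer the kernel's answer; fall back to the Host header only if absent."""
    return original_destination(conn) or host_header_destination(request_head)
```

Run on a real accepted socket behind a same-host `-j REDIRECT` rule, `original_destination` returns the client's intended server; behind the router-side DNAT from the question it returns None and only the Host header is left.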

0 Answers