This article covers what to do when port forwarding for a transparent proxy cannot be set up on Mac OS X.

Problem description

I'm trying to set up a transparent proxy on my Mac OS X Lion (10.7.5), so I can use mitmproxy (to intercept SSL traffic from android applications). I followed the steps in the mitmproxy docs for setting up port forwarding with pf on Mac OS X, and they all went without any errors:

$ sudo sysctl -w net.inet.ip.forwarding=1
Password:
net.inet.ip.forwarding: 0 -> 1

$ sudo pfctl -f pf.conf
No ALTQ support in kernel
ALTQ related functions disabled

$ sudo pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled

But it doesn't seem to have had any effect. When I go to websites in my browser, it makes a direct request, and doesn't go through the port I specified. Here is the pf.conf file (en1 is my wifi):

rdr on en1 inet proto tcp to any port 80 -> 127.0.0.1 port 4500
rdr on en1 inet proto tcp to any port 443 -> 127.0.0.1 port 4500

Recommended answer

Thanks for stopping by the IRC channel today. I've tracked this down, and the basic issue is that the rdr rules apply to inbound traffic. This means that they will NOT redirect traffic coming from the box itself. If you think about it, this is inevitable: we can't distinguish between an outbound connection from a non-mitmproxy app, and an outbound connection from mitmproxy itself. We can use route-to to send the traffic to lo0 and then redirect it, but that causes an infinite loop where mitmproxy's own outbound connections are also redirected back to mitmproxy.

Because I know a bit about your use case, I would suggest exploring ways to do this with VirtualBox. A plan of attack would be to set the VirtualBox network up in bridge mode, and then use a pf rule with a match on the source address to redirect traffic to mitmproxy. That should do what you want, and not cause singularities in time and space due to infinite redirection.

Please drop by the IRC channel again if you need a further hand with this.
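
The source-address match suggested in the answer, written out as a pf.conf (an added example, not part of the original answer). The interface en1 and port 4500 come from the question; the guest address 192.168.1.50 is a constructed placeholder, and the example assumes the bridged guest uses the Mac's en1 address as its default gateway so that its packets arrive inbound on en1.

```conf
# pf.conf -- added example, not from the original answer.
# en1 and port 4500 come from the question; guest_ip is a constructed
# placeholder for the bridged VirtualBox guest's address.
ext_if     = "en1"
guest_ip   = "192.168.1.50"   # assumption: replace with the guest's real address
proxy_port = "4500"

# Rules from the question, kept for comparison. rdr only acts on inbound
# packets, so connections opened on the Mac itself never match them:
# rdr on en1 inet proto tcp to any port 80  -> 127.0.0.1 port 4500
# rdr on en1 inet proto tcp to any port 443 -> 127.0.0.1 port 4500

# Source-matched rules: only traffic arriving on en1 from the guest is
# redirected. mitmproxy's own upstream connections originate on the Mac,
# are not inbound from guest_ip, and so are never looped back into the proxy.
rdr on $ext_if inet proto tcp from $guest_ip to any port 80  -> 127.0.0.1 port $proxy_port
rdr on $ext_if inet proto tcp from $guest_ip to any port 443 -> 127.0.0.1 port $proxy_port

# Checks around loading the file:
#   sudo pfctl -nf pf.conf   # parse only, load nothing
#   sudo pfctl -f pf.conf    # load the rules
#   sudo pfctl -s nat        # list the rdr rules pf currently holds
```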
