
By default, mitmproxy will use its own local IP address for its server-side connections. What I want instead is for mitmproxy to use the client's IP address for server-side connections.

The following config is supplied to make this work:

```sh
CLIENT_NET=192.168.1.0/24
TABLE_ID=100
MARK=1

# Name the routing table that will hold the local route for client addresses.
echo "$TABLE_ID     mitmproxy" >> /etc/iproute2/rt_tables
# Mark packets addressed to the client network (replies to the spoofed-source
# connections) so they can be policy-routed below.
iptables -t mangle -A PREROUTING -d $CLIENT_NET -j MARK --set-mark $MARK
# Divert the clients' HTTP/HTTPS to the mitmproxy listener.
iptables -t nat \
    -A PREROUTING -p tcp -s $CLIENT_NET \
    --match multiport --dports 80,443 -j \
    REDIRECT --to-port 8080

# Marked packets are looked up in the mitmproxy table, whose local route
# delivers them to this host (mitmproxy's socket) instead of forwarding them.
ip rule add fwmark $MARK lookup $TABLE_ID
ip route add local $CLIENT_NET dev lo table $TABLE_ID
```

Mitmproxy is listening on the router (192.168.178.40) on port 8080.

However, my setup consists of a custom Debian router with 2 NICs.

  • One internet-facing NIC, wlp2s0 (also used to SSH into it), with address 192.168.178.40
  • One NIC, enp4s0, set as the default gateway for the target client, at 10.0.0.1

The client connects to the default gateway with the address 10.0.0.12.

By default I use the following iptables rules to redirect my client traffic to port 8080:

```sh
sudo iptables -t nat -A PREROUTING -i enp4s0 -p tcp --dport 80 -j REDIRECT --to-port 8080
# Both ports go to the same mitmproxy listener on 8080 (the rule as posted read 8008, a typo).
sudo iptables -t nat -A PREROUTING -i enp4s0 -p tcp --dport 443 -j REDIRECT --to-port 8080
```

While this works as intended, I'd like to be able to spoof the client source address so that the HTTP(S) requests captured match the TCP packets and other traffic also coming from the client.

Here's a picture to visualize my setup because I am pretty horrible at explaining:

Transparent proxy setup.

Ghxst
  • Since the request comes from the mitmproxy host, it will have this host's IP, with the exception of some information regarding the original in the headers. – bluszcz Mar 07 '18 at 09:59
  • @bluszcz The idea is that mitmproxy can spoof the source address using --spoof-source-address. However, needed first is the above config, but I don't know how to adjust this to my 2 NIC setup. read more here: https://mitmproxy.org/docs/latest/howto-transparent/ – Ghxst Mar 07 '18 at 10:04
  • Right, did you follow all the docs from https://mitmproxy.org/docs/latest/howto-transparent/#linux-fully-transparent-mode ? Using root accounts and others? `./mitmproxy_shim $(which mitmproxy) -T --spoof-source-address` – bluszcz Mar 07 '18 at 10:12
  • @bluszcz I see now what the `mitmproxy_shim` is for. However, I am still not sure if there needs to be anything changed in the iptables config in order for me to spoof the correct client source (`10.0.0.x` instead of `192.168.178.x`) – Ghxst Mar 07 '18 at 10:27
  • What isn't clear to me is if this is actually an internet-facing router; i.e. is it performing NAT/why do you need to spoof the client's address? If there is NAT, the client's IP address as seen by websites will be the same as the router's IP address anyway. – multithr3at3d Dec 09 '19 at 00:06
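An added example, not from the question, the answers or the mitmproxy docs: the docs' fully transparent rule set rewritten for the two-NIC router described above. It assumes the addresses and interface names from the question (wlp2s0 at 192.168.178.40, enp4s0 at 10.0.0.1, clients in 10.0.0.0/24, mitmproxy on 8080), that the Debian box forwards without masquerading, and that the 192.168.178.0/24 side has a route for 10.0.0.0/24 via 192.168.178.40; without that return route the replies to spoofed-source connections never come back, and with masquerading the outside sees 192.168.178.40 anyway, as the last comment notes. Two departures from the docs snippet are this example's own choices: the REDIRECT is limited to the client-facing NIC, and the mark is limited to TCP replies from ports 80/443 arriving on the WAN NIC, so the `local` route in table 100 hands only mitmproxy's return traffic to the kernel and does not swallow replies to the client's other, forwarded flows (DNS, ICMP, other ports), which the unrestricted `-d $CLIENT_NET` mark would do on a router that sits on the return path. `DRY_RUN=1` (the default) prints the commands instead of running them; run with `DRY_RUN=0` as root to apply.

```shell
#!/bin/sh
# Added example: mitmproxy "fully transparent" rules for the two-NIC router in
# the question. All values are assumptions taken from the question text.
WAN_IF=${WAN_IF:-wlp2s0}              # internet-facing NIC, 192.168.178.40
LAN_IF=${LAN_IF:-enp4s0}              # client-facing NIC, default gateway 10.0.0.1
CLIENT_NET=${CLIENT_NET:-10.0.0.0/24} # clients such as 10.0.0.12
PROXY_PORT=${PROXY_PORT:-8080}        # mitmproxy listener
TABLE_ID=${TABLE_ID:-100}             # policy routing table for marked replies
MARK=${MARK:-1}
DRY_RUN=${DRY_RUN:-1}                 # 1 = print commands, 0 = execute as root

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

mitm_rules() {
    # Name the routing table once; skipped if an entry is already present.
    if ! grep -qs "mitmproxy" /etc/iproute2/rt_tables; then
        run sh -c "echo '$TABLE_ID mitmproxy' >> /etc/iproute2/rt_tables"
    fi

    # The box routes between the two NICs.
    run sysctl -w net.ipv4.ip_forward=1

    # Client HTTP and HTTPS arriving on the LAN NIC is diverted to mitmproxy.
    # Both ports go to the same listener.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$CLIENT_NET" \
        -m multiport --dports 80,443 -j REDIRECT --to-port "$PROXY_PORT"

    # With --spoof-source-address mitmproxy's server-side connections carry the
    # client's source IP, so replies come back on the WAN NIC addressed to the
    # client. Mark only those (TCP from 80/443) so that the local route below
    # hands them to mitmproxy's socket, while replies to the client's other,
    # forwarded traffic (DNS, ICMP, other ports) keep being forwarded.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p tcp -d "$CLIENT_NET" \
        -m multiport --sports 80,443 -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" lookup "$TABLE_ID"
    run ip route add local "$CLIENT_NET" dev lo table "$TABLE_ID"
}

mitm_rules

# Then start mitmproxy as root through the shim from the docs, as in the
# comments above: ./mitmproxy_shim $(which mitmproxy) -T --spoof-source-address
```

The interface and port restrictions on the mark rule are the part worth checking on your own box: run with `DRY_RUN=1`, read the printed rules, then confirm after applying them that a plain `ping` or DNS lookup from 10.0.0.12 still works, which is exactly what the unrestricted mark breaks.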

2 Answers


By default mitmproxy will use its own local IP address for its server-side connections. What I want instead is for mitmproxy to use the client's IP address for server-side connections.

On most setups (attacked host and attacker host on the same LAN, both behind an internet router, destination site on the Internet), your problem is not really a problem, basically because the internet host will always see your internet router's public address.

The only setup where it's a problem is if the destination site is on the same LAN. In this case, as already said by @antonio-zunic, the only way to achieve this is by doing ARP-spoofing.

binarym

You cannot use the client's IP: a proxy is an intermediary device/software that the client asks for data. The client asks the proxy to contact the server, and the proxy contacts the server. If you want to bypass the client configuration for the proxy you have to use the arpspoof command (`arpspoof -i -t -r`); using this you don't have to route your traffic to the proxy via the router.