I want to route all packets heading for ports 80 and 443 to the privoxy running on my machine on its default port 8118.
These are the interfaces on the Kali rolling host:
$ ifconfig
anbox0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.250.1 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 fe80::fcdb:53ff:fec0:b36d prefixlen 64 scopeid 0x20<link>
ether fe:db:53:c0:b3:6d txqueuelen 1000 (Ethernet)
RX packets 646 bytes 112814 (110.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 600 bytes 169509 (165.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 5922 bytes 2008201 (1.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5922 bytes 2008201 (1.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethYJLBI5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::fcdb:53ff:fec0:b36d prefixlen 64 scopeid 0x20<link>
ether fe:db:53:c0:b3:6d txqueuelen 1000 (Ethernet)
RX packets 646 bytes 121858 (119.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 594 bytes 168453 (164.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.33 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::72ab:1008:cd82:a1d7 prefixlen 64 scopeid 0x20<link>
ether 4c:34:88:82:3c:69 txqueuelen 1000 (Ethernet)
RX packets 22127 bytes 13917224 (13.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21269 bytes 3952700 (3.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions
These are Anbox LXC container interfaces:
x86_64:/ $ ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope: Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:604 TX bytes:604
eth0 Link encap:Ethernet HWaddr 9e:df:8e:10:d0:a7
inet addr:192.168.250.2 Bcast:192.168.250.255 Mask:255.255.255.0
inet6 addr: fe80::9cdf:8eff:fe10:d0a7/64 Scope: Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:616 errors:0 dropped:0 overruns:0 frame:0
TX packets:674 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:170907 TX bytes:123976
x86_64:/ $
This is what I have done:
Anbox Port forwarding
su
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.250.1:8118
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 192.168.250.1:8118
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
Anbox iptables result
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.250.1:8118
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.250.1:8118
DNAT tcp -- anywhere anywhere tcp dpt:https to:192.168.250.1:8118
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE tcp -- anywhere anywhere tcp dpt:http
MASQUERADE tcp -- anywhere anywhere tcp dpt:https
Kali Linux Host
sudo sysctl -w net.ipv4.conf.all.route_localnet=1
sudo iptables \
-t nat \
-A PREROUTING \
-i anbox0 \
-s 192.168.250.2 \
-d 192.168.250.1 \
-p tcp \
-j DNAT \
--dport 8118 \
--to-destination 127.0.0.1:8118
Kali Linux host iptables result
$ sudo iptables -t nat -L
[sudo] password for devilfromir:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 192.168.250.2 lonelySoul tcp dpt:8118 to:127.0.0.1:8118
DNAT tcp -- 192.168.250.2 lonelySoul tcp dpt:8118 to:127.0.0.1:8118
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.250.0/24 !192.168.250.0/24 /* managed by anbox-bridge */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Problem
I can see packets coming to localhost through the anbox0 interface using tcpdump:
sudo tcpdump -i anbox0 -A tcp port 8118 -vv
but I can't see packets going through privoxy running on 127.0.0.1:8118:
sudo tcpdump -i lo -A tcp port 8118 -vv
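Both nat listings above show the same DNAT rule twice (once in the container's OUTPUT chain, once in the host's PREROUTING chain), which is what happens when the commands are re-run: `iptables -A` appends unconditionally. The script below is an added example, not code from the original post. It wraps rule insertion in an `iptables -C` check so re-running a setup script cannot stack duplicates, and adds a small checker that flags repeated rules in `iptables-save` output. The `add_rule_once` helper, the `IPTABLES` variable and the sample `iptables-save` text (constructed to mirror the container rules shown above) are all assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): idempotent nat rule insertion
# plus a duplicate-rule check for iptables-save output.
set -u

# Binary to use; overridable so the logic can be exercised without root.
IPTABLES="${IPTABLES:-iptables}"

# add_rule_once <table> <chain> <rule-spec...>
# Appends the rule only if an identical rule is not already in the chain.
# The -C check needs the same privileges as -A (run as root / via sudo).
add_rule_once() {
    local table="$1" chain="$2"
    shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0            # identical rule already present: nothing to do
    fi
    "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# find_duplicate_rules
# Reads iptables-save formatted text on stdin and prints each "-A ..." rule
# that occurs more than once (one line per duplicated rule).
find_duplicate_rules() {
    grep '^-A ' | sort | uniq -d
}

# count_duplicate_rules
# Same input as above; prints the number of distinct duplicated rules.
count_duplicate_rules() {
    find_duplicate_rules | wc -l | tr -d ' '
}

# Constructed sample mirroring the container's nat table from the post,
# including the doubled --dport 80 DNAT rule. This is test data, not real
# captured output.
SAMPLE_NAT_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.250.1:8118
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.250.1:8118
-A OUTPUT -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.250.1:8118
-A POSTROUTING -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -p tcp -m tcp --dport 443 -j MASQUERADE
COMMIT'

# Stand-alone run: report duplicates in the sample. On a real host, replace
# the sample with:  sudo iptables-save -t nat | find_duplicate_rules
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NAT_SAVE" | find_duplicate_rules
    # To (re)apply the container rules idempotently, as root:
    #   add_rule_once nat OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.250.1:8118
    #   add_rule_once nat OUTPUT -p tcp --dport 443 -j DNAT --to-destination 192.168.250.1:8118
    #   add_rule_once nat POSTROUTING -p tcp --dport 80 -j MASQUERADE
    #   add_rule_once nat POSTROUTING -p tcp --dport 443 -j MASQUERADE
fi
```

Running `iptables-save -t nat | find_duplicate_rules` on the host after each attempt is a quick way to confirm that a rule was added exactly once; a non-empty result means an earlier copy of the rule is still matching traffic ahead of whatever was changed later.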