{"id":394,"date":"2015-09-11T15:11:59","date_gmt":"2015-09-11T14:11:59","guid":{"rendered":"http:\/\/www.nax.cz\/?p=394"},"modified":"2015-09-11T15:11:59","modified_gmt":"2015-09-11T14:11:59","slug":"transparent-proxy-running-on-localhost","status":"publish","type":"post","link":"https:\/\/nax.cz\/?p=394","title":{"rendered":"transparent proxy running on localhost"},"content":{"rendered":"<p>It is surprisingly hard to set up a transparent proxy running on localhost using iptables!<\/p>\n<p>Let&#8217;s suppose you have a Linux box with 2 interfaces, one connected to the local network and one to the internet.<\/p>\n<p>You run the proxy (for instance the great <a href=\"http:\/\/mitmproxy.org\/\" title=\"mitmproxy\" target=\"_blank\" rel=\"noopener\">mitmproxy<\/a>) like this:<\/p>\n<p><code>mitmproxy -b 127.0.0.1 -p 3128<\/code><\/p>\n<p>Then set up redirection using iptables for all passing traffic on port 80:<\/p>\n<p><code><br \/>\niptables -t nat -F<br \/>\niptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 127.0.0.1:3128<br \/>\niptables -t nat -A POSTROUTING -j MASQUERADE -o eth1<br \/>\nsysctl -w net.ipv4.conf.all.route_localnet=1<br \/>\necho 1 > \/proc\/sys\/net\/ipv4\/ip_forward<br \/>\n<\/code><\/p>\n<p>And it doesn&#8217;t work! Why?<\/p>\n<p>Because of security, as you can find out for instance <a href=\"http:\/\/unix.stackexchange.com\/questions\/152589\/is-it-possible-to-prevent-eth0-network-traffic-from-accessing-eth1-network\" title=\"here\" target=\"_blank\" rel=\"noopener\">here<\/a>. By default the kernel treats loopback addresses as martian when routing, so packets redirected from another interface to 127.0.0.1 are dropped unless route_localnet is enabled:<\/p>\n<p><code>sysctl -w net.ipv4.conf.all.route_localnet=1<\/code><\/p>\n<p>You can replace all with a specific Ethernet interface (like eth0), so that the relaxed check applies only to that interface.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It is surprisingly hard to set up a transparent proxy running on localhost using iptables! Let&#8217;s suppose you have a Linux box with 2 interfaces, one connected to the local network and one to the internet. 
You run the proxy (for instance the great mitmproxy) like this: mitmproxy -b 127.0.0.1 -p 3128 Then set up redirection using iptables for [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-394","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/posts\/394","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=394"}],"version-history":[{"count":0,"href":"https:\/\/nax.cz\/index.php?rest_route=\/wp\/v2\/posts\/394\/revisions"}],"wp:attachment":[{"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=394"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=394"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nax.cz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=394"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}