Transparent proxy on Mac OS X Lion with Fusion - macos

I have a Mac OS X (Lion) host with VMware Fusion installed. In Fusion I have two guests: a Linux and an MS Windows XP. The two guests' networking is configured to use NAT through the vmnet8 interface. Both boxes access the internet just fine by default.
My objective is to force all HTTP (tcp/80) traffic leaving the XP client to be redirected to the Linux client on the proxy port (tcp/8080). The XP client must not be aware of the redirection, so explicit proxy configuration in the XP browser is not an option.
I already tried this setup on a Linux host running VirtualBox. The iptables NAT rules did the trick just fine, but I'm completely lost on how to do this on a Mac, which is pf based.
I've been attempting to configure a complementary pf.conf (proxy.conf) file with just one line:
rdr on vmnet8 proto tcp from 192.168.190.138 to any port 80 -> 192.168.190.134 port 8080
Concerning the IPs: 192.168.190.138 is the XP guest and 192.168.190.134 is the Linux guest.
I then run the following pfctl commands:
$ sudo pfctl -vf ~/proxy.conf
No ALTQ support in kernel
ALTQ related functions disabled
rdr on vmnet8 inet proto tcp from 192.168.190.138 to any port = 80 -> 192.168.190.134 port 8080
and then:
$ sudo pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled
When I attempt to open a web page on the XP guest, pf doesn't redirect the traffic to the Linux box. For some reason the pf rule isn't working as expected, probably because something is missing...

Related

Can't ping device through hostname (and avahi installed) from pc

I need to ping and establish communication with an embedded device through its hostname. I'm using the latest buildroot and I enabled avahi and mDNS.
The first problem is that my hostname at startup is always buildroot, and the question is how to change my hostname through the avahi library and apply it immediately on the network.
Can someone help me to configure my device?

how to forward request to docker machine in local network in OSX

I am currently running a docker machine in my local network whose IP and port are 192.168.99.100:8080 right now. I want to connect to this machine from somewhere outside the local network and access it, so the best way I found is to NAT the requests sent to my laptop computer to the docker machine.
In other words, each request that has been sent to my laptop computer will be sent to the docker machine on its own IP and port!
I use pfctl to do this, but when I check port 8585 to find out which service is listening on it, I can't find anything, and it seems the requests do not reach the destination!
I did as below:
1- csrutil disable
2- my pf rule:
/etc/pf.anchors/mazafard:
rdr pass on en0 inet proto tcp from any to 192.168.20.203 port 8585 -> 192.168.99.100 port 8080
3- my pf conf:
/etc/pf-mazafard.conf
rdr-anchor "forwarding"
load anchor "forwarding" from "/etc/pf.anchors/mazafard"
and
sudo pfctl -vnf /etc/pf.anchors/mazafard
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
rdr pass on en0 inet proto tcp from any to 192.168.20.203 port = 8585 -> 192.168.99.100 port 8080
and
sudo pfctl -evf /etc/pf.anchors/mazafard
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
rdr pass on en0 inet proto tcp from any to 192.168.20.203 port = 8585 -> 192.168.99.100 port 8080
pfctl: pf already enabled
and
telnet 192.168.20.203 8585
Trying 192.168.20.203...
telnet: connect to address 192.168.20.203: Operation timed out
telnet: Unable to connect to remote host
My OSX v: 10.11.4
Docker version 1.9.1, build a34a1d5
Boot2Docker version 1.11.0-rc3, build

How to tunnel host traffic through guest in Virtualbox using Vagrant

I have an Ubuntu host and an Ubuntu guest. I want my host traffic to be tunnelled through my guest, enabling me to analyze the host traffic from the guest. I am assigning two interfaces to the guest (in addition to the built-in NAT interface provided by Vagrant). I am creating a bridge interface on the host called br0. One of the guest interfaces is bridged to eth0 (the host interface connected to the Internet) and the other guest interface is bridged to the host's br0 interface. On the host I am deleting my default gateway and adding a new one with:
route del default
route add default dev br0
After that I can vagrant ssh into my guest and set up a bridge interface there as well with:
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 eth2
After this setup the host traffic should be routed through the guest. If I run
tcpdump -vni br0
inside the guest I can see packets but I can't connect to the Internet. There is something missing. Any ideas?
I had to enable IPv4 forwarding in the guest.
Edit /etc/sysctl.conf to enable forwarding permanently:
net.ipv4.ip_forward = 1
Run this to activate the setting without a reboot:
sysctl -p /etc/sysctl.conf

Access Docker container running on OS X via boot2docker in Windows virtual machine

Overview:
Host: Mac OS X running boot2docker and Docker
Guest: Windows 7
The Problem:
For my web-development I have set up a docker container via boot2docker on OS X. Within OS X I can access my docker services via boot2docker.
Running boot2docker ip, I get:
The VM's Host only interface IP address is: 192.168.59.103
I am running a Django application on port 1234 (I have mapped the port 5000 on the docker image to port 1234 on my Mac) which I can access within OS X in an web-browser via the address 192.168.59.103:1234. Everything works fine in OS X.
Now I have to test the web stuff on IE, which is why I have downloaded IE8, IE10 and so forth via Microsoft's modern.IE website. As a result I have some more VirtualBox images, which run Windows 7 and come with the appropriate IE version.
The question is now how to access the Docker container in those Windows instances to test it under several IE versions.
What I have done so far:
Idea 1
To access the Django application I have looked up my local IP address and tried to access it via NAT in the Windows guests. Given my local IP address 192.168.178.24, I have tried to access 192.168.178.24:1234 from Windows. Although I can ping 192.168.178.24 from Windows, I only get a timeout on port 1234.
Idea 2
Boot2docker runs a VirtualBox machine called boot2docker-vm. It comes with two network adapters, NAT and a host-only adapter called vboxnet0. The latter has the address 192.168.59.3 (which is the one boot2docker ip returns) with the network mask 255.255.255.0. It runs a DHCP server on server address 192.168.59.99 which hands out addresses from 192.168.59.103-254.
I have added a second network adapter to my Windows guest systems which can also access the network vboxnet0 via a host-only adapter. When connected to the network, the Windows machines get a valid IP and can ping the IP 192.168.59.103. But I cannot connect to my Django instance on port 1234. If I try to call 192.168.59.103:1234 within Windows, I get a timeout.
Why is it not possible to connect to the Django instance? Can you help me? Thanks in advance.
I have found a solution to my problem here.
To get access to the Django instance I had to open the port on the boot2docker-vm machine.
This can be done either via boot2docker-vm → Settings → Network → Adapter 1 (NAT) → Port Forwarding, adding a new rule where Host IP and Guest IP can be left empty and Host Port and Guest Port should be set to 1234.
Another way to do so is to execute the following command on the command line:
VBoxManage modifyvm "boot2docker-vm" --natpf1 "tcp-port1234,tcp,,1234,,1234";
Of course this needs to be done for all ports, if more than one port is being used.

Trouble setting up port forwarding for transparent proxy on Mac OS X

I'm trying to set up a transparent proxy on my Mac OS X Lion (10.7.5), so I can use mitmproxy (to intercept SSL traffic from android applications). I followed the steps in the mitmproxy docs for setting up port forwarding with pf on Mac OS X, and they all went without any errors:
$ sudo sysctl -w net.inet.ip.forwarding=1
Password:
net.inet.ip.forwarding: 0 -> 1
$ sudo pfctl -f pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
$ sudo pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
But it doesn't seem to have had any effect. When I go to websites in my browser, it makes a direct request, and doesn't go through the port I specified. Here is the pf.conf file (en1 is my wifi):
rdr on en1 inet proto tcp to any port 80 -> 127.0.0.1 port 4500
rdr on en1 inet proto tcp to any port 443 -> 127.0.0.1 port 4500
Thanks for stopping by the IRC channel today. I've tracked this down, and the basic issue is that the rdr rules apply to inbound traffic. This means that they will NOT redirect traffic coming from the box itself. If you think about it, this is inevitable: we can't distinguish between an outbound connection from a non-mitmproxy app, and an outbound connection from mitmproxy itself. We can use route-to to send the traffic to lo0 and then redirect it, but that causes an infinite loop where mitmproxy's own outbound connections are also redirected back to mitmproxy.
Because I know a bit about your use case, I would suggest exploring ways to do this with VirtualBox. A plan of attack would be to set the VirtualBox network up in bridge mode, and then use a pf rule with a match on the source address to redirect traffic to mitmproxy. That should do what you want, and not cause singularities in time and space due to infinite redirection.
Please drop by the IRC channel again if you need a further hand with this.
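An added example, not code from the question or from any of the answers: it puts the answer's advice into a loadable pf anchor for the two setups on this page, a guest redirected to a proxy on another guest (the first question's vmnet8, 192.168.190.138 -> 192.168.190.134:8080) and a device redirected to mitmproxy on the host (127.0.0.1). The rdr rule is restricted to the client's source address, so only packets arriving on the interface from that client are translated and the proxy's own outbound connections never match. The rules are loaded into a named anchor instead of replacing the main ruleset with pfctl -f, which is what the "could result in flushing of rules present in the main ruleset" warning in the second question refers to. The anchor name "tproxy", the path /etc/pf.anchors/tproxy, the interface names and addresses are assumptions; it must run as root on macOS, and it assumes the host's pf actually sees the client's packets on the named interface.

```shell
#!/bin/sh
# Added example (not from the question or the answers): build a pf anchor
# that transparently redirects one client's HTTP/HTTPS traffic to a proxy
# and load it as a named anchor. Anchor name, file path, interface and
# addresses are assumptions; run as root on macOS.
set -eu

ANCHOR=tproxy                         # assumed anchor name
ANCHOR_FILE=/etc/pf.anchors/$ANCHOR   # assumed path

# Print the anchor body. "rdr pass" both translates and passes the matching
# inbound packet. The "from $client" restriction is the point made in the
# answer above: only packets arriving on $iface from that client are
# translated, so the proxy's (and the host's) own outbound connections never
# match and cannot be looped back into the proxy.
gen_pf_rules() {
    iface=$1
    client=$2
    proxy=$3
    proxy_port=$4
    cat <<EOF
# translate $client's web traffic arriving on $iface to the proxy
rdr pass on $iface inet proto tcp from $client to any port { 80, 443 } -> $proxy port $proxy_port
EOF
}

# Parse, load into the anchor, enable pf and forwarding, then verify that the
# main ruleset actually evaluates the anchor: without an rdr-anchor line in
# /etc/pf.conf the translation rules are loaded but never consulted.
install_pf_rules() {
    gen_pf_rules "$@" > "$ANCHOR_FILE"
    pfctl -a "$ANCHOR" -nf "$ANCHOR_FILE"      # -n: syntax check only
    pfctl -a "$ANCHOR" -f "$ANCHOR_FILE"       # load into the anchor, not the main ruleset
    pfctl -e 2>/dev/null || true               # "pf already enabled" is not an error
    sysctl -w net.inet.ip.forwarding=1         # the host forwards on behalf of the client
    if ! pfctl -s nat 2>/dev/null | grep -q "rdr-anchor \"$ANCHOR\""; then
        echo "main ruleset lacks:  rdr-anchor \"$ANCHOR\"  (add it to /etc/pf.conf, then pfctl -f /etc/pf.conf)" >&2
        exit 1
    fi
    pfctl -a "$ANCHOR" -s nat                  # show what is really loaded
}

# usage (as root):
#   sh tproxy.sh install vmnet8 192.168.190.138 192.168.190.134 8080   # proxy on another guest
#   sh tproxy.sh install en1 192.168.1.50 127.0.0.1 8080              # mitmproxy on this host
#   sh tproxy.sh show en1 192.168.1.50 127.0.0.1 8080                 # just print the rules
case "${1:-}" in
    install) shift; install_pf_rules "$@" ;;
    show)    shift; gen_pf_rules "$@" ;;
esac
```

After loading, a connection from the client to any port 80 or 443 destination should appear in pfctl -s state as a translated entry, and the proxy must listen on the redirected port (mitmproxy with -T and the matching -p) before the client is sent through it.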
Did you try net.inet.ip.scopedroute=0? From http://lucumr.pocoo.org/2013/1/6/osx-wifi-proxy/:
Now currently if you finish that above setup you will notice that nothing actually works. The cause for this is a bug in the OS X kernel that requires flipping the net.inet.ip.scopedroute flag to 0. I am not entirely sure what it does, but the internet reports that it breaks network sharing through the user preferences. In any case it fixes ipfw based forwarding so you can flip it with sysctl:
$ sudo sysctl -w net.inet.ip.scopedroute=0
Unfortunately in OS X Lion this flag can actually not be flipped from userspace so you need to set it as a boot parameter and then restart your computer. You can do this by editing the /Library/Preferences/SystemConfiguration/com.apple.Boot.plist file
(continued...)
You are using port 4500 instead of the default port 8080.
Do you start mitmproxy with the port specified? mitmproxy -T --host -p 4500
Did you follow the steps to set the certificate in the Android device? http://mitmproxy.org/doc/certinstall/android.html
Another problem could be the gateway on your android phone: Preferences - Wifi - Hold on the network you are using - Edit network - Advanced options - Set as gateway the ip of your machine with mitmproxy.
By the way, I get the same warning about ALTQ functions, but it works.