How can I prevent a redirect loop with iptables when running a local forward proxy?

I’m trying to forward outgoing traffic to a forward proxy called mitmproxy running on my machine. I’ve tried the following two approaches (see below), one using TTL and one setting a mark. Unfortunately, both approaches create a network loop. The mitmproxy docs recommend creating a separate user for mitmproxy and filtering traffic based on user, but I’m looking for a way to do it without creating another user. Is there a better way to do this?

MARK approach

Here I redirect a packet if it’s not marked, then mark the packet so it’s not redirected again.

iptables -t nat -A OUTPUT -p tcp -m mark ! --mark 1 --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp -m mark ! --mark 1 --dport 443 -j REDIRECT --to-port 8080
# set mark
iptables -t mangle -A POSTROUTING -p tcp -j CONNMARK --set-mark 1

Delete the mark rules with:

iptables -t nat -D OUTPUT -p tcp -m mark ! --mark 1 --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -D OUTPUT -p tcp -m mark ! --mark 1 --dport 443 -j REDIRECT --to-port 8080
iptables -t mangle -D POSTROUTING -p tcp -j CONNMARK --set-mark 1

TTL approach

Here I redirect the packet to the proxy on 8080 if the TTL hasn’t been decreased.

iptables -t nat -A OUTPUT -p tcp -m ttl --ttl-gt $TTL_SIZE --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp -m ttl --ttl-gt $TTL_SIZE --dport 443 -j REDIRECT --to-port 8080

Delete the TTL rules with:

iptables -t nat -D OUTPUT -p tcp -m ttl --ttl-gt $TTL_SIZE --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -D OUTPUT -p tcp -m ttl --ttl-gt $TTL_SIZE --dport 443 -j REDIRECT --to-port 8080
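
Why both rule sets loop, as an added example that is not part of the original post: a simplified Python model of how netfilter handles locally generated connections, comparing the two rule sets above with a connmark variant and an owner match. The `Conn` class, the "browser"/"proxy" owner labels and the default TTL of 64 are assumptions of the model.

```python
from dataclasses import dataclass

PROXY_PORT = 8080
DEFAULT_TTL = 64  # assumption: every local socket sends with the same default TTL

@dataclass
class Conn:
    owner: str          # hypothetical label for the process that opened the socket
    dport: int
    pkt_mark: int = 0   # packet mark, tested by "-m mark"; 0 on a new socket
    ct_mark: int = 0    # connection mark, written by "CONNMARK --set-mark"
    ttl: int = DEFAULT_TTL

def web(c):
    return c.dport in (80, 443)

def mark_rule(c):        # -m mark ! --mark 1 -j REDIRECT
    return web(c) and c.pkt_mark != 1

def connmark_rule(c):    # variant: -m connmark ! --mark 1 -j REDIRECT
    return web(c) and c.ct_mark != 1

def ttl_rule(ttl_size):  # -m ttl --ttl-gt $TTL_SIZE -j REDIRECT
    return lambda c: web(c) and c.ttl > ttl_size

def owner_rule(c):       # -m owner ! --uid-owner <proxy user> -j REDIRECT
    return web(c) and c.owner != "proxy"

def connect(c, nat_rule):
    """First packet of a new connection: nat OUTPUT, then mangle POSTROUTING."""
    redirected = nat_rule(c)   # nat is consulted once, for this packet only
    if redirected:
        c.dport = PROXY_PORT
    c.ct_mark = 1              # set after the NAT decision has been made
    return redirected

def passes_through_proxy(nat_rule, limit=10):
    """Times the flow enters the proxy before reaching upstream; None = loop."""
    conn = Conn(owner="browser", dport=443)
    for hops in range(limit):
        if not connect(conn, nat_rule):
            return hops
        # The proxy opens a fresh upstream socket: new conntrack entry, mark 0.
        conn = Conn(owner="proxy", dport=443)
    return None

if __name__ == "__main__":
    for name, rule in [("mark", mark_rule), ("connmark", connmark_rule),
                       ("ttl>63", ttl_rule(63)), ("ttl>64", ttl_rule(64)),
                       ("owner", owner_rule)]:
        print(f"{name:9} -> {passes_through_proxy(rule)}")
```

A result of `None` means the proxy's own upstream connection was redirected back into the proxy; `0` means nothing was intercepted at all, and `1` means the client was intercepted once and the proxy's connection left the host.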