Wednesday, March 26, 2025

ipv4 – How can I stop a redirect loop with iptables when running a local forward proxy?


I am using the following script to create iptables rules to forward outgoing traffic to a forward proxy called mitmproxy running on my machine. The rules are supposed to redirect a packet if it isn't marked, then mark the packet so it isn't redirected a second time after the proxy forwards it. Unfortunately the packet gets redirected again after mitmproxy forwards it, creating a network loop. The mitmproxy docs recommend creating a separate user to run mitmproxy as, but I am looking for a better way. I've also tried only redirecting if the TTL hasn't been decremented, which also did not work (mitmproxy doesn't decrement the TTL?). Is there a way to mark packets which have already been redirected to mitmproxy so I can prevent a network loop?

#! /bin/bash
# https://stackoverflow.com/questions/10727443/how-to-use-iptables-in-linux-to-forward-http-and-https-traffic-to-a-transparent
# Run as root: the add/delete lines below do not use sudo.

echo "____BEFORE ANY CHANGES:"
sudo iptables -t mangle --line-numbers -n -L PREROUTING
sudo iptables -t nat --line-numbers -n  -L OUTPUT

echo "____CHANGING"
# redirect if not set
iptables -t nat -A OUTPUT -p tcp -m mark ! --mark 1 --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp -m mark ! --mark 1 --dport 443  -j REDIRECT --to-port 8080
# set mark
iptables -t mangle -A POSTROUTING -p tcp -j CONNMARK --set-mark 1
# https://docs.mitmproxy.org/stable/howto-transparent/

echo "____CHANGED"
# sudo iptables -t mangle --line-numbers -n -A PREROUTING 
sudo iptables -t nat --line-numbers -n  -L OUTPUT
sudo iptables -t mangle --line-numbers -n  -L POSTROUTING

echo "enter to proceed"
read var1

echo "____BEFORE REVERTING"
sudo iptables -t nat --line-numbers -n  -L OUTPUT
sudo iptables -t mangle --line-numbers -n  -L POSTROUTING
# sudo ip6tables -t nat --line-numbers -n  -L OUTPUT

echo "____REVERTING"
iptables -t nat -D OUTPUT -p tcp -m mark ! --mark 1 --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -D OUTPUT -p tcp -m mark ! --mark 1 --dport 443 -j REDIRECT --to-port 8080
iptables -t mangle -D POSTROUTING -p tcp -j CONNMARK --set-mark 1

echo "____AFTER REVERTING"
sudo iptables -t nat --line-numbers -n  -L OUTPUT
sudo iptables -t mangle --line-numbers -n  -L POSTROUTING
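The following is an added example, not code from the question above or from the mitmproxy project. It generates a loop-free version of the rule set. The reason the mark-based attempt cannot work is that REDIRECT in nat OUTPUT only rewrites the destination of the client's packet to 127.0.0.1:8080; mitmproxy then opens a brand-new TCP connection to the real server. That connection has its own conntrack entry, so a CONNMARK set on the client's connection is never seen on it, and a userspace proxy never decrements the TTL because it is not forwarding the original packet at all. The one property that does distinguish the proxy's outbound packets from every other locally generated packet is which user created the socket, which `-m owner` can match in the OUTPUT chain. The user name `mitmproxyuser`, the proxy port 8080 and the dry-run default are assumptions of this script; if a dedicated user is unwanted, the same exclusion can be expressed with `-m cgroup --path` against a cgroup that mitmproxy is started in (for example with `systemd-run --scope`), which is again an assumption about the local setup.

```shell
#!/bin/sh
# Added example (not from the original post): loop-free transparent
# redirection of local HTTP/HTTPS traffic to mitmproxy.
# Run as root when DRY_RUN=0. With DRY_RUN=1 (the default) the iptables
# commands are printed instead of executed, so the rule set can be reviewed
# or tested on a machine without iptables.

MITM_USER="${MITM_USER:-mitmproxyuser}"  # assumption: mitmproxy runs as this user
PROXY_PORT="${PROXY_PORT:-8080}"         # assumption: mitmproxy listens here
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands, 0 = execute them

# ipt prints the iptables command (dry run) or runs it.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# mitm_rule ACTION DPORT emits one REDIRECT rule for locally generated
# traffic to DPORT. ACTION is -A (append), -D (delete) or -C (check).
# The owner match is what breaks the loop: packets from sockets owned by
# MITM_USER (mitmproxy's own upstream connections) are not redirected.
mitm_rule() {
  ipt -t nat "$1" OUTPUT -p tcp -m owner ! --uid-owner "$MITM_USER" \
      --dport "$2" -j REDIRECT --to-ports "$PROXY_PORT"
}

# mitm_apply installs the rules; mitm_revert removes them in reverse order.
mitm_apply()  { mitm_rule -A 80; mitm_rule -A 443; }
mitm_revert() { mitm_rule -D 443; mitm_rule -D 80; }

# loop_safe reads iptables commands on stdin and succeeds only if every
# REDIRECT rule carries an owner exclusion. A rule that relies on -m mark
# alone (as in the question) fails this check, because a fresh packet from
# the proxy's new upstream connection always has a zero mark.
loop_safe() {
  while IFS= read -r line; do
    case "$line" in
      *REDIRECT*)
        case "$line" in
          *"-m owner ! --uid-owner"*) ;;
          *) return 1 ;;
        esac ;;
    esac
  done
  return 0
}

# Command-line entry point: ./mitm-redirect.sh apply | revert
case "${1:-}" in
  apply)  mitm_apply ;;
  revert) mitm_revert ;;
esac
```

Start the proxy as the excluded user, for example `sudo -u mitmproxyuser mitmproxy --mode transparent --showhost`, and run clients as any other user; traffic from `mitmproxyuser` itself is the only traffic that bypasses the redirect. The same two rules are needed in `ip6tables` if IPv6 traffic should be intercepted as well.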
