I have two machines: machine A and machine B. Machine A routes all the traffic through machine B. On machine A I set these iptables rules:

    iptables -t nat -A PREROUTING -i wlan0 -j DNAT --to-destination 172.16.250.128
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Where tun0 is the interface which contains the IP address 172.16.250.128 in its IP range.
Now all the packets received on machine A are routed to machine B, without changing ports.
On machine B I set up a transparent proxy (mitmproxy, Burp Suite, etc.) on port 8080 and this iptables rule:

    iptables -t nat -A PREROUTING -i ens33 -p tcp -j REDIRECT --to-ports 8080

Where ens33 (IP 172.16.250.128) is the interface connected to the interface tun0 on machine A.
The rule above redirects all TCP packets from that interface to port 8080, the port on which the transparent proxy listens.
All works great, all TCP packets are routed through the transparent proxy.
But I'm not sure about how the transparent proxy knows the original destination of the packet (both address and port)?
I found this question: [link][1]
It says that iptables saves the original destination before the destination is modified.
Now I understand how the transparent proxy knows the original port.
But what about the destination address? Since the destination address is modified on machine A, I think machine B and its internals should not know about the original destination address since machine B didn't modify it, right? But somehow it's still able to get the original destination address of the packet sent to the wlan0 interface that is routed to the transparent proxy. I know it because obviously the transparent proxy routes packets to the original destination correctly (the destination on the Internet).
How does machine B know the original destination of the DNATed (modified destination) packet? Is the original destination sent over the network as well? I didn't see it in Wireshark.

[1]: How does a transparent SOCKS proxy know which destination IP to use?
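
Added example, not part of the original post: the lookup the linked question describes, as a proxy listening on the REDIRECT port would perform it on Linux. `getsockopt(SO_ORIGINAL_DST)` returns the destination stored in the conntrack table of the machine where the call is made. The function names, the fallback behaviour and the sample bytes are assumptions of this sketch.

```python
import errno
import socket
import struct

SO_ORIGINAL_DST = 80   # <linux/netfilter_ipv4.h>; not exported by Python's socket module
SOCKADDR_IN_LEN = 16   # sizeof(struct sockaddr_in)

# Constructed sample: the sockaddr_in bytes for 203.0.113.10:443 (documentation address).
SAMPLE = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 443)
          + socket.inet_aton("203.0.113.10") + b"\x00" * 8)


def decode_sockaddr_in(raw: bytes) -> tuple[str, int]:
    """Decode the struct sockaddr_in returned by getsockopt(SO_ORIGINAL_DST)."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    (family,) = struct.unpack_from("=H", raw, 0)   # sin_family: host byte order
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    (port,) = struct.unpack_from("!H", raw, 2)     # sin_port: network byte order
    return socket.inet_ntoa(raw[4:8]), port


def original_dst(conn: socket.socket) -> tuple[str, int]:
    """Destination of an accepted TCP connection as it was before local NAT."""
    try:
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    except OSError as exc:
        # ENOENT: this host has no conntrack entry for the connection.
        # ENOPROTOOPT: the conntrack socket option is unavailable.
        if exc.errno in (errno.ENOENT, errno.ENOPROTOOPT):
            return conn.getsockname()[:2]          # address we actually accepted on
        raise
    return decode_sockaddr_in(raw)


def serve(port: int = 8080) -> None:
    """Accept redirected connections and log what conntrack recorded for each."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:
                print(f"{peer} -> local {conn.getsockname()} original {original_dst(conn)}")


if __name__ == "__main__":
    serve()
```

Running `serve()` on the proxy host next to a packet capture on the ingress interface shows whether the logged "original" value matches the destination field of the packets as they arrive there.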