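First, set up the direct-connection list for PF, the firewall on the Mac:
This list is effectively a whitelist of addresses that do not go through the circumvention (proxy) server. It has two parts:
Internal IPs: the 127, 192.168, 10 and 172.16 ranges and so on,
The address of the proxy server: the public IP address of the VPS.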
mkdir -p /usr/local/etc/redsocks/
$ echo '''
192.31.196.0/24
192.52.193.0/24
127.0.0.0/8
192.175.48.0/24
192.0.0.0/24
198.18.0.0/15
203.0.113.0/24
100.64.0.0/10
240.0.0.0/4
0.0.0.0/8
192.88.99.0/24
172.16.0.0/12
192.168.0.0/16
198.51.100.0/24
255.255.255.255
192.0.2.0/24
169.254.0.0/16
224.0.0.0/4
10.0.0.0/8
''' >> /usr/local/etc/redsocks/direct_cidr_full.txt
(This adds local and LAN addresses to the direct list.)
$ echo ''' vps-public-ip ''' >> /usr/local/etc/redsocks/direct_cidr_full.txt
(Remember to add the VPS's public IP address to the direct list; otherwise the proxy client's own connection to the VPS would be redirected back into redsocks.)
Set up PF's traffic forwarding rules:
$ nano /etc/pf.conf
with the following content:
scrub-anchor "com.apple/*"
table <direct_cidr> persist file "/usr/local/etc/redsocks/direct_cidr_full.txt"
nat-anchor "com.apple/*"
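rdr-anchor "com.apple/*"
# Redirect all traffic on lo0 whose destination is not in the direct list (traffic that needs the proxy) to the redsocks listener at 127.0.0.1:12345.
rdr pass on lo0 proto tcp from any to !<direct_cidr> -> 127.0.0.1 port 12345
# Route all traffic on eth0 whose destination is not in the direct list (traffic that needs the proxy) to lo0.
pass out route-to (lo0 127.0.0.1) proto tcp from any to !<direct_cidr>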
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
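$ sudo sysctl -w net.inet.ip.forwarding=1 # enable forwarding for PF
$ sudo pfctl -e # enable the pf service
$ sudo pfctl -f /etc/pf.conf # load the pf firewall rules
To stop PF forwarding/filtering, either disable pf or flush its rules:
sudo pfctl -d # disable the pf service
sudo pfctl -F all # flush all pf configuration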
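An added example, not part of the original post: a Python check that mirrors how the `!<direct_cidr>` match in the rules above decides between direct and redirected traffic, and flags list entries that are not addresses. The sample list is abridged (it omits the documentation ranges) and the VPS address 203.0.113.10 is a constructed stand-in.

```python
import ipaddress

# Constructed sample: a few of the page's ranges plus the literal
# placeholder a reader might forget to replace with the real VPS IP.
SAMPLE_LIST = """
127.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
255.255.255.255   # bare address, treated as /32
vps-public-ip
"""

def parse_direct_list(text):
    """Return (networks, bad_tokens) from the body of the PF table file."""
    networks, bad = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0]              # drop comments
        for token in line.split():
            try:
                networks.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                bad.append(token)
    return networks, bad

def is_direct(dest, networks):
    """True if dest is in <direct_cidr>, so the rdr/route-to rules skip it."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in networks if net.version == addr.version)

def audit(text, must_be_direct):
    """Report unparsable entries and hosts that must bypass redsocks but do not."""
    networks, bad = parse_direct_list(text)
    problems = [f"not an IP/CIDR: {t}" for t in bad]
    for label, ip in must_be_direct.items():
        if not is_direct(ip, networks):
            problems.append(f"{label} {ip} would be redirected into redsocks (loop)")
    return problems

if __name__ == "__main__":
    required = {"local SOCKS5 endpoint": "127.0.0.1", "VPS": "203.0.113.10"}
    for p in audit(SAMPLE_LIST, required):
        print("PROBLEM:", p)
    fixed = SAMPLE_LIST.replace("vps-public-ip", "203.0.113.10")
    print("after fix:", audit(fixed, required) or "ok")
```

On the Mac itself, `sudo pfctl -t direct_cidr -T show` lists what PF actually loaded into the table.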
Next, build redsocks:
git clone https://github.com/sonywork/redsocks redsocks-by-sonywork
(Note: you must clone this repository, https://github.com/sonywork/redsocks; do not clone https://github.com/darkk/redsocks, https://github.com/semigodking/redsocks or any other fork, because sonywork made important changes to his own repository. If sonywork later deletes his redsocks repository, you can clone my fork of it: https://github.com/briteming/redsocks)
cd redsocks-by-sonywork
make
(When make finishes, the redsocks executable is generated in the current directory.)
cp redsocks.conf.example redsocks.conf
nano redsocks.conf
cat redsocks.conf
base {
log_debug = off;
log_info = on;
log = stderr;
daemon = off;
redirector = pf;
}
redsocks {
local_ip = 127.0.0.1;
local_port = 12345;
ip = 127.0.0.1;
port = 2553;
type = socks5;
}
redudp {
local_ip = 127.0.0.1;
local_port = 10053;
ip = 127.0.0.1;
port = 2553;
dest_ip = 8.8.8.8;
dest_port = 53;
udp_timeout = 30;
udp_timeout_stream = 180;
}
dnstc {
local_ip = 127.0.0.1;
local_port = 5300;
}
dnsu2t {
local_ip = 127.0.0.1;
local_port = 5313;
remote_ip = 8.8.8.8;
remote_port = 53;
}
Then run:
sudo ./redsocks -c redsocks.conf
Do not close this terminal.
Then open a new terminal and run:
sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1
Run:
cd ~/socks5-proxy-by-yuanrenguang715/client/;client-based-on-socks5-proxy-by-yuanrenguang715
(For the usage of 'socks5-proxy-by-yuanrenguang715', see https://briteming.blogspot.com/2020/05/socks5-proxy-by-yuanrenguang715.html)
sudo ~/goproxy-by-snail007/proxy dns -S socks -T tcp -P 127.0.0.1:2553 -p :53
(For the usage of 'goproxy-by-snail007', see https://briteming.blogspot.com/2019/08/socks-proxydnsdns-proxy-by-snail007.html)
After that, all traffic from your Mac goes through the proxy (global circumvention).
Check regularly whether './redsocks -c redsocks.conf' has exited. If it has, run './redsocks -c redsocks.conf' again.
To shut down this global proxy, just stop PF forwarding/filtering: either disable pf or flush its rules:
sudo pfctl -d
# disable the pf service
sudo pfctl -F all
# flush all pf configuration
------------------------------------
Setting up Redsocks on OS X Mountain Lion using ipfw
You can set up redsocks on OS X Mountain Lion using ipfw using commands similar to the one below (assuming your redsocks is set to listen on port 12345 and that you want to redirect all TCP connections to ports other than 22). I use redsocks on Mountain Lion on a mid 2011 Mac Mini and it works great
sudo ipfw add fwd 127.0.0.1,12345 tcp from me to not me not dst-port 22
AFAIK this won't actually work without setting the scopedroute flag to 0. Read more details here (you don't actually need to do the SSL certificate stuff, just set the scopedroute flag): http://lucumr.pocoo.org/2013/1/6/osx-wifi-proxy/
-----------------
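Redsocks is a daemon running on the local system that transparently tunnels any TCP connection through a remote SOCKS4, SOCKS5 or HTTP proxy server. It uses the system firewall's redirection facility to intercept TCP connections, so the redirection is system-wide, with fine-grained control, and does not depend on LD_PRELOAD libraries.
Redsocks supports tunneling both TCP connections and UDP packets. It has authentication support for SOCKS and HTTP proxies.
Also included is a small DNS server that returns answers with the "truncated" flag set for every UDP query, forcing the resolver to use TCP.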
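The truncation trick described above at the wire level, as an added example (not redsocks source code): the reply copies the query ID and question, sets the TC bit and carries no answers, so the resolver retries over TCP, which the `proto tcp` PF rules on this page can redirect. The function names and the sample query are constructed for illustration.

```python
import struct

QR = 0x8000  # response bit
TC = 0x0200  # "truncated" bit
RD = 0x0100  # recursion desired

def build_query(txid, name, qtype=1):
    """Constructed helper: a minimal DNS query (qtype 1 = A, class IN)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!6H", txid, RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!2H", qtype, 1)

def truncated_reply(query):
    """Build an answerless reply to `query` with TC set, echoing the question."""
    if len(query) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!3H", query[:6])
    if flags & QR:
        raise ValueError("already a response")
    reply_flags = QR | TC | (flags & 0x7900)      # keep opcode and RD
    return struct.pack("!6H", txid, reply_flags, qdcount, 0, 0, 0) + query[12:]

def resolver_must_use_tcp(reply, expected_txid):
    """True for a truncated, answerless response to our query (retry over TCP)."""
    txid, flags, _, ancount = struct.unpack("!4H", reply[:8])
    return (txid == expected_txid and bool(flags & QR)
            and bool(flags & TC) and ancount == 0)

if __name__ == "__main__":
    q = build_query(0x1A2B, "example.com")
    r = truncated_reply(q)
    print(r[:12].hex(), resolver_must_use_tcp(r, 0x1A2B))
```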
-----------------
OSX as a Transparent Wifi MITM Proxy
written on Sunday, January 6, 2013
Yesterday I was in the situation where I wanted to debug an iOS device and what network calls it would make. Normally the trivial step is to just define an HTTP proxy server in the wifi settings but that will only work for as long as you have something that actually honors this proxy server. But there are better ways to transparently proxy connections from a device connected via Wifi which does not require any changes on the actual device.
The Tools
In order for this to work you need a device running OS X which is connected to the same network as the Wifi. Then you need to convince the Wifi device to see you as the gateway instead of the actual gateway. The easiest way is just to go to the settings and change the gateway to your computer's IP. The second ingredient is an HTTP proxy, ideally one that can also decrypt and reencrypt SSL traffic. Personally I can recommend Charles for that. Lastly you will need another proxy that can work transparently which sits between your device and Charles. On OS X redsocks gets this job done.
If you don't want to spend the money on Charles or you want to rewrite traffic with Python you can use mitmproxy.
The Setup
The first thing you will notice is that when you point your Wifi device to your computer it will lose network connectivity. That's because by default your computer won't forward packets. This can easily be changed through sysctl:
$ sudo sysctl -w net.inet.ip.forwarding=1
After that you should be able to browse the internet again on your Wifi device.
The second step is installing redsocks. If you have brew that's a very trivial operation:
$ brew install redsocks
Once installed you will need to create a config file for it. Call it redsocks.conf and place it in a folder from which you run redsocks:
base {
log_debug = on;
log_info = on;
log = stderr;
daemon = off;
redirector = generic;
}
redsocks {
local_ip = 0.0.0.0;
local_port = 12345;
ip = 127.0.0.1;
port = 8889;
// known types: socks4, socks5, http-connect, http-relay
type = socks5;
}
Since I'm using Charles I take advantage of its socks5 support and point it to localhost:8889 where Charles normally starts up if configured as Socks5 proxy. If you're using a regular HTTP proxy you can use http-connect as proxy type. The local_port defines where the actual transparent redsocks proxy opens.
All you have to do then is to start it:
$ redsocks
After that you will need to point all the traffic that is not from your computer and from port 80 and 443 of your Wifi through redsocks. On OS X the firewall can be controlled through ipfw. In my case the wifi device is en1:
$ sudo ipfw add fwd 127.0.0.1,12345 tcp from not me to any 80 in via en1
$ sudo ipfw add fwd 127.0.0.1,12345 tcp from not me to any 443 in via en1
Working around OS X Bugs
Now currently if you finish that above setup you will notice that nothing actually works. The cause for this is a Bug in the OS X kernel that requires flipping the net.inet.ip.scopedroute flag to 0. I am not entirely sure what it does, but the internet reports that it breaks network sharing through the user preferences. In any case it fixes ipfw based forwarding so you can flip it with sysctl:
$ sudo sysctl -w net.inet.ip.scopedroute=0
Unfortunately in OS X Lion this flag can actually not be flipped from userspace so you need to set it as boot parameter and then restart your computer. You can do this by editing the /Library/Preferences/SystemConfiguration/com.apple.Boot.plist file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Kernel Flags</key>
<string>net.inet.ip.scopedroute=0</string>
</dict>
</plist>
Installing SSL Certificates
After all that your HTTP traffic should show up in your SSL interception proxy. SSL will only work if the application on your Wifi device is trusting your SSL interception proxy's CA. For browsers for instance that's trivial to change. The Charles Certificate can be added to the trust store by following this link: charles.crt. Note that this will not work with applications that don't use the system's CA trust store. In that case you will need to recompile your application so that it trusts the Charles CA.
from http://lucumr.pocoo.org/2013/1/6/osx-wifi-proxy
-----
Related posts:
https://briteming.blogspot.com/2019/06/mac-osredsocks2ss.html
https://briteming.blogspot.com/2019/08/mac.html