Last active
October 20, 2021 12:34
Socket-level host remapping with iptables (like Fiddler's host remapping at the HTTP level)
Point the phone's HTTP proxy at Fiddler on the PC; Fiddler has a host remapping feature,
so you can test the development server and the production server at the same time without changing the app, and without fighting the DNS caches on Android and iOS;
but Fiddler cannot follow socket-level traffic (many mobile apps send their HTTP requests through socket libraries), and unbound's server/local-data cannot get around the phone's DNS cache either.
(Actually you can also use sudo iptables -t nat -I PREROUTING -p tcp -s 192.168.0.0/24 -j REDIRECT --to 8888 to forward the phone's TCP traffic to Fiddler; do not add a MASQUERADE rule.)
(If it is a Genymotion image running in VirtualBox:
sudo iptables -t nat -I PREROUTING -p tcp -s 192.168.56.101 -j REDIRECT --to 8888
sudo iptables -t nat -I PREROUTING -p tcp -s 10.0.2.15 -j REDIRECT --to 8888
If you have a real HTTPS proxy (e.g. sniproxy rather than HTTP CONNECT) you can use:
sudo iptables -t nat -I PREROUTING -p tcp -s 192.168.56.101 --dport=443 -j DNAT --to <sniproxy ip>:443
When the phone and the PC are not on the same subnet, the phone's traffic can still be monitored with iptables:
use the sshTunnel app on the phone (tick "global SOCKS proxy") to connect to sshd on the Ubuntu box, or have the phone connect over VPN to pptpd on Ubuntu, then forward with iptables:
sudo iptables -t nat -I OUTPUT -p tcp -d 123.123.0.0/16 --dport 443 -m owner ! --uid-owner 0 -j REDIRECT --to 8888
(1. You need to know the target site's address range first (find it with tshark ...|grep -A2 "<phone ip> SSH"); 2. the proxy listening on 8888 must be started as root (uid==0) to avoid an infinite loop through the OUTPUT chain.)
You first need to set eth1 in netcfg inside the virtual Android (i.e. the second adapter in VirtualBox's network settings) to host-only (which corresponds to vboxnet0 on the PC) with a static IP,
but setting it directly does not work: a wifiwatchdog process notices that vboxnet0 has no DHCP service and keeps restarting the Android launcher, so first use nat/bridged/internal (they all seem to behave like bridged)
to get an IP from the LAN router so that wifiwatchdog is not triggered, then set the static IP, then switch from bridged to host-only.
Also, since it is host-only, the virtual Android can only send DNS queries to the host, and outbound HTTP requests can only get out via the iptables redirect to Fiddler,
and to monitor the traffic with tshark you have to capture on the vboxnet0 interface: sudo tshark -i vboxnet0 -R "tcp and (http.request or http.response)"
)
(Beware that REDIRECT to 8888 sends not only the phone's TCP traffic to Fiddler but also the traffic of bridged VMs; for example the data received by outbound requests from PHP appeared to be corrupted by Fiddler. Use "-s" to restrict the rule to the phone's IP only.)
(Since all of the phone's traffic now goes through Fiddler, you can use Fiddler's redirection to test each of your own servers separately, and a crawler on the phone that fetches third-party sites can be pointed at an HTTP proxy with Fiddler's host remapping.)
Alternative: use tshark instead and do the IP remapping at the socket level with iptables. First point the phone's default gateway at the PC,
and also set in /etc/sysctl.conf on the phone:
net.ipv4.conf.default.accept_redirects=0 # do not use conf.all; conf.default is what takes effect. After ifdown/ifup check with "sysctl -a|grep accept"
net.ipv4.conf.default.secure_redirects=1 # only accept ICMP redirects sent by the gateway you configured yourself
to stop the real gateway from telling the phone to route around the PC.
For an unrooted phone, ARP spoofing directly from the PC is a more reliable way around this problem (arping refuses to broadcast from a fake IP; use arpspoof):
sudo apt-get install dsniff
sudo arpspoof -i eth0 -t 192.168.0.242 192.168.0.1 # ".1" is the gateway, ".242" is the phone: keep telling .242 that I am .1
sudo arpspoof -i eth0 -t 192.168.0.1 192.168.0.242 # in another window: keep telling .1 that I am .242
But if the router broadcasts gratuitous ARP for its own MAC, this does not help.
The PC also needs:
net.ipv4.conf.default.send_redirects = 0 # do not use conf.all; conf.default is what takes effect
so that it does not send ICMP redirects to the phone. The PC can also send ICMP redirects to the phone itself to keep itself as the gateway:
sudo icmpush -red -v -sp 192.168.0.1 -gw 192.168.0.241 -dest 0.0.0.0 -c host -prot tcp 192.168.0.242
Use "ip route flush cache" to clear the route cache from before the change; "ip route show cache 119.119.119.119" shows the route cache for a given destination.
Beware that Linux 3.0 (used by Android 4.0 and 4.1) has a bug: after flushing the cache, wait 10 minutes before doing anything for the flush to really take effect (or reboot the phone).
On a Linux PC such as Ubuntu, first edit /etc/sysctl.conf to set net.ipv4.ip_forward=1 and run sudo sysctl -p to apply it.
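The sysctl requirements above are easy to get subtly wrong (conf.all set instead of conf.default, ip_forward left at 0). The following checker is an added example, not part of the gist: it parses the text output of sysctl -a and reports every setting that differs from what the gist asks for on the phone side and on the PC side. The two sysctl outputs embedded below are constructed sample data; the EXPECTED table and the conf.default-versus-conf.all note come straight from the gist.

```python
"""Check the sysctl settings the gist requires, from `sysctl -a` text output.

Role "phone": must not accept ICMP redirects from anyone but its configured
gateway, otherwise the real router can pull it back off the PC.
Role "pc": must forward, and must not itself redirect the phone to the router.
The gist notes that conf.default (not conf.all) is what takes effect after
ifdown/ifup, so a conf.all value is reported but never counted as sufficient.
"""
import sys
from typing import Dict, List

EXPECTED = {
    "phone": {
        "net.ipv4.conf.default.accept_redirects": "0",
        "net.ipv4.conf.default.secure_redirects": "1",
    },
    "pc": {
        "net.ipv4.conf.default.send_redirects": "0",
        "net.ipv4.ip_forward": "1",
    },
}


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines as printed by sysctl -a (also accepts 'key=value')."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_role(settings: Dict[str, str], role: str) -> List[str]:
    """Return findings for one role; an empty list means the host matches the gist."""
    findings: List[str] = []
    for key, want in EXPECTED[role].items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not present in sysctl output")
        elif got != want:
            findings.append(f"{key}={got}, expected {want}")
            # The trap the gist warns about: conf.all is set, conf.default is not.
            alt = key.replace(".conf.default.", ".conf.all.")
            if alt != key and settings.get(alt) == want:
                findings.append(f"  note: {alt}={want} is set, but conf.default is what takes effect")
    return findings


# Constructed sample output (not real captures): a phone where only conf.all
# was changed, and a PC that is configured as the gist describes.
SAMPLE_PHONE = """
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
"""
SAMPLE_PC = """
net.ipv4.ip_forward = 1
net.ipv4.conf.default.send_redirects = 0
"""


if __name__ == "__main__":
    # Usage on a real host:  sysctl -a | python3 check_sysctl.py pc
    role = sys.argv[1] if len(sys.argv) > 1 else "pc"
    text = sys.stdin.read() if not sys.stdin.isatty() else (SAMPLE_PC if role == "pc" else SAMPLE_PHONE)
    for finding in check_role(parse_sysctl(text), role) or ["OK"]:
        print(finding)
```

Run it as `sysctl -a | python3 check_sysctl.py phone` on the phone (adb shell with a Python build, or copy the output over) and with `pc` on the Linux box; the constructed sample data is only used when nothing is piped in.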
Enable:
sudo iptables -t nat -I PREROUTING -p tcp -d 119.119.119.119 --dport 80 -j DNAT --to 192.168.0.241:80
sudo iptables -t nat -I POSTROUTING -p tcp -s 192.168.0.0/24 -j MASQUERADE
sudo iptables -t nat -I OUTPUT -p tcp -d 119.119.119.119 --dport 80 -j DNAT --to 192.168.0.241:80
Disable:
sudo iptables -t nat -D PREROUTING 1 # "1" is the rule's position number, counted from 1; it may differ depending on where the rule sits
sudo iptables -t nat -D OUTPUT 1
tshark command:
sudo tshark -R "(http.request or http.response) and (ip.src==192.168.0.242 or ip.dst==192.168.0.242)"
Or, more generally:
sudo tshark -R "tcp and (http.request or http.response) and !(ip.addr==192.168.0.241)"
"tcp and " is added to filter out SSDP (a form of HTTP over UDP); you can also filter with grep -Pv "SSDP|ICMP|DHCP|MDNS|LLMNR".
Do not use "ip.addr!=192.168.0.241": it is equivalent to "ip.src!=192.168.0.241 or ip.dst!=192.168.0.241" and has no effect.
Note that if you get your IP on a bridge interface such as br0 instead of eth0, first run sudo tshark -D to check whether br0 is listed first; otherwise specify it explicitly:
sudo tshark -i br0 -R "tcp and (http.request or http.response) and !(ip.addr==192.168.0.241)"
sudo tshark -i vboxnet0 -R "tcp and (http.request or http.response)"
Filter by URL:
sudo tshark -R "tcp and (http.request or http.response) and !(ip.addr==192.168.0.241) and http.request.uri matches \"^/index?action=kkk\""
To see the actual headers in more detail:
sudo tshark -R "tcp and (http.request or http.response) and !(ip.addr==192.168.0.241)" -O http
When the egress interface is br0:
sudo tshark -i br0 -R "tcp and (http.request or http.response) and !(ip.addr==192.168.0.241)" -O http
Or, in Wireshark, enter: tcp and (http.request or http.response) and !(ip.addr==192.168.0.241) and (!expert.message=="Retransmission (suspected)")
then right-click in the packet list and choose "Follow TCP Stream".
Seeing request and response bodies with tshark takes a more complex command, but it is fairly convenient (trace the phone's HTTP traffic for 10 seconds):
sudo tshark -a duration:10 -w /tmp/input.pcap;for stream in `sudo tshark -r /tmp/input.pcap -R "tcp and (http.request or http.response) and !(ip.addr==192.168.0.241)" -T fields -e tcp.stream | sort -n | uniq`; do sudo tshark -q -r /tmp/input.pcap -z follow,tcp,ascii,$stream|head -c 1500; done;sudo rm /tmp/input.pcap
If the network egress is br0:
sudo tshark -i br0 -a duration:10 -w /tmp/input.pcap;for stream in `sudo tshark -r /tmp/input.pcap -R "tcp and (http.request or http.response) and !(ip.addr==192.168.0.241)" -T fields -e tcp.stream | sort -n | uniq`; do sudo tshark -q -r /tmp/input.pcap -z follow,tcp,ascii,$stream|head -c 1500; done;sudo rm /tmp/input.pcap
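The point about "ip.addr!=192.168.0.241" having no effect comes from ip.addr being a multi-valued field (one instance for ip.src and one for ip.dst): the classic "!=" was true as soon as any instance differed. The following Python block is an added example, not part of the gist; it models that evaluation over four constructed packets so the difference between the two filter spellings is visible, and adds two helpers around the commands above: a builder for the tshark command line, and the equivalent of the "-T fields -e tcp.stream | sort -n | uniq" step. Two version caveats a practitioner should know (facts about Wireshark, not from the gist): since Wireshark 3.6, "a != b" always means "!(a == b)", so the recommended spelling is also the one that keeps working; and since tshark 1.10, -R is a read filter that needs two-pass mode (-2), while -Y is the single-pass display filter, so on a current tshark replace "-R" in the commands above with "-Y". The addresses follow the gist (192.168.0.241 PC, 192.168.0.242 phone, 119.119.119.119 production).

```python
"""Model of Wireshark's multi-valued ip.addr field plus tshark helpers.

Constructed example; the packets are made up, not captured.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

PC, PHONE, PROD = "192.168.0.241", "192.168.0.242", "119.119.119.119"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

    @property
    def ip_addr(self) -> List[str]:
        # ip.addr is multi-valued: one instance for ip.src, one for ip.dst
        return [self.src, self.dst]


def classic_addr_not_equal(pkt: Packet, host: str) -> bool:
    """'ip.addr != host' before Wireshark 3.6: true if ANY instance differs."""
    return any(a != host for a in pkt.ip_addr)


def not_addr_equal(pkt: Packet, host: str) -> bool:
    """'!(ip.addr == host)': true only if NO instance equals host."""
    return not any(a == host for a in pkt.ip_addr)


def apply_filter(packets: List[Packet], pred: Callable[[Packet], bool]) -> List[Packet]:
    return [p for p in packets if pred(p)]


# Constructed traffic: two phone<->prod packets and two involving the PC.
SAMPLE = [Packet(PHONE, PROD), Packet(PROD, PHONE), Packet(PC, PROD), Packet(PHONE, PC)]


def exclude_host_filter(host: str) -> str:
    """The display filter the gist recommends, in the spelling that works on every version."""
    return f"tcp and (http.request or http.response) and !(ip.addr=={host})"


def tshark_argv(display_filter: str, iface: Optional[str] = None, single_pass: bool = True) -> List[str]:
    """Build a tshark command line: -Y for single-pass, '-2 -R' for two-pass (tshark >= 1.10)."""
    argv = ["tshark"]
    if iface:
        argv += ["-i", iface]
    argv += ["-Y", display_filter] if single_pass else ["-2", "-R", display_filter]
    return argv


def unique_streams(fields_output: str) -> List[int]:
    """Equivalent of `-T fields -e tcp.stream | sort -n | uniq` from the gist."""
    return sorted({int(s) for s in fields_output.split() if s.isdigit()})


def follow_argv(pcap: str, stream: int) -> List[str]:
    """Command that dumps one TCP stream in ASCII, as in the gist's loop."""
    return ["tshark", "-q", "-r", pcap, "-z", f"follow,tcp,ascii,{stream}"]


if __name__ == "__main__":
    kept_classic = apply_filter(SAMPLE, lambda p: classic_addr_not_equal(p, PC))
    kept_negated = apply_filter(SAMPLE, lambda p: not_addr_equal(p, PC))
    print(f"classic ip.addr!=PC keeps {len(kept_classic)} of {len(SAMPLE)} packets (no effect)")
    print(f"!(ip.addr==PC) keeps {len(kept_negated)} of {len(SAMPLE)} packets")
    print(" ".join(tshark_argv(exclude_host_filter(PC), iface="br0")))
    for sid in unique_streams("3\n3\n1\n7\n3\n"):  # constructed -T fields output
        print(" ".join(follow_argv("/tmp/input.pcap", sid)))
```

Running the block shows the classic "!=" keeping all four packets while "!(ip.addr==...)" keeps only the two that do not touch the PC, which is exactly the behaviour the gist describes.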
If you do not need host remapping and just want to trace the phone's traffic, then after pointing the phone's gateway at your Linux PC you still need two iptables POSTROUTING rules (no PREROUTING needed):
sudo iptables -t nat -I POSTROUTING -p tcp -s 192.168.0.0/24 -j MASQUERADE
sudo iptables -t nat -I POSTROUTING -p udp -s 192.168.0.0/24 -j MASQUERADE
Otherwise the HTTP response traffic coming back from outside is sent by the WAN router straight to the phone without passing through the Linux PC you set as the phone's router, so the returning packets cannot be traced.
In the examples, 192.168.0.241 is the IP of the PC and the development server, 192.168.0.242 is the phone's IP, and 119.119.119.119 is the production server's IP.
Addendum: with iptables and netsed (installable with apt-get on Ubuntu) you can modify data in real time, e.g. the updatetime field in a record returned by a REST API (this does not work on responses with Content-Encoding: gzip):
sudo iptables -t nat -I PREROUTING -p tcp -d 119.119.119.119 --dport 80 -j REDIRECT --to 8080
netsed tcp 8080 119.119.119.119 80 "s/gzip, deflate, sdch/" s/string_a/string_b # look up the actual value of "gzip, deflate, sdch" in the browser or client first; headers are not compressed, so rewriting the request header first means the response body is not compressed either
With the phone using the PC as its gateway, monitor the phone's traffic on the PC:
tshark -T fields -e frame.number -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e data -R "ip.src==10.10.2.33"