Home / server / Questions / 791181
Accepted
Sjoerd
Asked: 2016-07-22 06:21:12 +0800 CST

Redirecting traffic to a specific address and port using PF on MacOS

  • 772

I want to pentest a mobile application. To do so, I want to intercept all WiFi traffic and forward it to Burp, which runs in a VM.

I enabled "Internet Sharing" on my Macbook so my phone now connects to the laptop using WiFi. Then I want to forward all traffic to the Burp proxy, which is at 172.16.122.128:8080.

Redirecting to localhost works:

rdr pass on bridge100 inet proto tcp from any to any port {80,443} -> 127.0.0.1 port 8080

I put this rule in a file and load it with pfctl -f pf.rules. After that, I listed on port 8080 using nc -l -p 8080 and when I browse somewhere on my phone it indeed connects to localhost instead.

However, when I try to forward to 172.16.122.128, it doesn't work:

rdr pass on bridge100 inet proto tcp from any to any port {80,443} -> 172.16.122.128 port 8080

The packets do end up in the VM (tested with Wireshark) but no connection is made. This could be because they originate from 192.168.2.3. Do I need NAT somewhere? How can I configure this correctly?

I drew a picture of my network layout. (The VM actually runs on my laptop, but I drew it separate here.) my network layout

nat pf

3 Answers

  1. I guess, the problem is that you have not configured forwarding between 2 networks, (1) VM network (172.16.122.0/24) and (2) your LAN (192.168.2.0/24). To configure forwarding on your Mac, you probably need to do the following (sorry, I do not have a Mac, so I cannot try):

    1) As written at https://apple.stackexchange.com/a/192183:

    sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.enable=1

    2) add static routes to both networks, if needed (I guess, you have it already, since you can connect with nc from your Mac to the VM)

    Finally, another option (without configuring your Mac as a router) is to setup NAT using your virtualisation software and forward a port to your VM. If you use a VMware Fusion, please have a look here or here.

    Then, instead of forwarding traffic to the port on your VM, forward it to the forwarded port on the vmnet8 interface:

    rdr pass on bridge100 inet proto tcp from any to any port {80,443} -> 172.16.122.1 port 8080

    (port 8080 on the vmnet8 should be forwarded to port 8080 on your VM by VMware Fusion)

    • 1
  2. Best Answer

    The following PF rules work:

    nat on vmnet8 from bridge100:network to any -> (vmnet8)
rdr pass on bridge100 inet proto tcp from any to any -> 172.16.122.128 port 8080

    This forwards all requests to 172.16.122.128, while doing NAT in between.

    NAT is needed to translate between the addresses of the two networks, i.e. 192.168.2.0/24 and 172.16.122.0/24. The fowarding part already worked (as described in my question), but the packets were forwarded with the wrong source address. NAT changes that source address to 172.16.122.1, so that the VM knows to send packets back to my MacBook, which then forwards them to the phone again.

    • 1

  3. If the VM is a linux one, you do need to Nat incoming traffic and mangle it. That is:

    1. An incoming packet from 192.168.2.3 is accepted
    2. Change the destination address of the packet to 172.16.122.128 (mangle)
    3. Submit the packet to the linux routing layer

    Firewall commands

    # Enable forward
sudo sysctl -w net.ipv4.ip_forward=1

# FLUSH ALL RULES
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Forward
sudo iptables -A FORWARD -i eth0 -j ACCEPT


# Mangling rule. I think you can add the port right after the dest ip
sudo iptables -t nat -A POSTROUTING -s 192.168.2.3/32  -j SNAT --to  172.16.122.128
    • -1