Mitmproxy TCP Interception #7

Open
Syndlex opened this issue Jul 22, 2020 · 5 comments
Labels: feature, help wanted

Comments


Syndlex commented Jul 22, 2020

Description

I tried the TCP raw option of mitmproxy and it's not working.
I don't know if this should be a feature request or a bug report.

Kubectl commands to create reproducible environment / deployment

I enabled rawtcp in the option menu of mitmweb
and added ".*" to tcp_hosts.
According to mitmproxy/mitmproxy#2595 this should work.
Do you have an idea how to get rawtcp mode working?

The

Screenshots or other information

These are the deployments and the service I use:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ncl
  labels:
    app: netcatlistener
spec:
  replicas: 1
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app: netcatlistener
  template:
    metadata:
      labels:
        app: netcatlistener
    spec:
      containers:
        - args:
            - "-lk"
            - "8888"
          image: subfuzion/netcat
          imagePullPolicy: IfNotPresent
          name: ncl
          tty: true
          stdin: true
          ports:
            - containerPort: 8888
              name: listenerport
      nodeName: k8s-worker-1

---

apiVersion: v1
kind: Service
metadata:
  name: ncservice
spec:
  clusterIP: 10.103.53.167
  ports:
    - name: nctcp
      port: 8888
      protocol: TCP
      targetPort: 8888
    - name: ncudp
      port: 8888
      protocol: UDP
      targetPort: 8888
  selector:
    app: netcatlistener
  sessionAffinity: None
  type: ClusterIP

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ncs
spec:
  replicas: 1
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app: netcatsend
  template:
    metadata:
      labels:
        app: netcatsend
    spec:
      containers:
        - args:
            - "-v"
            - "10.103.53.167"
            - "8888"
          image: subfuzion/netcat
          imagePullPolicy: IfNotPresent
          name: ncs
          tty: true
          stdin: true
      nodeName: k8s-worker-1

Eriner commented Jul 22, 2020

I'm going to actually close this as a dupe, as this is essentially a different version of #2. Re: the raw option you tried, kubetap uses mitmweb and not mitmproxy, which may or may not be the issue here.

Eriner closed this as completed Jul 22, 2020
Eriner added the duplicate label Jul 22, 2020

Syndlex commented Jul 22, 2020

1.

mitmweb and mitmproxy are the same program with just another interface: https://docs.mitmproxy.org/stable/tools-mitmweb/
The link was for reference to what I configured in mitmweb.

This should work since they are the same codebase.
The option for reference is: https://mitmproxy.readthedocs.io/en/v2.0.2/features/tcpproxy.html

2.

Traffic capturing is something different.
I specifically need TCP traffic proxying.
Capturing cannot intercept and change segments.

I am currently writing my master's thesis about this topic.
A clear "we will not support the rawtcp option from mitmproxy/mitmweb" would be enough.


Eriner commented Jul 22, 2020

Ah, I actually did not know that mitmproxy offered this feature in the web UI. I am going to close #2 in favor of this.

The issue you reference in the OP has a comment that references modes: https://docs.mitmproxy.org/stable/concepts-modes/

Kubetap currently only uses the reverse mode, though this is configurable (but will currently return an error):

// createMitmproxyConfigMap creates a mitmproxy configmap based on the proxy mode, however currently

Perhaps try commenting out these errors and adding the configuration line for a compatible mode.

Happy to accept a PR if you find a solution!

Eriner reopened this Jul 22, 2020
Eriner added the feature, good first issue and help wanted labels and removed the duplicate label Jul 22, 2020
Eriner mentioned this issue Jul 22, 2020

Syndlex commented Jul 23, 2020

So I fiddled around and read some more of the documentation and issues from mitmproxy.

tcpraw is in an experimental state (https://docs.mitmproxy.org/stable/concepts-options/#available-options, search for the rawtcp option)
and cannot intersect traffic at the moment. (That's what I am after.)

I tested locally because it's faster and came to the same conclusion as the skotti in mitmproxy/mitmproxy#2595:
that this is not working at the moment. I tested with the new 5.2 version of mitmproxy.

For reference, here are the commands I used.

# Terminal 1. Starting proxy listen on port 8887 proxying to localhost 8888 enable rawtcp and allow all tcp hosts
mitmweb -p 8887 --mode reverse:localhost:8888 --tcp-hosts '.*' --rawtcp
# Terminal 2.  netcat listen on 8888 for segments
nc -lv 8888
# Terminal 3. connect to the proxy on port 8887
nc -v localhost 8887

Connecting is working but segments never arrive at the destination.
Additional note: I use the OpenBSD version of netcat here.

@Eriner reverse mode is basically the only option here. We do want to proxy all traffic to a server (pod).
Maybe transparent mode is an option, but this could be very complicated to implement, I think.
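
The three-terminal test in the comment above can be turned into a repeatable check that separates "the TCP connection is accepted" from "the payload reaches the upstream listener". This is an added example, not part of the original post or of kubetap; `start_relay` and `check_delivery` are hypothetical names, and the relay is a constructed stand-in for the proxy so the script runs offline.

```python
import socket
import threading

def start_relay(upstream_port, forward=True):
    """Constructed stand-in for the proxy. forward=False reproduces the
    reported symptom: connections are accepted, payload is never relayed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        client, _ = srv.accept()
        upstream = socket.create_connection(("127.0.0.1", upstream_port))
        with srv, client, upstream:
            while data := client.recv(4096):
                if forward:
                    upstream.sendall(data)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def check_delivery(make_proxy, listen_port=0, marker=b"probe-segment\n", timeout=1.0):
    """Return (connected, delivered) for a proxy placed in front of a listener.
    make_proxy(upstream_port) must return the port the proxy listens on."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", listen_port))
    listener.listen(1)
    listener.settimeout(timeout)
    connected = delivered = False
    try:
        proxy_port = make_proxy(listener.getsockname()[1])
        with socket.create_connection(("127.0.0.1", proxy_port), timeout=timeout) as c:
            connected = True
            c.sendall(marker)
            conn, _ = listener.accept()  # proxy opened its upstream connection
            with conn:
                conn.settimeout(timeout)
                received = b""
                while len(received) < len(marker) and (chunk := conn.recv(4096)):
                    received += chunk
                delivered = received == marker
    except OSError:  # refused connection, or timeout waiting for the payload
        pass
    finally:
        listener.close()
    return connected, delivered

if __name__ == "__main__":
    print("forwarding relay:", check_delivery(lambda p: start_relay(p, True)))
    print("silent relay:    ", check_delivery(lambda p: start_relay(p, False)))
```

To run the same check against the setup from the comment, start the proxy first and call `check_delivery(lambda _: 8887, listen_port=8888)`; a result of `(True, False)` matches the behaviour reported there.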


Eriner commented Jul 23, 2020

@Syndlex Let me know if you're able to get this to work or find a good alternative!

Eriner removed the good first issue label Jul 23, 2020
Eriner changed the title from "TCP Raw Mode" to "Mitmproxy TCP Interception" Jul 23, 2020