IP forwarding with pfctl on Mac OS is not taking effect, does anyone know why?

    a719114136 · 2020-02-11 16:43:34 +08:00 · 2685 views

    I want to forward requests sent to 192.168.1.8:80 to 192.168.1.10:8000.

    I added the following rules to /etc/pf.conf:

    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    rdr pass on lo0 inet proto tcp from any to 192.168.1.8 port 80 -> 192.168.1.10 port 8000
    rdr pass on en0 inet proto tcp from any to 192.168.1.8 port 80 -> 192.168.1.10 port 8000
    rdr-anchor "debookee"
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    anchor "debookee"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
    

    Then I started it:

    sudo sysctl -w net.inet.ip.forwarding=1
    sudo pfctl -ef /etc/pf.conf  
    

    But nothing gets forwarded. Am I using it wrong?

    5 replies · last reply 2022-10-17 22:08:31 +08:00
    1  henryshen233 · 2020-02-11 17:21:47 +08:00
    Is the address of the en0 interface 192.168.1.8? And if it is, how could lo0 also be 192.168.1.8?
    2  shadowsockss · 2020-02-27 11:49:08 +08:00
    rdr on lo0 inet proto tcp from any to 192.168.1.8 port 80 -> 192.168.1.10 port 8000
    pass out on en0 route-to lo0 inet proto tcp from any to 192.168.1.8 port 80
    3  shadowsockss · 2020-02-27 12:01:05 +08:00
    The rules above are wrong...
    4  shadowsockss · 2020-02-27 12:06:29 +08:00
    rdr on lo0 inet proto tcp from any to 172.217.3.110 port {80, 443} -> 127.0.0.1 port 7892
    pass out on en0 route-to lo0 inet proto tcp from any to 172.217.3.110 port {80, 443}

    These rules do the following:
    when this machine itself accesses 172.217.3.110 on ports 80 and 443, the connection is redirected to local port 7892.
    Work out how to map that onto your case yourself.
    5  yuange1975 · 2022-10-17 22:08:31 +08:00
    # Work-around to redirect traffic originating from the machine itself

    Follow steps 1, 2 as above, but in step 2 change the contents of the file pf.conf to

    #The ports to redirect to proxy
    redir_ports = "{http, https}"

    #The address the transparent proxy is listening on
    tproxy = "127.0.0.1 port 8080"

    #The user the transparent proxy is running as
    tproxy_user = "nobody"

    #The users whose connection must be redirected.
    #
    #This cannot involve the user which runs the
    #transparent proxy as that would cause an infinite loop.
    #

    rdr pass proto tcp from any to any port $redir_ports -> $tproxy
    pass out route-to (lo0 127.0.0.1) proto tcp from any to any port $redir_ports user { != $tproxy_user }

    Follow steps 3-5 above. This will redirect the packets from all users other than nobody on the machine to mitmproxy. To avoid circularity, run mitmproxy as the user nobody. Hence step 6 should look like:

    sudo -u nobody mitmproxy --mode transparent --showhost
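Putting replies 2, 4 and 5 together for the original poster's addresses, here is an added example (not code from the thread) that generates a complete pf.conf covering both connections the Mac makes itself (the route-to lo0 detour) and connections from other LAN hosts arriving on en0, and then shows the pfctl commands that confirm whether the rules were installed and whether any packet was actually translated. It assumes this Mac's en0 address is 192.168.1.8 and that the real service listens on 192.168.1.10:8000; the file path /tmp/pf-redirect.conf is just a scratch location.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes this Mac's en0 address is
# 192.168.1.8 (the address to intercept) and that the real service
# listens on 192.168.1.10:8000.
VIP="192.168.1.8"; BACKEND="192.168.1.10"; BACKEND_PORT="8000"

# Print a complete pf.conf in the order macOS requires: translation rules,
# then anchors, then filter rules, keeping Apple's own anchors in place.
pf_conf() {
  cat <<EOF
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
# Connections this Mac makes itself do not enter en0 inbound, so the rdr
# must sit on lo0; the route-to filter rule below makes them traverse lo0.
rdr pass on lo0 inet proto tcp from any to $VIP port 80 -> $BACKEND port $BACKEND_PORT
# Connections from other LAN hosts arrive on en0 (needs net.inet.ip.forwarding=1).
rdr pass on en0 inet proto tcp from any to $VIP port 80 -> $BACKEND port $BACKEND_PORT
# Reflection fix: without this the backend answers the LAN client directly
# from 192.168.1.10 and the client resets the connection. Source-NAT to en0.
nat on en0 inet proto tcp from any to $BACKEND port $BACKEND_PORT -> (en0)
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
# Filter rule: push the Mac's own outbound packets through lo0 so the lo0 rdr applies.
pass out on en0 route-to (lo0 127.0.0.1) inet proto tcp from any to $VIP port 80
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
EOF
}

# Number of translation (rdr/nat) rules the generated config carries.
count_translation_rules() { pf_conf | grep -c -E '^(rdr|nat) '; }

# Load the rules with a syntax check first, then show what pf really installed.
apply_and_verify() {
  pf_conf > /tmp/pf-redirect.conf
  sudo pfctl -nf /tmp/pf-redirect.conf || return 1     # parse only; errors come with line numbers
  sudo sysctl -w net.inet.ip.forwarding=1               # needed for the en0 (forwarded) case only
  sudo pfctl -ef /tmp/pf-redirect.conf
  sudo pfctl -s nat                                     # the rdr/nat rules pf actually holds
  sudo pfctl -s rules                                   # the route-to filter rule
  sudo pfctl -s state | grep "$BACKEND:$BACKEND_PORT"   # a state here proves a packet was translated
}

if [ "${1:-}" = "apply" ]; then apply_and_verify; fi
```

Run it as `sh pf-redirect.sh apply` on the Mac; if `pfctl -s state` never shows the backend address after a test connection, the packets are not reaching the rdr rule at all, which is the first thing to settle before touching the filter rules.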