Using PacketFilter to transparently proxy packets

Published 2019-03-14 19:49

Question:

There is a cool utility out there called sshuttle. It has depended on ipfw to forward packets in the past. It appears that ipfw is mostly broken in Mavericks and the advice is to use PacketFilter for this now.

I've spent most of the day looking at PacketFilter and it appears ipfw has a feature that PacketFilter does not support (hope I'm wrong about this).

The following rule:

ipfw -q add 12300 fwd 127.0.0.1,12300 tcp from any to any not ipttl 42 keep-state setup

will forward all traffic to 127.0.0.1 (localhost) port 12300. It does not, however, change the destination IP or port in the TCP packet. This is important to sshuttle as it uses the information about the original destination to forward the packet on to another network.

The closest rule I can find in the PacketFilter world is:

rdr pass proto tcp from any to any -> 127.0.0.1 port 12300

This rule does send the traffic to 127.0.0.1 (localhost) port 12300 but it also rewrites the destination address to be 127.0.0.1.

Any ideas on how to get the behavior sshuttle needs in OS X?
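The point of the question is that a transparent proxy needs the destination the client originally dialled, and a plain `rdr` to 127.0.0.1 discards it from the packet. Below is an added example, not code from the question or from sshuttle, showing the shape of the lookup a proxy has to do after the redirect: on Linux the kernel keeps the pre-redirect destination and hands it back through the `SO_ORIGINAL_DST` socket option (value 80, level `IPPROTO_IP`) as a 16-byte `sockaddr_in`; on pf systems the equivalent is an ioctl lookup against `/dev/pf` (DIOCNATLOOK), which is not shown here. The parsing and the loop check are the portable parts and are what the test exercises; `choose_upstream`, the listener address and the sample bytes are assumptions constructed for this example. The loop check mirrors the role of `not ipttl 42` in the ipfw rule: a proxy's own outbound connections must not be captured again by the redirect.

```python
import socket
import struct

# Linux netfilter socket option that returns the destination a connection had
# before an iptables REDIRECT/DNAT rewrote it (assumption: value 80, level IPPROTO_IP).
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(raw: bytes) -> tuple:
    """Decode a 16-byte IPv4 sockaddr_in into (dotted address, port)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    # bytes 0-1: address family in host order, 2-3: port in network order,
    # 4-7: IPv4 address, 8-15: zero padding
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    port, addr = struct.unpack("!H4s", raw[2:8])
    return socket.inet_ntoa(addr), port


def build_sockaddr_in(addr: str, port: int) -> bytes:
    """Constructed sample input: what the kernel hands back for a redirected flow."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(addr)
            + bytes(8))


def original_destination(conn: socket.socket) -> tuple:
    """Ask the kernel for the pre-redirect destination of an accepted connection (Linux)."""
    raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)


def choose_upstream(original: tuple, listener=("127.0.0.1", 12300)) -> tuple:
    """Decide where the proxy forwards a flow.

    If the recovered destination is the proxy's own listener, the original
    destination has been lost (or the proxy has captured its own traffic), and
    forwarding would loop back into the proxy; refuse rather than connect.
    """
    if original == listener:
        raise RuntimeError("original destination not preserved; refusing to loop")
    return original


if __name__ == "__main__":
    sample = build_sockaddr_in("198.51.100.7", 443)   # constructed, TEST-NET-2 address
    dest = parse_sockaddr_in(sample)
    print("original destination:", dest, "-> forward to", choose_upstream(dest))
```

A transparent proxy would call `original_destination(conn)` right after `accept()` and hand the result to `choose_upstream` before opening the upstream connection; the two helpers above are the pieces that stay the same whichever kernel mechanism supplies the bytes.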