Transparently proxify virtual machines

This walkthrough illustrates how to set up transparent proxying with mitmproxy. We use VirtualBox VMs with an Ubuntu proxy machine in this example, but the general Internet <–> Proxy VM <–> (Virtual) Internal Network setup can be applied to other setups.

1. Configure Proxy VM

On the proxy machine, eth0 is connected to the internet. eth1 is connected to the internal network that will be proxified and configured to use a static ip (

VirtualBox configuration

VM Network Configuration


2. Configure DHCP and DNS

We use dnsmasq to provide DHCP and DNS in our internal network. Dnsmasq is a lightweight server designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale network.

  • Before we get to that, we need to fix some Ubuntu quirks: Ubuntu >12.04 runs an internal dnsmasq instance (listening on loopback only) by default [1]. For our use case, this needs to be disabled by changing dns=dnsmasq to #dns=dnsmasq in /etc/NetworkManager/NetworkManager.conf and running

    >>> sudo restart network-manager


  • Now, dnsmasq can be installed and configured:

    >>> sudo apt-get install dnsmasq

    Replace /etc/dnsmasq.conf with the following configuration:

    # Listen for DNS requests on the internal network
    # Act as a DHCP server, assign IP addresses to clients
    # Broadcast gateway and dns server information

    Apply changes:

    >>> sudo service dnsmasq restart

    Your proxied machine in the internal virtual network should now receive an IP address via DHCP.


3. Redirect traffic to mitmproxy

To redirect traffic to mitmproxy, we need to add two iptables rules:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 8080

4. Run mitmproxy

Finally, we can run mitmproxy in transparent mode with

>>> mitmproxy -T

The proxied machine cannot leak any data outside of HTTP or DNS requests. If required, you can now install the mitmproxy certificates on the proxied machine.
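
To check that the proxy VM really matches steps 3 and 4, the following script audits a saved NAT ruleset for the two redirect rules. It is an added example, not part of the original walkthrough or of mitmproxy. The function names and sample rulesets are constructed, and the IP-forwarding check is an assumption about why the isolation statement holds (the walkthrough never enables forwarding).

```shell
#!/bin/sh
# Added example; function names and sample rulesets are constructed.

# redirect_target IFACE PORT
# Reads `iptables-save -t nat` text on stdin and prints the --to-ports value
# of the PREROUTING REDIRECT rule for tcp PORT arriving on IFACE (if any).
redirect_target() {
    awk -v ifc="$1" -v port="$2" '
        $1 == "-A" && $2 == "PREROUTING" {
            i = p = d = j = t = ""
            for (n = 3; n < NF; n++) {
                if ($n == "-i") i = $(n + 1)
                if ($n == "-p") p = $(n + 1)
                if ($n == "--dport") d = $(n + 1)
                if ($n == "-j") j = $(n + 1)
                if ($n == "--to-ports") t = $(n + 1)
            }
            if (i == ifc && p == "tcp" && d == port && j == "REDIRECT") { print t; exit }
        }'
}

# audit_nat IFACE PROXY_PORT IP_FORWARD
# Ruleset on stdin. Prints one finding per line, returns 0 only if none.
audit_nat() {
    rules=$(cat); findings=""
    for port in 80 443; do
        got=$(printf '%s\n' "$rules" | redirect_target "$1" "$port")
        [ "$got" = "$2" ] || findings="${findings}tcp/$port on $1 is not redirected to port $2
"
    done
    # Assumption: isolation relies on the kernel not routing other traffic.
    [ "$3" = "0" ] || findings="${findings}ip_forward=$3, non-redirected traffic can be routed onward
"
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed samples in iptables-save format: one matching the walkthrough,
# one where the 443 rule was attached to the wrong interface.
SAMPLE_OK='*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
COMMIT'
SAMPLE_BAD='*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
COMMIT'

printf '%s\n' "$SAMPLE_OK" | audit_nat eth1 8080 0 && echo "sample OK: no findings"
printf '%s\n' "$SAMPLE_BAD" | audit_nat eth1 8080 1 || echo "sample BAD: findings above"
```

On the proxy VM itself, feed it the live state with `sudo iptables-save -t nat | audit_nat eth1 8080 "$(cat /proc/sys/net/ipv4/ip_forward)"`.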