Redirect OSX internet sharing traffic

To eavesdrop on internet sharing traffic you can use pf, the packet filter (firewall) that ships with macOS. But hold on, why would you need to listen to the traffic of a wi-fi device in the first place? I usually develop for wi-fi enabled devices, and knowing exactly which HTTP requests they issue becomes important when debugging an application. Instead of connecting these devices directly to the main network, I share my wired connection over wi-fi with OSX's internet sharing feature and connect the third party device to that network instead. So far so good. But now we have to intercept the requests as they pass through our computer somehow. This is where pf enters the picture.

First we create a file for the pf rules, since pf is easier to work with when the rules live in a file rather than on the command line. In proxy.pf.conf:

rdr on bridge100 proto tcp from any to any port 80 -> 127.0.0.1 port 8888
rdr on bridge100 proto tcp from any to any port 443 -> 127.0.0.1 port 8888

These rules state that any TCP connection arriving on the bridge100 interface (the interface macOS assigns to internet sharing) and destined for port 80 or 443 will be redirected (rdr) to port 8888 on the machine itself (127.0.0.1). Only the destination address and port of the packets are rewritten; nothing else about the connection changes.

Then we load the ruleset we have just written into the anchor named com.apple.internet-sharing with -f, and enable pf with -e (if pf is already running, pfctl simply reports that it is already enabled and leaves it alone):

sudo pfctl -a com.apple.internet-sharing -f ./proxy.pf.conf
sudo pfctl -a com.apple.internet-sharing -e

Done! If you have a proxy listening on port 8888 on your machine, you should now see the devices' requests. Two caveats. Because pf only rewrites the destination, the proxy receives ordinary connections rather than proxy-style requests (there is no CONNECT or absolute-URI request line), so it has to support a transparent mode and recover the original host from the HTTP Host header or, for TLS, the SNI. And if you want to intercept HTTPS traffic (port 443), the proxy has to terminate TLS itself, which means the device must trust the proxy's CA certificate: install it on the device, and the device will accept the certificates your proxy generates per host, while the proxy opens its own secure connection to the real target host. Apps that pin their server certificate will still refuse the connection.
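The whole procedure above (write the rdr rules, syntax-check them, load them into the anchor, enable pf and confirm what pf actually holds) as a small script. This is an added example, not code from the original post: the function names, the "apply" argument, the script file name redirect.sh and the defaults (bridge100, proxy port 8888, ports 80 and 443) are my own choices; the pfctl flags -n (parse only), -f, -e and -s are standard pfctl options. It generalises the post slightly by taking the interface, proxy port and list of ports as parameters.

```shell
#!/bin/sh
# Added example (not from the original post): generate, check, load and verify
# pf redirect rules for OSX internet sharing. The load and verify steps need
# root and macOS pfctl; gen_rules and count_rdr are pure text and run anywhere.

ANCHOR="com.apple.internet-sharing"

# gen_rules IFACE PROXY_PORT PORT... : print one rdr rule per destination port,
# in the same form as the proxy.pf.conf rules in the post.
gen_rules() {
    iface="$1"; proxy_port="$2"; shift 2
    for port in "$@"; do
        printf 'rdr on %s proto tcp from any to any port %s -> 127.0.0.1 port %s\n' \
            "$iface" "$port" "$proxy_port"
    done
}

# count_rdr FILE: number of rdr rules in a ruleset file (what we expect pf to hold).
count_rdr() {
    grep -c '^rdr ' "$1"
}

# load_rules FILE: parse the ruleset without loading it (-n) so a typo is caught
# before touching the live anchor, then load it and make sure pf is enabled.
# pf is enabled separately because "pfctl -e" exits non-zero if pf is already on.
load_rules() {
    file="$1"
    pfctl -a "$ANCHOR" -n -f "$file" || return 1   # syntax check only
    pfctl -a "$ANCHOR" -f "$file" || return 1      # load into the anchor
    pfctl -s info | grep -q '^Status: Enabled' || pfctl -e
}

# verify_loaded EXPECTED: ask pf for the nat/rdr rules in the anchor and compare
# the count with what we loaded. Returns non-zero if they differ.
verify_loaded() {
    loaded=$(pfctl -a "$ANCHOR" -s nat | grep -c '^rdr ')
    [ "$loaded" -eq "$1" ]
}

# Only act when called as: sudo sh redirect.sh apply [path/to/proxy.pf.conf]
if [ "${1:-}" = "apply" ]; then
    conf="${2:-./proxy.pf.conf}"
    gen_rules bridge100 8888 80 443 > "$conf"
    if load_rules "$conf" && verify_loaded "$(count_rdr "$conf")"; then
        echo "redirect rules active in anchor $ANCHOR (see: pfctl -a $ANCHOR -s nat)"
    else
        echo "loading failed; inspect with: pfctl -a $ANCHOR -s nat" >&2
        exit 1
    fi
fi
```

Run it as root (sudo sh redirect.sh apply) after Internet Sharing is on, so that bridge100 exists. The -n dry run is the step worth keeping even if you type the commands by hand: a rule that fails to parse leaves the anchor in whatever state it was in before, which is easy to miss without the verify step.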

To have this set up automatically on startup, you can register the command as a launchd daemon.

To do this, save the following XML as /Library/LaunchDaemons/com.example.proxy.plist (a system-wide daemon, so it runs as root, which pfctl requires), with the correct path to the proxy.pf.conf file from above and whatever label you want (here com.example.proxy). launchd only accepts files in that directory that are owned by root and not writable by group or others, so chown root:wheel and chmod 644 the file before loading it with launchctl.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.example.proxy</string>
	<!-- Absolute path: launchd does not inherit your shell's PATH.
	     Same invocation as the manual steps: load the rules into the anchor,
	     then enable pf. If pf is already enabled the rules are still loaded,
	     pfctl merely exits non-zero after reporting "pf already enabled". -->
	<key>ProgramArguments</key>
	<array>
		<string>/sbin/pfctl</string>
		<string>-a</string>
		<string>com.apple.internet-sharing</string>
		<string>-f</string>
		<string>/path/to/proxy.pf.conf</string>
		<string>-e</string>
	</array>
	<!-- Run the job once when launchd loads it, i.e. at boot. -->
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>

After the next reboot the rules are loaded at startup and internet sharing traffic is redirected to the proxy on port 8888 as before, without running the pfctl commands by hand.