Local transparent man-in-the-middle proxy setup
#!/usr/bin/env bash
# -*- indent-tabs-mode: nil; tab-width: 4 -*-
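# Command run as the unprivileged proxy user once the redirect rules are in
# place. Defaults to interactive mitmproxy in transparent mode; block_global is
# disabled because locally generated connections can carry this host's own
# (possibly public) address, which mitmproxy would otherwise refuse.
# ($* is what the original ${@:-...} assignment produced: a single joined string.)
command=${*:-"mitmproxy --mode transparent --showhost --set block_global=false"}

# One-time setup, keyed on the symlink update-ca-certificates creates.
if [ ! -f "/etc/ssl/certs/mitmproxyuser.pem" ]; then
    sudo apt --yes install inotify-tools mitmproxy nftables
    # Dedicated account: its own sockets are exempted from the redirect rules,
    # which is what keeps the proxy from looping onto itself.
    sudo useradd --create-home mitmproxyuser
    ca_dir=/home/mitmproxyuser/.mitmproxy
    ca_cert="$ca_dir/mitmproxy-ca-cert.pem"

    # Let mitmproxy generate its CA on first start, then stop it. grep returns
    # as soon as inotifywait reports the cert file completely written
    # (close_write). NOTE(review): the watch is armed asynchronously, so a write
    # landing before it is in place would never be reported; mitmdump's startup
    # time makes that unlikely but not impossible. (--include needs inotifywait 3.20.1)
    grep --max-count 1 "mitmproxy-ca-cert.pem" < <( \
        sudo inotifywait -mrq -e close_write --format "%f" \
        /home/mitmproxyuser) & grep_pid=$!
    sudo -u mitmproxyuser mitmdump --no-server & mitmdump_pid=$!
    wait "$grep_pid"
    # Stop mitmdump whether or not the watch fired; otherwise a failed watch
    # leaves it running in the background. $! is the sudo PID; sudo relays
    # SIGINT to mitmdump.
    sudo kill -INT "$mitmdump_pid"
    wait "$mitmdump_pid" 2>/dev/null

    # Fail loudly instead of continuing into openssl with a missing input.
    if ! sudo test -f "$ca_cert"; then
        echo "mitmproxy did not produce $ca_cert" >&2
        exit 1
    fi

    # SECURITY: the CA private key (mitmproxy-ca.pem in $ca_dir) can mint a
    # certificate for any hostname this machine will accept once the CA is
    # trusted system-wide below. Keep the key directory private to the proxy user.
    sudo chmod 700 "$ca_dir"

    # Install the CA into the system trust store. mkdir -p and the grep guard
    # make a re-run after a partial failure safe (no mkdir error, no duplicate
    # conf entry). This trust persists after the script exits; cleanup() does
    # not undo it. To remove: delete the extra/mitmproxyuser.crt line and file,
    # then run `update-ca-certificates --fresh`.
    sudo mkdir -p /usr/share/ca-certificates/extra/
    sudo openssl x509 -in "$ca_cert" \
        -inform PEM -out /usr/share/ca-certificates/extra/mitmproxyuser.crt
    grep -qx "extra/mitmproxyuser.crt" /etc/ca-certificates.conf ||
        sudo sh -c 'echo "extra/mitmproxyuser.crt" >> /etc/ca-certificates.conf'
    sudo update-ca-certificates
    sudo systemctl enable --now nftables.service
fi

# Remember the current values so cleanup() can restore them on exit.
prior_sysctl_values=$(/sbin/sysctl \
    net.ipv4.ip_forward \
    net.ipv6.conf.all.forwarding \
    net.ipv4.conf.all.send_redirects)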
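# Tear down the redirect rules and restore the forwarding sysctls. Runs on
# every exit path via the EXIT trap (including Ctrl-C out of mitmproxy), so the
# host is not left silently steering its own HTTP(S) into a dead proxy port.
# Does NOT remove the mitmproxy CA from the system trust store.
cleanup () {
    local rc=$?  # make the status the script was exiting with explicit
    # Delete only what exists; a failure before the tables were created would
    # otherwise just produce noise here.
    sudo nft list table ip mitm_ipv4 >/dev/null 2>&1 && sudo nft delete table ip mitm_ipv4
    sudo nft list table ip6 mitm_ipv6 >/dev/null 2>&1 && sudo nft delete table ip6 mitm_ipv6
    # sysctl --load accepts the "key = value" lines sysctl printed earlier.
    printf '%s\n' "$prior_sysctl_values" | sudo sysctl -qw --load -
    exit "$rc"
}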
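trap cleanup EXIT

# Forwarding sysctls as in the mitmproxy transparent-mode setup. NOTE(review):
# the rules below hook only locally generated (output) traffic, so forwarding
# is not obviously required for this local-only setup; while it is enabled the
# host will also route packets for other machines that point at it.
# send_redirects=0 stops the kernel from advertising a "shorter" path via ICMP.
sudo sysctl -qw net.ipv4.ip_forward=1
sudo sysctl -qw net.ipv6.conf.all.forwarding=1
sudo sysctl -qw net.ipv4.conf.all.send_redirects=0

# Redirect every locally originated TCP connection to 80/443 -- from any user,
# root included (apt, curl as root, ...) -- to the proxy on :8080. Sockets owned
# by the proxy user are exempt, which is what avoids a redirect loop.
# Two address-family tables because NAT rules cannot live in an "inet" table:
# https://bugzilla.netfilter.org/show_bug.cgi?id=1173
# NOTE(review): nothing here restricts who can reach tcp/8080, and
# block_global=false lifts mitmproxy's own public-address check, so while the
# script runs the proxy port is presumably reachable from the network; add an
# input filter rule (or a listen_host) on untrusted networks -- verify.
sudo nft -f - <<'EOF'
table ip mitm_ipv4 {
    chain c {
        type nat hook output priority 0;
        skuid != mitmproxyuser tcp dport { http, https } counter redirect to :8080
    }
}
table ip6 mitm_ipv6 {
    chain c {
        type nat hook output priority 0;
        skuid != mitmproxyuser tcp dport { http, https } counter redirect to :8080
    }
}
EOF

# Run the proxy as the unprivileged user. Caller arguments are passed through
# verbatim ("$@") rather than re-splitting a space-joined string, so an
# argument containing whitespace survives; the built-in default is a fixed
# string and is word-split on purpose.
if [ "$#" -gt 0 ]; then
    sudo -u mitmproxyuser "$@"
else
    # shellcheck disable=SC2086 -- intentional word splitting of the default
    sudo -u mitmproxyuser $command
fi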