sslstrip on FreeBSD - Enabling NAT using ipfw

[quakerdoomer]

The below is an attempt to add a NAT to forward packets on port 80 to 10000

sslstrip requires four steps to be performed given in its README but the creator has sadly considered that everybody will be using only Linux, hence the directions.

I would like to run sslstrip under FreeBSD.

The first requirement is to set the machine into forwarding mode:

#sysctl net.inet.ip.forwarding=1

Third step is to run sslstrip with its parameters.

Fourth step is to arpspoof (Can be done using arpspoof (dsniff package), other methods).

The second step was:

"2) Setup iptables to intercept HTTP requests (as root):
           iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <yourListenPort>"

For this, under FreeBSD shoudl the below suffice?

ipfw add 1000 fwd 127.0.0.1,80 tcp from any to me 10000
ipfw add 1000 fwd 192.168.<whatever_my_third_octet>.<whatever_my_fourth_octet>,80 tcp from any to me 10000

I tried it but by ipfw says :

"ipfw: getsockopt(IP_FW_ADD): Protocol not available"

Seems like 'ipf' is running instead. Any inputs?

 

[RusDyr]

ipfw add 1000 fwd 127.0.0.1,80 tcp from any to me 10000

This one would be enough.

"ipfw: getsockopt(IP_FW_ADD): Protocol not available"

Seems like 'ipf' is running instead. Any inputs?

No, it's just a seems you haven't got loaded ipfw module # kldload -v ipfw or/and haven't got a neccesary

options IPFIREWALL_FORWARD

string in your kernel config.

 

[quakerdoomer]

kldload -v ipfw
Loaded ipfw, id=5

It did load. But blocks all. Will figure that out. Also will test sslstrip. Thanks RusDyr.

 

[RusDyr]

Probably I should warning you about default deny policy, sorry.
It can be changed by command:
# sysctl net.inet.ip.fw.default_to_accept=1

 

[quakerdoomer]

Thanks again. sysctl is quite a thing !

 

[RusDyr]

[whisper] There is a "Thanks" button

 

[quakerdoomer]

Oh yes. I just missed it this time. Thanks again.