# sslstrip on FreeBSD - Enabling NAT using ipfw



## quakerdoomer (Jan 9, 2012)

The below is an attempt to add a NAT to forward packets on port 80 to 10000

sslstrip requires four steps to be performed given in its README but the creator has sadly considered that everybody will be using only Linux, hence the directions.

I would like to run sslstrip under FreeBSD. 

The first requirement is to set the machine into forwarding mode:

```
#sysctl net.inet.ip.forwarding=1
```

Third step is to run sslstrip with its parameters.

Fourth step is to arpspoof (Can be done using arpspoof (dsniff package), other methods).

The second step was:


> ```
> "2) Setup iptables to intercept HTTP requests (as root):
> iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <yourListenPort>"
> ```



For this, under FreeBSD should the below suffice?

```
ipfw add 1000 fwd 127.0.0.1,80 tcp from any to me 10000
ipfw add 1000 fwd 192.168.<whatever_my_third_octet>.<whatever_my_fourth_octet>,80 tcp from any to me 10000
```
I tried it but ipfw says:

```
"ipfw: getsockopt(IP_FW_ADD): Protocol not available"
```

Seems like 'ipf' is running instead. Any inputs?


----------



## RusDyr (Jan 13, 2012)

> ipfw add 1000 fwd 127.0.0.1,80 tcp from any to me 10000


This one would be enough.



> ```
> "ipfw: getsockopt(IP_FW_ADD): Protocol not available"
> ```
> Seems like 'ipf' is running instead. Any inputs?


No, it just seems you haven't loaded the ipfw module (`# kldload -v ipfw`) and/or haven't got the necessary

```
options IPFIREWALL_FORWARD
```

string in your kernel config.


----------



## quakerdoomer (Jan 13, 2012)

```
kldload -v ipfw
Loaded ipfw, id=5
```

It did load. But blocks all. Will figure that out. Also will test sslstrip. Thanks RusDyr.


----------



## RusDyr (Jan 16, 2012)

Probably I should have warned you about the default deny policy, sorry.
It can be changed by the command:
`# sysctl net.inet.ip.fw.default_to_accept=1`
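An added example, not code from the thread or from either poster: a small POSIX sh audit helper covering the two points RusDyr raises (whether the ipfw module is actually loaded, which explains the `Protocol not available` error, and what the default policy sysctl is set to), plus a check that lists any `fwd` rules in an `ipfw show`-style listing that touch a given port, so an administrator can spot an unexpected transparent redirect of HTTP on a host. The `kldstat` and `ipfw show` outputs below are constructed samples (the listing assumes two counter columns followed by the rule as typed in the first post), and the function names are my own; on a real FreeBSD host you would feed the functions the output of `kldstat`, `sysctl -n net.inet.ip.fw.default_to_accept` and `ipfw show` instead.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the ipfw state discussed above:
# module loaded, default policy, and fwd rules touching a given port.
# All sample outputs are constructed so the script runs without FreeBSD.

# Constructed kldstat output with the ipfw module loaded (the "Loaded ipfw, id=5" case).
SAMPLE_KLDSTAT_LOADED='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 13e8e60  kernel
 5    1 0xffffffff81a12000 1ad38    ipfw.ko'

# Constructed kldstat output without ipfw (the "Protocol not available" case).
SAMPLE_KLDSTAT_BARE='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 13e8e60  kernel'

# Constructed `ipfw show`-style listing (rule number, packets, bytes, rule body)
# containing the fwd rule from the first post plus an unrelated forward.
SAMPLE_IPFW_SHOW='00100 0 0 allow ip from any to any via lo0
01000 0 0 fwd 127.0.0.1,80 tcp from any to me 10000
01100 0 0 fwd 10.0.0.5 tcp from any to any dst-port 443
65535 0 0 deny ip from any to any'

# ipfw_loaded KLDSTAT_TEXT -> "yes" if ipfw.ko appears in the module list, else "no".
ipfw_loaded() {
    if printf '%s\n' "$1" | grep -q '[[:space:]]ipfw\.ko$'; then
        echo yes
    else
        echo no
    fi
}

# default_policy SYSCTL_VALUE -> "accept" when net.inet.ip.fw.default_to_accept is 1,
# otherwise "deny" (the default that blocked everything in the thread).
default_policy() {
    case "$1" in
        1) echo accept ;;
        *) echo deny ;;
    esac
}

# fwd_rules_touching_port LISTING_TEXT PORT -> rule numbers of fwd rules that either
# forward to PORT, or match traffic on PORT (bare trailing port or "dst-port PORT").
fwd_rules_touching_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $4 == "fwd" {
            # $5 is the fwd target, written "addr,port" or just "addr"
            n = split($5, target, ",")
            hit = (n > 1 && target[2] == port)
            if ($NF == port) hit = 1
            for (i = 6; i < NF; i++)
                if ($i == "dst-port" && $(i + 1) == port) hit = 1
            if (hit) print $1
        }'
}

# Report on the constructed samples.
printf 'ipfw module loaded (sample with module): %s\n' "$(ipfw_loaded "$SAMPLE_KLDSTAT_LOADED")"
printf 'ipfw module loaded (bare sample): %s\n' "$(ipfw_loaded "$SAMPLE_KLDSTAT_BARE")"
printf 'default policy with sysctl=0: %s\n' "$(default_policy 0)"
printf 'fwd rules touching port 80: %s\n' "$(fwd_rules_touching_port "$SAMPLE_IPFW_SHOW" 80)"
```

Rule 01000 is flagged for port 80 because its forward target is `127.0.0.1,80`, and it would also be flagged for port 10000 because that is the port the rule matches; a host where such a rule shows up unexpectedly deserves a closer look.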


----------



## quakerdoomer (Jan 18, 2012)

Thanks again. sysctl is quite a thing!


----------



## RusDyr (Jan 18, 2012)

[whisper] There is a "Thanks" button


----------



## quakerdoomer (Jan 19, 2012)

Oh yes. I just missed it this time. Thanks again.


----------

