I am trying to run Mitmdump and the Sslstrip2 together but they are not working together.
Whereas they're both need to listen port 80, I forwarded both applications to unic ports, like following ;
For SSLStrip preperation-->
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9090
For Mitmdump preperation -->
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
--Then I activated both of those applications ;
#Arp poisoning is active in this proccess.
1-) python sslstrip.py -l 9090 #Set this up to 9090, because following mitmdump listeneris default of 8080.
2-) ./mitmdump --mode transparent --modify-body :~s:"":"alert("hi");"
Problem is, they work seperately, but while co-execution just one of them working.
I need to be able to use mitmdump while hsts, https is hijacked successfully.
Related
I am trying to receive data on port 443 and forward that to my coturn server listening to port 5349.
I want this set up so that my webRTC app can connect over 443 but without my coturn server having root access(for privilege port 443).
In my /etc/ufw/before.rules I have below entries
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5349
COMMIT
When I test my turn setup at https://test.webrtc.org/ using 443 port I get:
Udp disabled
Relay connectivity timed out
Reflexive connectivity timed out
But using using port 5349 it seems to work.
I have all needed ports open in ufw. I tried with ufw disabled too.
Do I need to add any other changes for port forwarding like adding entry OUTPUT(which I don't know how to add, though).
Do I need to add the rule entry for IPv6 too (/etc/ufw/before6.rules)?
I added these to the before.rules file
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5349
-A PREROUTING -p udp --dport 443 -j REDIRECT --to-port 5349
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 5349
-A OUTPUT -o lo -p udp --dport 443 -j REDIRECT --to-port 5349
COMMIT
I am not sure if it is ok. But at the moment this seems to work. I am still open for suggestion. Please give me suggestions to improve what I have done so far
I need to set up access to the HTTP(S) servers on devices like KVMs and PDUs on a private network (192.168.0.0/24). I must get through an isolated network (10.0.0.0/8) limited to ports 22 and 443. I have a dual-NIC Linux server inside the network that serves as a gateway to the private network. See diagram Here:
Network Diagram
I need to use a forward SSH tunnel to get to the Linux gateway, then use iptables NAT to route HTTP(s) traffic to the web frontends on the devices.
I've observed with both tcpdump and iptables trace that the inbound HTTP(s) request through the SSH tunnel shows up on interface lo , not eth1 as one might expect.
This has led me to come up with the following nat and filter rules:
*nat
-A PREROUTING -i lo -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.100:80
-A PREROUTING -i lo -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.0.101:443
-A POSTROUTING -d 10.0.0.0/8 -o lo -j SNAT --to-source <10.gateway_IP>
COMMIT
*filter
:INPUT ACCEPT [37234:5557621]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26648:27864039]
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
So, when I set up the tunnel with:
ssh -L 8080:<gateway>:8080 <user>:#<gateway>
Then making sure on the gateway:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
and then execute http://localhost:8080,
The packets make it out of the tunnel onto the gateway, out of interface lo, but iptables doesn't seem to forward it to the destination in the PREROUTING rule. stderr from the tunnel returns "Connection refused."
What am I missing?
Host A has https service serviceA and provides two IP for high availability。
e.g. Bose [ip1:443] and [ip2:443] are routed to the serviceA.
Host B (do not has ssl_certificate and ssl_certificate_key) use Nginx proxy module to proxies the requests towards the actual serviceA.
How to simply forward 443 port traffic to serviceA without ssl verification?
Here is my config:
http {
upstream backend {
server [ip1]:443;
server [ip2]:443;
}
server {
listen 443;
listen [::]:443;
location / {
proxy_pass https://backend;
}
}
}
There're two theoretically possible ways to solve your issue:
Nginx with ngx_stream_ssl_preread module
HAproxy (for balancing) -> proxy_protocol -> Nginx (with ssl certs)
Try:
ip6tables -t nat -A PREROUTING -d 2002:xxxx:9a21::1/128 -i sit6to4vip -p tcp --dport 443 -m statistic --mode random --probability .5 -j DNAT --to-destination 2002:xxxx:f6ea::1
ip6tables -t nat -A PREROUTING -d 2002:xxxx:9a21::1/128 -i sit6to4vip -p tcp --dport 443 -m statistic --mode random --probability .5 -j DNAT --to-destination 2002:xxxx:f6e9::1
ip6tables -t nat -A POSTROUTING -d 2002:xxxx:f6ea::1/128 -o sit6to4vip -p tcp --dport 443 -j SNAT --to-source 2002:xxxx:9a21::1
ip6tables -t nat -A POSTROUTING -d 2002:xxxx:f6e9::1/128 -o sit6to4vip -p tcp --dport 443 -j SNAT --to-source 2002:xxxx:9a21::1
It does't work
I can set iptables rules to prevent external connection. But can we use iptables to prevent internal connection? For example, I have set iptables to prevent port 5555 port on my machine, but my local APP can still connect with 5555 when running on my machine.
Yes you can block it using iptables.
iptables -A INPUT -d 127.0.0.1 -p tcp --dport 5555 -j DROP
With this command you'll not be able to connect from your own host to your own service. Then you can remove the rule using the opposite to -A append which is -D delete:
iptables -D INPUT -d 127.0.0.1 -p tcp --dport 5555 -j DROP
Hope it helps.
Depends upon how you are blocking the port 5555, if you have a specific INPUT rule with interface and source and/or destination addresses it would match only those. In your case, you could modify your rule to just match tcp destination port 5555 and it will block all packets to tcp destination port 5555. for eg:
iptables -t filter -I INPUT -p tcp --dport 5555 -j DROP
If you just want to block your internal apps and not touch your existing iptables rule then use the incoming interface as lo for eg:
iptables -t filter -I INPUT -i lo -p tcp --dport 5555 -j DROP
Note: If you are using destination ip then use the entire loopback address range rather than just 127.0.0.1 for eg:
iptables -t filter -I INPUT -d 127.0.0.0/8 -p tcp --dport 5555 -j DROP
Before you do any changes you can instead of -j DROP action use -j LOG action to log and confirm the tcp connections this rule will match. You could also skip the action part without specifying the -j option and check how many packets would match your rule with iptables -t filter -L -n -v without causing any harm.
I have an apache webservice running on port 8080 but would like to be able to connect on port 80. However, my unix sysadmin does not allow apache to be started as root nor does she provide access to sudo.
However, she will execute commands on request.
I believe this can be achieved with iptables. Is there a way to map port 80 to 8080 and 443 to 8083 without this sysadmin having to edit any files.
i.e. just using echo with appender >>.
She can do this by running :
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8083
This will make redirection active immediately, but doesn't save it and thus it will not work anymore after a reboot.
It is possible to do this without editing any file at all by using iptables-save. But it depends which linux flavor you're running, and if you use ferm, ufw, or some other firewall management tools.
On RedHat/CentOS, she could just do :
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8083
iptables-save > /etc/sysconfig/iptables
On other OSes variants, YMMV !