Dynamic two way NAT?



  • Hey,

    we would like analyze the networking behaviour of some malware within a self created sandbox. We want to forward any outgoing connection of the sandbox to a analyzing system. For this use case i have created a NAT rule which forward any tcp/udp request to one specific destination:

    Systems in the environment are:
    pfSense => 192.168.0.1
    Sandbox => 192.168.1.1
    Analyzing System => 192.168.2.1

    This works so far. Any connection attempt from the sandbox (192.168.1.1) reaches the analyzing system (192.168.2.1). Thats fine…

    Now we would like to fake some services on the analyzing system to get even more information about networking behaviour. That does not work because the SRC IP of the response is 192.168.2.1 instead the ip which was initially requested. We don't know which IP and port is going to be requested by the malware.

    Do you have any idea how to solve the problem?

    Thank you
    Andreas



  • Any alternatives are welcome ;)



  • problem "solved". I have changed the default gateway on the sandbox to the ip of our analyzing system and added the following iptables rule:

    iptables -t nat -A PREROUTING -s sandbox_ip ! -d analyzing_ip -p tcp -m tcp –dport specific_port -j DNAT --to-destination analyzing_ip