Netgate Discussion Forum

    Dynamic two way NAT?

      andreas_at_work

      Hey,

      We would like to analyze the networking behaviour of some malware within a self-created sandbox. We want to forward any outgoing connection of the sandbox to an analyzing system. For this use case I have created a NAT rule which forwards any TCP/UDP request to one specific destination:

      Systems in the environment are:
      pfSense => 192.168.0.1
      Sandbox => 192.168.1.1
      Analyzing System => 192.168.2.1

      This works so far. Any connection attempt from the sandbox (192.168.1.1) reaches the analyzing system (192.168.2.1). That's fine…

      Now we would like to fake some services on the analyzing system to get even more information about networking behaviour. That does not work because the SRC IP of the response is 192.168.2.1 instead of the IP which was initially requested. We don't know which IP and port is going to be requested by the malware.

      Do you have any idea how to solve the problem?

      Thank you
      Andreas

        andreas_at_work

        Any alternatives are welcome ;)

          andreas_at_work

          Problem "solved". I have changed the default gateway on the sandbox to the IP of our analyzing system and added the following iptables rule:

          iptables -t nat -A PREROUTING -s sandbox_ip ! -d analyzing_ip -p tcp -m tcp --dport specific_port -j DNAT --to-destination analyzing_ip

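Added example, not part of andreas_at_work's posts: once a DNAT rule like the one above terminates the sandbox's connections on the analyzing system, a fake service there can ask Linux conntrack which IP and port the client originally requested, using the `SO_ORIGINAL_DST` socket option. The listener address, port 8080 and the function names are assumptions for illustration; it covers IPv4 TCP only.

```python
import socket
import struct

SO_ORIGINAL_DST = 80  # from <linux/netfilter_ipv4.h>; not exported by the socket module


def parse_sockaddr_in(raw: bytes) -> tuple:
    """Decode struct sockaddr_in: family (host order), port and IPv4 address (network order)."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port = struct.unpack_from("!H", raw, 2)[0]
    return socket.inet_ntoa(raw[4:8]), port


def original_dst(conn: socket.socket):
    """Return (ip, port) the client originally dialled, or None if conntrack has no entry."""
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None  # connection was not tracked, or nf_conntrack is not loaded
    return parse_sockaddr_in(raw)


def describe(peer, orig) -> str:
    """Build one log line per redirected connection."""
    src = f"{peer[0]}:{peer[1]}"
    return f"{src} -> {orig[0]}:{orig[1]}" if orig else f"{src} -> (no NAT entry)"


def serve(bind_ip: str, port: int) -> None:
    """Accept redirected TCP connections and log where each one was really headed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:
                print(describe(peer, original_dst(conn)))


if __name__ == "__main__":
    # Assumed values: 192.168.2.1 is the analyzing system from the post; 8080 is a placeholder port.
    serve("192.168.2.1", 8080)
```

Because the DNAT happens on the same host that answers, conntrack also rewrites the reply's source address back to the originally requested IP, which is the behaviour the first post was missing.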
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.