The Official Site of David Guest

Rewriting IP addresses for sandboxing

There are plenty of ways to build a sandbox for malware analysis. Say you want to use your own custom set-up, and specifically just want to rewrite the destination address in the IP header so that you can capture the outbound traffic to analyse it, or do ‘things’ to it. Any Linux distribution can do this for you with a single iptables rule:

iptables -t nat -A PREROUTING -i ens33 -j DNAT --to-destination <new ip>

Note that the rule matches every packet entering ens33, whatever its protocol or original destination, so the capture host receives everything the sandbox tries to send. There is one really important consideration here: the traffic must originate on another system. PREROUTING is only traversed by packets that arrive on a network interface; packets generated locally on the rewriting box go through the nat OUTPUT chain instead, so this rule never touches them. My recommendation is that the rewriting box is set up as a router and that the sending system (the sandbox) uses it as its default gateway. Remember to enable IP forwarding (net.ipv4.ip_forward=1) on the router, otherwise the rewritten packets are dropped rather than passed on.
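As an added example (not code from the original post), here is a small POSIX shell script that produces the complete set of commands for that gateway set-up: it validates the target address, enables forwarding, installs the DNAT rule on the ingress interface, and adds the return-path and FORWARD rules the one-liner above leaves out. The interface names ens33/ens34 and the address 10.0.0.5 in the usage line are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the sysctl/iptables commands
# that turn a Linux box into the "rewriting" gateway: every packet the sandbox
# sends into IN_IF is DNAT'd to TARGET_IP, and replies are SNAT'd so the capture
# host answers back through this box. Interface names and addresses are assumptions.

# Validate a dotted-quad IPv4 address (four numeric octets, each 0-255).
# Returns 0 if valid, 1 otherwise.
valid_ipv4() {
    ip=$1
    # reject anything but digits and dots, empty octets, leading/trailing dots
    case $ip in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print the commands for the rewriting gateway.
#   $1 IN_IF     interface the sandbox's traffic arrives on. PREROUTING only
#                sees packets that enter here; traffic generated on this box
#                takes the nat OUTPUT chain and is not rewritten.
#   $2 OUT_IF    interface facing the capture host
#   $3 TARGET_IP address every packet is rewritten to
sandbox_nat_rules() {
    in_if=$1; out_if=$2; target=$3
    valid_ipv4 "$target" || { echo "bad target IP: $target" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $in_if -j DNAT --to-destination $target
iptables -t nat -A POSTROUTING -o $out_if -j MASQUERADE
iptables -A FORWARD -i $in_if -o $out_if -j ACCEPT
iptables -A FORWARD -i $out_if -o $in_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage: sh rewrite.sh ens33 ens34 10.0.0.5 [--apply]
# Without --apply the commands are only printed for review; --apply runs them
# (needs root on the gateway).
if [ $# -ge 3 ]; then
    if [ "${4:-}" = "--apply" ]; then
        sandbox_nat_rules "$1" "$2" "$3" | sh -e
    else
        sandbox_nat_rules "$1" "$2" "$3"
    fi
fi
```

The MASQUERADE rule is there so that the capture host's replies come back through the gateway, where conntrack undoes the DNAT; without it the capture host would answer the sandbox's address directly and the connection would only work if it already routes that subnet via the gateway. If it does, drop the MASQUERADE line and the capture host sees the sandbox's real source address, which is often what you want in a pcap.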

Happy rewriting.
