Re: [qubes-users] IP Redirection to localhost in AppVM

2017-11-10 Thread entr0py
Michael Strasser:
> Hi!
> 
> I have an AppVM (Standalone) in which I would like to redirect all (TCP)
> traffic going to a specific IP address to localhost. I'm using the AppVM
> for Malware Analysis, so I usually have no NetVM connected. I've tried a
> few iptables commands that I found via web search, but none of them did
> the trick.
> 
> Could someone show me how to do this in Qubes 3.2?
> 
> 
> Best regards,
> 
> Michael
> 
> 

IIUC you have malware in AppVM trying to connect to $badIP. You want to capture 
those packets in AppVM on port $monitorPort.

Try:
iptables -t nat -A OUTPUT -d $badIP -p tcp -j REDIRECT --to-port $monitorPort

Add to rc.local if you want it on reboot.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cc4a653c-4f44-fe22-3746-d614f88085a3%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
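
Added example, not part of the original reply: the rule above sends every TCP port on $badIP to the single $monitorPort, so a listener on that port can use the Linux SO_ORIGINAL_DST socket option to recover the address and port the sample actually dialled. The port 8080 and all function names are assumptions made for this sketch.

```python
import socket
import struct

SO_ORIGINAL_DST = 80  # from <linux/netfilter_ipv4.h>; not exported by the socket module


def parse_sockaddr_in(raw):
    """Decode a struct sockaddr_in: 2-byte family, port (network order), IPv4 address."""
    port, addr = struct.unpack_from("!2xH4s", raw)
    return socket.inet_ntoa(addr), port


def original_dst(conn):
    """Return (ip, port) the client dialled before REDIRECT rewrote it, or None."""
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:  # no conntrack entry for this socket, or netfilter unavailable
        return None
    return parse_sockaddr_in(raw)


def serve(monitor_port, max_bytes=4096):
    """Accept redirected connections and log the first bytes of each one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Locally generated packets hit by REDIRECT are mapped to 127.0.0.1.
        srv.bind(("127.0.0.1", monitor_port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(5)
                try:
                    data = conn.recv(max_bytes)
                except socket.timeout:
                    data = b""  # client connected but sent nothing in time
                print(f"{peer} -> {original_dst(conn)} first bytes: {data!r}")


if __name__ == "__main__":
    serve(8080)  # assumed value of $monitorPort
```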


Re: [qubes-users] IP Redirection to localhost in AppVM

2017-11-10 Thread Michael Strasser
Thanks for the quick reply!

And thanks for the heads up, but I know it won't modify it :)


Best regards,

Michael


On 11/10/2017 10:53 PM, David Hobach wrote:
>
>
> On 11/10/2017 10:40 PM, Michael Strasser wrote:
>> Hi!
>>
>> I have an AppVM (Standalone) in which I would like to redirect all (TCP)
>> traffic going to a specific IP address to localhost. I'm using the AppVM
>> for Malware Analysis, so I usually have no NetVM connected. I've tried a
>> few iptables commands that I found via web search, but none of them did
>> the trick.
>>
>> Could someone show me how to do this in Qubes 3.2?
>
> DNAT.
>
> Check iptables -t nat -L -v -n for an example in your sys-firewall VM
> (port 53).
>
> Anyway the malware can modify that - it's the same machine after all.
>




Re: [qubes-users] IP Redirection to localhost in AppVM

2017-11-10 Thread David Hobach



On 11/10/2017 10:40 PM, Michael Strasser wrote:
> Hi!
>
> I have an AppVM (Standalone) in which I would like to redirect all (TCP)
> traffic going to a specific IP address to localhost. I'm using the AppVM
> for Malware Analysis, so I usually have no NetVM connected. I've tried a
> few iptables commands that I found via web search, but none of them did
> the trick.
>
> Could someone show me how to do this in Qubes 3.2?

DNAT.

Check iptables -t nat -L -v -n for an example in your sys-firewall VM
(port 53).

Anyway the malware can modify that - it's the same machine after all.



[qubes-users] IP Redirection to localhost in AppVM

2017-11-10 Thread Michael Strasser
Hi!

I have an AppVM (Standalone) in which I would like to redirect all (TCP)
traffic going to a specific IP address to localhost. I'm using the AppVM
for Malware Analysis, so I usually have no NetVM connected. I've tried a
few iptables commands that I found via web search, but none of them did
the trick.

Could someone show me how to do this in Qubes 3.2?


Best regards,

Michael

