aio-gw
[EXPERIMENTAL]: All-in-one Network Gateway for Malware analysis. currently at Alpha stage.
HELP NEEDED: if you're keen to contribute to aio-gw
, ping me! Lots to be done :)
TODO:
- settings page does not have a way to fetch and save data
- admin page does not have authentication support
- settings enforcement outside the management component is not done
- outbound options as well as option fields in html are not working
requirements
A clean VM with podman
2.0+ installed. Since AIO-GW works with nftables
, any iptables
installation with nat
table configured will conflict, hence docker
is not supported
I tested this with Alpine 3.14 and ran the following commands to get the required packages installed and running:
apk add podman
service podman start
rc-service cgroups start
rc-update add cgroups default
Ideally, the VM needs two network intefaces, one for incoming connections, one for outgoing. aio-gw
will try to set itself up according to current routing table.
enable VM's IP forwarding:
sudo sysctl net.ipv4.ip_forward=1
sudo sysctl net.ipv6.conf.all.forwarding=1
Default containers running
- Elasticsearch: acts as the main storage backend
- Arkime: packet capture indexing tool
- PolarProxy: performs MITM and pushes the intercepted sessions via pcap-over-ip protocol to Arkime
Troubleshoot
- delete
nft
tables:
nft delete table nat
nft delete table ip6 nat
- delete rules:
nft flush ruleset
- list table rules:
nft list table nat
nft list table ip6 nat
nft list ruleset
- adding postrouting masquarade:
nft 'add chain nat postrouting { type nat hook postrouting priority 100 ; }'
nft add rule nat postrouting masquerade
- create table
nft add table nat
nft 'add chain nat prerouting { type nat hook prerouting priority -100 ; }'
- sample forwarding rule
nft 'add rule nat prerouting tcp dport 443 counter dnat :10443'