I expanded on caladona's answer since I could not see response packets. For this example:
- On my local PC I have NICs on different subnets, 192.168.1/24, 192.168.2/24
- There is an external router/PC that has access to both subnets.
- I want to send bi-directional traffic over the NICs on the local PC.
- The configuration requires two unused IP addresses for each subnet.
Local PC iptable routes are set to SNAT and DNAT outgoing traffic to the 'fake' IP.
iptables -t nat -A POSTROUTING -d 192.168.1.100 -s 192.168.2.0/24 -j SNAT --to-source 192.168.2.100
iptables -t nat -A PREROUTING -d 192.168.1.100 -i eth0 -j DNAT --to-destination 192.168.1.1
iptables -t nat -A POSTROUTING -d 192.168.2.100 -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.100
iptables -t nat -A PREROUTING -d 192.168.2.100 -i eth1 -j DNAT --to-destination 192.168.2.1
The rules do the following:
- Rewrite 192.168.2.1 source to 192.168.2.100 on outgoing packets
- Rewrite 192.168.1.100 destination to 192.168.1.1 on incoming packets
- Rewrite 192.168.1.1 source to 192.168.1.100 on outgoing packets
- Rewrite 192.168.2.100 destination to 192.168.2.1 on incoming packets
To summarize, the local system now can talk to a 'virtual' machine with addresses 192.168.1.100 and 192.168.2.100.
Next you have to force your local PC to use the external router to reach your fake IP. You do this by creating a direct route to the IPs via the router. You want to make sure that you force the packets onto the opposite of the destination subnet.
ip route add 192.168.1.100 via $ROUTER_2_SUBNET_IP
ip route add 192.168.2.100 via $ROUTER_1_SUBNET_IP
Finally, to make this all work, the external router needs to know how to reach the faked IPs on your local PC. You can do this by turning on proxy ARP for your system.
echo 1 | sudo tee /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
With this setup, you can now treat the fake IPs as a real system on your local PC. Sending data to .1 subnet will force packets out the .2 interface. Sending data to the .2 subnet will force packets out the .1 interface.
ping 192.168.1.100
ping 192.168.2.100
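To see why the reply packets come back to the right local address, here is a small model of the four NAT rules above plus conntrack's reverse translation, as an added example that is not part of the original answer. It assumes eth0 sits on 192.168.1/24 and eth1 on 192.168.2/24 and traces one request from 192.168.2.1 to the fake 192.168.1.100 and its reply.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    iface: str  # assumption: eth0 sits on 192.168.1/24, eth1 on 192.168.2/24

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

# The four rules from the answer, as (match dst, match src net / in iface, rewrite).
SNAT = [("192.168.1.100", "192.168.2.0/24", "192.168.2.100"),  # POSTROUTING
        ("192.168.2.100", "192.168.1.0/24", "192.168.1.100")]
DNAT = [("192.168.1.100", "eth0", "192.168.1.1"),              # PREROUTING
        ("192.168.2.100", "eth1", "192.168.2.1")]

class Conntrack:
    """The nat table only sees a connection's first packet; conntrack remembers
    each rewrite and applies the reverse mapping to replies without consulting rules."""
    def __init__(self):
        self.reply_map = {}  # (reply src, reply dst) -> (un-NATed src, un-NATed dst)

    def postrouting(self, p):
        for dst, srcnet, newsrc in SNAT:
            if p.dst == dst and in_net(p.src, srcnet):
                self.reply_map[(p.dst, newsrc)] = (p.dst, p.src)
                return replace(p, src=newsrc)
        return p

    def prerouting(self, p):
        for dst, iface, newdst in DNAT:
            if p.dst == dst and p.iface == iface:
                self.reply_map[(newdst, p.src)] = (p.dst, p.src)
                return replace(p, dst=newdst)
        return p

    def reply(self, p):
        src, dst = self.reply_map.get((p.src, p.dst), (p.src, p.dst))
        return replace(p, src=src, dst=dst)

def trace(ct, src, dst, out_iface, in_iface):
    """Local src talks to a fake dst: out one NIC, through the router, back in the other."""
    wire = ct.postrouting(Pkt(src, dst, out_iface))              # leaves with the fake source
    local = ct.prerouting(replace(wire, iface=in_iface))         # re-enters, real local dst
    reply_wire = ct.reply(Pkt(local.dst, local.src, in_iface))   # answer is un-DNATed: fake src
    reply_home = ct.reply(replace(reply_wire, iface=out_iface))  # crosses back, un-SNATed: real dst
    return wire, local, reply_wire, reply_home

if __name__ == "__main__":
    for step in trace(Conntrack(), "192.168.2.1", "192.168.1.100", "eth1", "eth0"):
        print(f"{step.iface}: {step.src} -> {step.dst}")
```

The last step shows the sender at 192.168.2.1 receiving its reply from 192.168.1.100, which is what the ping above relies on.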
PREROUTING isn't used by the loopback interface; you also need to add an OUTPUT rule:
iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8080
iptables -t nat -I OUTPUT -p tcp -o lo --dport 443 -j REDIRECT --to-ports 8080
Best Answer
Burp doesn't look like an IPS designed to handle traffic forwarded directly to it, but you can do a port forward on Windows with the netsh interface portproxy command. See MSDN for details and syntax. Caveat: this will only redirect traffic destined for the IP address of the computer on which you create the forward.
If instead you mean you want to configure the Burp service to be a transparent proxy for the entire network and you are using RRAS as your router, you are out of luck. There is not a built-in capability to do iptables-style routing in RRAS, but there are several third-party solutions available. Markus claims SoftPerfect Bandwidth Manager may fit the bill. The classical forced proxy config for a Windows network is just to use group policy to push the appropriate settings, but that has its obvious limitations.