LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-05-2011, 11:54 AM   #1
SHaDOW_HaXOr
LQ Newbie
 
Registered: Feb 2011
Posts: 3

iptables & NAT problem


Hello all, this is my first question in this forum, and I wish to have a good answer to my problem.

What I am trying to do is to redirect all the traffic which is sourced from
a suspicious IP into a honeypot machine, and this honeyd machine (another computer)
will continue the interaction with the attacker. The attacker thinks that
he/she interacts with the first machine, but actually the honeypot is the one
who interacts with the attacker.

To make this in the real world I decided to use iptables.
I am a new user of this great tool, but I tried to finish my work by
using these commands (I work in Ubuntu 10.10, the latest version):

First I changed the file /etc/sysctl.conf to:

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
#net.ipv4.conf.all.secure_redirects = 1
#
##Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 1
#
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 1
net.ipv6.conf.all.accept_source_route = 1
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

---------------------------------------

This was my sysctl.conf.

Now let me describe the topology of my network:
my gateway is 192.168.0.1
host A - contains iptables with IP 192.168.0.2
host B - contains honeyd with IP 192.168.0.3
host C - the attacker machine with IP 192.168.0.4

I applied this rule to host A:
iptables -t nat -A PREROUTING -p all -i eth0 -s 192.168.0.4 -j DNAT --to-destination 192.168.0.3

I tried to ping host A from host C, which is the attacker PC.
This ICMP packet should be redirected to host B according to the previous rule I applied,
and I am using a sniffer at host B, but no ICMP packet appeared at host B.

Thanks in advance
 
Old 02-05-2011, 12:32 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Both ip_forward and the prerouting table are for routed traffic, but you aren't routing any traffic, as it's all in the same subnet, so nothing you're doing is relevant to your requirements. You need to apply the DNAT to the standard input table instead. You'd also need to NAT the source address too, otherwise you'll be getting asymmetric traffic, and your 'attacker' will get replies from the wrong address.

I hope this is suitable for being deemed a good answer as you requested.
 
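The asymmetric-traffic point in the reply above, as an added illustration that is not part of the thread: a small Python model (not iptables itself) of host A's nat table, using the thread's three addresses and assuming A is actually on the forwarding path between C and B. It shows that DNAT alone delivers the probe to the honeypot but lets the honeypot answer the attacker directly from 192.168.0.3, while adding a POSTROUTING SNAT to A's address makes the reply return through A, where conntrack reverse-translates it so the attacker sees a reply from 192.168.0.2.

```python
from dataclasses import dataclass, replace

# Addresses from the thread's topology
HOST_A = "192.168.0.2"      # runs iptables; assumed to forward C's packets
HONEYPOT_B = "192.168.0.3"  # honeyd host
ATTACKER_C = "192.168.0.4"  # suspicious source

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str

class NatBox:
    """Toy model of host A's nat table: PREROUTING DNAT, an optional
    POSTROUTING SNAT, and a conntrack entry used to reverse-translate replies."""
    def __init__(self, do_snat):
        self.do_snat = do_snat
        self.conntrack = {}  # (reply src, reply dst) -> (orig dst, orig src)

    def forward(self, pkt):
        new_src, new_dst = pkt.src, pkt.dst
        if pkt.src == ATTACKER_C:        # PREROUTING: -s C -j DNAT --to-destination B
            new_dst = HONEYPOT_B
        if self.do_snat and new_dst == HONEYPOT_B:  # POSTROUTING: -j SNAT --to-source A
            new_src = HOST_A
        self.conntrack[(new_dst, new_src)] = (pkt.dst, pkt.src)
        return replace(pkt, src=new_src, dst=new_dst)

    def untranslate(self, reply):
        """Reverse the translation for a reply that came back through A."""
        orig = self.conntrack.get((reply.src, reply.dst))
        if orig is None:
            return None
        return replace(reply, src=orig[0], dst=orig[1])

def run_probe(do_snat):
    """C pings A. Returns (packet as seen on B, reply as seen by C)."""
    box = NatBox(do_snat)
    on_b = box.forward(Packet(ATTACKER_C, HOST_A, "echo-request"))
    reply = Packet(HONEYPOT_B, on_b.src, "echo-reply")  # B answers the src it saw
    if reply.dst == HOST_A:
        return on_b, box.untranslate(reply)  # reply passes back through A
    return on_b, reply                       # reply goes straight to C

def looks_like_host_a(do_snat):
    """True when the attacker receives its reply from A's own address."""
    return run_probe(do_snat)[1].src == HOST_A
```

With SNAT in place the honeypot's own logs record 192.168.0.2 rather than the attacker's address as the source, so the conntrack or log entries on host A become the record of who was redirected.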
Old 02-05-2011, 09:52 PM   #3
SHaDOW_HaXOr
LQ Newbie
 
Registered: Feb 2011
Posts: 3

Original Poster
Hello acid_kewpie

I know that I need POSTROUTING to prevent the attacker from receiving the response with the wrong source,
but up to now I am concentrating on the PREROUTING as the first stage.

Also in the previous scenario the ping packets were my traffic, and yes it is
in the same subnet; will I have any problem with that?

Thanks for your answer, but I need the full iptables commands for PREROUTING and POSTROUTING
to make the previous scenario work. Also, any related change I need to make, please tell me.

Thanks, and waiting for the right answer
 
Old 02-06-2011, 03:41 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

As above, you are not routing, so you are not going to use the prerouting table at all. You need to understand this. You'll only use prerouting if the machine received a packet with its correct MAC address but with an IP of a different machine, and that's not happening here.
 
Old 02-06-2011, 06:33 AM   #5
SHaDOW_HaXOr
LQ Newbie
 
Registered: Feb 2011
Posts: 3

Original Poster
Hey

Yes, that might be what is happening, but could you suggest another applicable
scenario with 3 hosts and one gateway (sorry, it's an ADSL modem)?

Thanks a lot
 