hello all, this is the first question in this forum, and i wish to have an good answer to my problem.
what i am trying to do is to redirect all the traffic which is sourced from
suspicious IP into a honeypot machine, and this honeyd machine (other computer)
will continue the interaction with the attacker, the attacker thinks that
he/she interacts with the first machine, but actually the honeypot is the one
who interacts with attacker.
to to make this in the real world i decided to use iptables,
and i am new user of this great tool, but i tried to finish my work by
using these commands (i work in ubuntu 10.10 the last version):
first i changed this file /etc/sysctl.conf to :
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See
http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
#net.ipv4.conf.all.secure_redirects = 1
#
##Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 1
#
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 1
net.ipv6.conf.all.accept_source_route = 1
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
---------------------------------------
this was my sysctl.conf.
Now let me demonstrates the topology of my network:
my gateway is 192.168.0.1
host A - contains iptables with ip 192.168.0.2
host B - contains honeyd with ip 192.168.0.3
host c - the attacker machine with ip 192.168.0.4
i applied this rule to host A:
iptables -t nat -A PREROUTING -p all -i eth0 -s 192.168.0.4 -j DNAT --to-destination 192.168.0.3
i tried to ping host A from host C which's the attacker pc
this ICMP packet should be redirected to host B according to previous rule i applied
and i am using sniffer at host B, but no any ICMP packet occurred at host B.
thanks in advance