Honeyd Networking on Linux
Normally, i.e. on a Cisco router, you would just do a
ip route 192.168.0.0 255.255.0.0 192.168.0.1
If I try to add a route to my local subnet, the honeynet host answers every ping with an additional ICMP redirect packet and does not show valid traceroutes.
As far as I understand the honeyd ARP features, they are only intended for mixed networks, meaning networks which contain valid hosts too. In my experiments honeyd ARP would not work well with honeynets. The ARP daemon excludes the host system from ARP faking. This behaviour was disturbing all my efforts to run honeyd on a tap interface and add a route to this interface for the honeynet range.
So I had to do bridging. (Why do I always have to do bridging??)
My home network is 10.2.2.0/24. The honeynet is 192.168.0.0/24.
The router forwards packets to the honeynet machine. In case of a Linux router the following worked for me.
ifconfig eth0 down
ifconfig eth1 down
brctl addbr br0                   # Setup bridging
brctl addif br0 eth0              # client network
brctl addif br0 eth1              # honeynet network
ifconfig br0 up
ip a add 10.2.2.6/24 dev br0      # ip so I can administer the bridge
                                  # is needed so I can set routes (whatever)
ip ro add 10.2.2.0/24 dev br0     # route to local net
ip ro add 192.168.0.0/16 dev br0  # route to honey net
The bridge should take care of packets.
ip a add 10.2.2.10/24 dev eth0
ip ro add default dev eth0
Setup basic networking
ip a add 192.168.0.1/24 dev eth0
ip ro add default dev eth0
This is my honeyd.conf
route entry 192.168.0.1
route 192.168.0.1 add net 192.168.4.0/24 192.168.4.1 latency 7ms loss 0.5
route 192.168.4.1 link 192.168.4.0/24
And the honeyd options
/usr/bin/honeyd -i eth0 192.168.0.0/16
The honeynet is 10.0.0.0/8
ip ro add 10.0.0.0/8 dev lo
Little change to honeyd for traceroute needed
route entry 10.0.0.1 +route 10.0.0.1 link 10.0.0.0/24
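Review bot: the added link on 10.0.0.1 covers only 10.0.0.0/24, while the kernel route (ip ro add 10.0.0.0/8 dev lo) and the honeyd command line both claim 10.0.0.0/8. If templates are bound to addresses outside the first /24, they need either a wider link or further "route ... add net" entries like the 192.168.4.0/24 one in the bridged setup. A short comment in the config saying the link line exists for traceroute would also help the next reader.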
/usr/bin/honeyd -i lo 10.0.0.0/8
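To see which honeypot addresses the route statements in a honeyd.conf like the ones above actually cover, the following added example (not part of the original post and not honeyd's own code) walks the route entry / add net / link statements for a destination and returns the router hops a traceroute should show. It is a simplified model that ignores latency, loss and tunnels; the function names parse_routes and trace are hypothetical.

```python
import ipaddress

# Routing fragment of the honeyd.conf shown above (bridged setup).
CONF = """\
route entry 192.168.0.1
route 192.168.0.1 add net 192.168.4.0/24 192.168.4.1 latency 7ms loss 0.5
route 192.168.4.1 link 192.168.4.0/24
"""

def parse_routes(text):
    """Return (entry, nets, links) from 'route' statements; other lines are ignored."""
    entry, nets, links = None, {}, {}
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 3 or tok[0] != "route":
            continue
        if tok[1] == "entry":
            entry = tok[2]
        elif tok[2] == "add" and len(tok) >= 6 and tok[3] == "net":
            # route <router> add net <network> <gateway> [latency ..] [loss ..]
            nets.setdefault(tok[1], []).append((ipaddress.ip_network(tok[4]), tok[5]))
        elif tok[2] == "link" and len(tok) >= 4:
            # route <router> link <network>: network is directly attached
            links.setdefault(tok[1], []).append(ipaddress.ip_network(tok[3]))
    return entry, nets, links

def trace(text, dst, max_hops=16):
    """Walk from the entry router towards dst.

    Returns the list of virtual router hops, or None when the topology
    has no route to dst (simplified model, assumption of this example).
    """
    entry, nets, links = parse_routes(text)
    addr = ipaddress.ip_address(dst)
    hops, router = [], entry
    while router is not None and len(hops) < max_hops:  # hop limit stops loops
        hops.append(router)
        if addr == ipaddress.ip_address(router):
            return hops
        if any(addr in net for net in links.get(router, [])):
            return hops
        matches = [(net, gw) for net, gw in nets.get(router, []) if addr in net]
        if not matches:
            return None
        router = max(matches, key=lambda m: m[0].prefixlen)[1]  # longest prefix wins
    return None
```

Running trace() over every address a template is bound to shows, before honeyd is started, which honeypots have no path from the entry router.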