The IP Address of The Attacker is not Detected in the Honeypot After Being Forwarded

rama12345 · 08-06-2020, 05:32 AM

have a problem with my project. My project is how to deflect the attacker to the honeypot. I tried using the IPTables to forward any IP Address that want to access the protected network to the honeypot IP Address..

In this case I have 3 IP Address.. a. 192.168.43.42 --> It's a Honeypot b. 192.168.43.216 --> It's a Protected Network/System c. 192.168.43.156 --> It's a Attacker

I tried to configure the IPTables like this.. The honeypot that I used is a Kippo SSH. That's why the port is 22

(This command is implented in the protected system --> 192.168.43.216)

#echo "1" > /proc/sys/net/ipv4/ip_forward
#iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.43.42
#iptables -t nat -A POSTROUTING -j MASQUERADE

After I tried that, the honeypot can detect the attacker!

But, the IP Address that are detected in the honeypot is the IP Address of the Protected System, not the IP Address of the Attackers. It looks like the protected system is attacking itself ..

Do you know how to show the IP Address of the Attackers? not the IP Address that has the Firewall (Protected System)..

Thank you!

TenTenths · 08-06-2020, 05:39 AM

You need to NOT use NAT on the IPTables forwarder, you need to just forward the traffic without doing any form of NAT inbound.

rama12345 · 08-06-2020, 06:59 AM

Thank you for your answer, I really apreciate it..

And I'm sorry because I'm new in here. I'm sorry if there's something bad or wrong in my question

It means what should I do is do this command?

#iptables -t nat -A PREROUTING -p tcp --dport 22 -j --to-destination 192.168.43.42

rama12345 · 08-06-2020, 08:23 AM

Quote:

Originally Posted by TenTenths

You need to NOT use NAT on the IPTables forwarder, you need to just forward the traffic without doing any form of NAT inbound.

Thank you for your answer, I really apreciate it..

And I'm sorry because I'm new in here. I'm sorry if there's something bad or wrong in my question

It means what should I do is do this command?

#iptables -t nat -A PREROUTING -p tcp --dport 22 -j --to-destination 192.168.43.42

TenTenths · 08-06-2020, 09:47 AM

Read this: https://unix.stackexchange.com/quest...ip-without-nat specifically near the end where the user removes their MASQUERADE rule

rama12345 · 08-06-2020, 11:46 AM

Quote:

Originally Posted by TenTenths

Read this: https://unix.stackexchange.com/quest...ip-without-nat specifically near the end where the user removes their MASQUERADE rule

Ahhh I seee, thanks for your helpp!! I really apreciate it

rama12345 · 08-07-2020, 04:04 AM

Quote:

Originally Posted by TenTenths

Read this: https://unix.stackexchange.com/quest...ip-without-nat specifically near the end where the user removes their MASQUERADE rule

found
Hello, when I tried that, it's same ;(( I really need helpp