Does anyone on the list have a recommendation as to how one might use iptables to redirect traffic to a honeypot? I have a few ideas, but I'd really like to hear from someone who has a solution they like (or even an idea they like). Thanks in advance.

To clarify just a bit: I'd like to be able to redirect packets instead of dropping them. I'd also like to be able to do this as a catch-all rule at the end of my INPUT and FORWARD chains.

The overall idea is to combine randomly dropping packets, tarpitting, and live honeypot responses (from different OSes) in an effort to utterly stump recon efforts. In my head, I have visions of Linux boxes reporting they're running IIS 5 and Crays running (x app), etc.

In my testing so far, I've found that combining randomly dropping packets and tarpitting is extremely effective at slowing normal Nmap scans. In some cases, scan time was increased to well over two hours. Now I'd like to introduce live ports into that mix. This way, a positive hit on a live port would not necessarily have to be one of my production boxes. In fact, it probably isn't...

Thanks again,
Bob
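One way to build the rule set described above, as an added example that is not from the original post or any reply to it. It assumes a honeypot host at 192.0.2.10 behind the firewall, scans arriving on eth0, and real services on ports 22, 80 and 443 (all of these are assumptions, overridable through environment variables); the TARPIT target comes from xtables-addons, everything else is stock iptables. Two practical points the example encodes: the redirection has to be done with DNAT in the nat table's PREROUTING chain, which runs before INPUT and FORWARD, rather than as a final rule in those chains, because filter rules cannot rewrite a packet's destination; and the tarpit decision is made once per connection on the SYN and pinned with a connection mark, so a per-packet random match in FORWARD cannot tarpit some packets of a flow and hand the rest to the honeypot. The script prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits an iptables rule set
# that sends scans to a honeypot instead of dropping them, mixed with random
# SYN loss and TARPIT. Interface, hosts and ports below are assumptions.
# Review the output, then apply it as root with:  honeypot_rules | sh -e
# TARPIT requires xtables-addons; the rest is stock iptables.

WAN_IF="${WAN_IF:-eth0}"                 # interface scans arrive on (assumed)
HONEYPOT="${HONEYPOT:-192.0.2.10}"       # honeypot behind this box (assumed address)
PROD_PORTS="${PROD_PORTS:-22,80,443}"    # real services that must never be redirected
P_DROP="${P_DROP:-0.25}"                 # fraction of honeypot-bound SYNs silently dropped
P_TARPIT="${P_TARPIT:-0.30}"             # fraction of honeypot-bound connections tarpitted

# Print one iptables command per line instead of running it.
rule() { printf '%s\n' "iptables $*"; }

honeypot_rules() {
    # 1. Decide once per connection whether it is tarpitted. The roll happens
    #    on the SYN in mangle/PREROUTING (conntrack has already created the
    #    entry there) and is stored in the connection mark, so every later
    #    packet of that flow takes the same path.
    rule -t mangle -A PREROUTING -i "$WAN_IF" -p tcp --syn \
        -m multiport ! --dports "$PROD_PORTS" \
        -m statistic --mode random --probability "$P_TARPIT" \
        -j CONNMARK --set-mark 1

    # 2. Redirect rather than drop: any TCP traffic not aimed at a production
    #    port is DNATed to the honeypot. This must be done in nat/PREROUTING,
    #    which runs before routing and before the INPUT/FORWARD filter chains;
    #    a rule at the end of those chains cannot change the destination.
    rule -t nat -A PREROUTING -i "$WAN_IF" -p tcp \
        -m multiport ! --dports "$PROD_PORTS" \
        -j DNAT --to-destination "$HONEYPOT"

    # 3. filter/FORWARD sees the rewritten packets. Tarpit marked flows before
    #    the ESTABLISHED accept, otherwise the client's ACK of the tarpit's
    #    SYN/ACK would be forwarded to the honeypot instead.
    rule -A FORWARD -i "$WAN_IF" -p tcp -m connmark --mark 1 -j TARPIT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. Random per-packet SYN loss on what remains. Retransmitted SYNs roll
    #    again, which is what stretches a scanner's timing. Only honeypot-bound
    #    SYNs are affected, so production ports see no loss.
    rule -A FORWARD -i "$WAN_IF" -d "$HONEYPOT" -p tcp --syn \
        -m statistic --mode random --probability "$P_DROP" -j DROP

    # 5. Everything else bound for the honeypot is delivered; the honeypot's
    #    replies are un-DNATed by conntrack on the way back out.
    rule -A FORWARD -i "$WAN_IF" -d "$HONEYPOT" -p tcp -j ACCEPT
}

# Print the rules when run directly (sourcing the file only defines the functions).
case "$0" in */honeypot_rules.sh|honeypot_rules.sh) honeypot_rules ;; esac
```

Forwarding must be enabled on the box (`sysctl -w net.ipv4.ip_forward=1`) for the DNATed packets to reach the honeypot. Keep P_TARPIT modest: each tarpitted connection keeps a conntrack entry until it times out, and the same DNAT machinery the honeypot depends on means these flows cannot simply be excluded from tracking. A honeyd instance on the firewall itself can be substituted by replacing the DNAT rule with `-j REDIRECT --to-ports <port>` and moving the filter rules from FORWARD to INPUT, where TARPIT is equally valid.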