Hi all,

The following circumstances are quite odd to me and refer to http://www.linuxforums.org/network/a...ntinued_6.html

I am trying to set up a honeyd on a machine using two interfaces: eth0 and eth1 (having the ip addresses 1.2.3.4 and 10.11.12.13). This is my setup of ip route:

1.2.3.0/24 dev eth0 proto kernel scope link src 1.2.3.4
10.11.12.0/24 dev eth1 proto kernel scope link src 10.11.12.13
default via 10.11.12.254 dev eth1

ip added a new rule, so my rules look like (ip rule)

0: from all lookup local
1000: from 1.2.3.4 lookup testnet
32766: from all lookup main
32767: from all lookup default

$ ip route show table testnet
default via 1.2.3.254 dev eth0

This setup should do the following: Everything coming in via eth1 should be routed out via eth1 (using the default gateway) and everything coming in via eth0 looks up the testnet table and routes out via eth0 again.

Now this does work for every ping to 1.2.3.4 or 10.11.12.13.
I have a honeyd deployed to the interface 10.11.12.13. Now if I ping a virtual honeyd-computer having the IP 10.11.12.100, it should come in via eth1 (because arpd tells my pinging host the MAC address of the eth1 interface that honeyd is bound to) and go out via eth1, right? It does that so far, but the odd thing is that it doesn't do it correctly:

tcpdump output shows (100.100.100.100 being the host that sends the ping, i.e. echo req):

15:07:00.404708 IP 100.100.100.100 > 10.11.12.100: icmp 64: echo request seq 0
15:07:00.405047 IP 10.11.12.100 > 100.100.100.100: icmp 64: echo reply seq 0
15:07:01.406166 IP 100.100.100.100 > 10.11.12.100: icmp 64: echo request seq 1
15:07:01.406354 IP 10.11.12.100 > 100.100.100.100: icmp 64: echo reply seq 1
15:07:02.407138 IP 100.100.100.100 > 10.11.12.100: icmp 64: echo request seq 2
15:07:02.407322 IP 10.11.12.100 > 100.100.100.100: icmp 64: echo reply seq 2
15:07:03.404291 IP 10.11.12.13 > 100.100.100.100: icmp 92: host 10.11.12.100 unreachable
15:07:03.404320 IP 10.11.12.13 > 100.100.100.100: icmp 92: host 10.11.12.100 unreachable
15:07:03.404343 IP 10.11.12.13 > 100.100.100.100: icmp 92: host 10.11.12.100 unreachable

15:07:03.407767 IP 100.100.100.100 > 10.11.12.100: icmp 64: echo request seq 3
15:07:03.407999 IP 10.11.12.100 > 100.100.100.100: icmp 64: echo reply seq 3
15:07:04.409104 IP 100.100.100.100 > 10.11.12.100: icmp 64: echo request seq 4
15:07:04.409289 IP 10.11.12.100 > 100.100.100.100: icmp 64: echo reply seq 4
15:07:05.410058 IP 100.100.100.100 > 10.11.12.100: icmp 64: echo request seq 5
15:07:05.410268 IP 10.11.12.100 > 100.100.100.100: icmp 64: echo reply seq 5
15:07:06.406825 IP 10.11.12.13 > 100.100.100.100: icmp 92: host 10.11.12.100 unreachable
15:07:06.406851 IP 10.11.12.13 > 100.100.100.100: icmp 92: host 10.11.12.100 unreachable
15:07:06.406873 IP 10.11.12.13 > 100.100.100.100: icmp 92: host 10.11.12.100 unreachable


Can anyone explain that?!
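
The rule and table lookup described in the post can be traced with a small model. This is an added example, not part of the original post: it reduces the kernel's lookup to source-selector rules plus longest-prefix match, and the contents of the `local` table (not shown in the post) are assumed to be just the two interface addresses.

```python
import ipaddress

# Routing tables as shown in the post. The "local" table is not shown there;
# its contents are an assumption (only the two interface addresses).
TABLES = {
    "local": [("1.2.3.4/32", "eth0", None), ("10.11.12.13/32", "eth1", None)],
    "testnet": [("0.0.0.0/0", "eth0", "1.2.3.254")],
    "main": [
        ("1.2.3.0/24", "eth0", None),
        ("10.11.12.0/24", "eth1", None),
        ("0.0.0.0/0", "eth1", "10.11.12.254"),
    ],
    "default": [],
}

# (priority, source selector, table) from the post's `ip rule` output.
RULES = [
    (0, "0.0.0.0/0", "local"),
    (1000, "1.2.3.4/32", "testnet"),
    (32766, "0.0.0.0/0", "main"),
    (32767, "0.0.0.0/0", "default"),
]


def lookup(src, dst):
    """Return (table, prefix, dev, gateway) chosen for a packet, or None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES):
        if src_ip not in ipaddress.ip_network(selector):
            continue  # rule does not apply to this source address
        matches = [r for r in TABLES[table]
                   if dst_ip in ipaddress.ip_network(r[0])]
        if matches:
            # Longest prefix wins inside a table.
            best = max(matches,
                       key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
            return (table, *best)
        # No route in this table: fall through to the next rule.
    return None


if __name__ == "__main__":
    for src, dst in [("1.2.3.4", "100.100.100.100"),
                     ("10.11.12.100", "100.100.100.100"),
                     ("100.100.100.100", "10.11.12.13"),
                     ("100.100.100.100", "10.11.12.100")]:
        print(f"{src} -> {dst}: {lookup(src, dst)}")
```

In this model a packet addressed to 10.11.12.100 is not matched by `local`, so it resolves to the on-link 10.11.12.0/24 route in `main`, while a packet addressed to 10.11.12.13 is matched by `local`.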