feat: Build Honeywall-Traffic Router

docs/honeywall-verification.md

@@ -0,0 +1,100 @@
+# Honeywall Verification Guide
+
+## 🎯 Issue #20: Build Honeywall - Intelligent Traffic Router
+
+### Changes Made
+
+1. **Honeywall Gateway Instance**
+   - Traffic inspection and analysis
+   - Protocol-specific attack detection
+   - Dynamic routing decisions
+   - Real-time threat intelligence
+
+2. **Traffic Classification Engine**
+   - Suspicious pattern detection
+   - Legitimate user identification
+   - Reputation-based routing
+   - Rate limiting and protection
+
+3. **Security Architecture**
+   - Network isolation for honeypots
+   - NAT-based traffic forwarding
+   - iptables rule management
+   - GeoIP enrichment for attack analysis
+
+### Deployment Steps
+
+1. **Deploy Honeywall Infrastructure**
+   ```bash
+   cd infrastructure/terraform
+   terraform apply -var="create_honeywall=true"
+   ```
+
+2. **Verify Honeywall Status**
+   ```bash
+   # Get honeywall IP
+   terraform output honeywall_public_ip
+
+   # Check service status
+   ssh -i ~/.ssh/key.pem ec2-user@<HONEYWALL_IP>
+   sudo systemctl status honeywall
+   ```
+
+3. **Test Traffic Routing**
+   ```bash
+   # Test suspicious traffic (should route to honeypot)
+   ssh root@<HONEYWALL_IP> -p 2222
+
+   # Check routing logs
+   sudo tail -f /var/log/honeywall/honeywall.log
+   ```
+
+4. **Verify Network Isolation**
+   ```bash
+   # Honeypot should only be accessible via honeywall
+   nmap -p 2222 <HONEYPOT_PRIVATE_IP>  # Should fail
+   nmap -p 2222 <HONEYWALL_IP>         # Should succeed
+   ```
+
+### Expected Results
+
+- Suspicious traffic automatically routes to honeypots
+- Legitimate traffic passes through normally
+- Attack patterns are logged and analyzed
+- Geographic attack data is collected
+- Rate limiting prevents abuse
+
+### Success Criteria
+
+- ✅ Honeywall analyzes all incoming traffic
+- ✅ Suspicious connections route to honeypots
+- ✅ Legitimate traffic passes normally
+- ✅ Attack patterns are logged with GeoIP data
+- ✅ Rate limiting prevents DoS attacks
+- ✅ Honeypots are isolated from direct access
+
+### Traffic Classification Logic
+
+```
+Incoming Traffic Analysis:
+├── Suspicious Pattern → Route to Honeypot
+├── Legitimate User → Route to Real System  
+├── Unknown Traffic → Route to Decoy
+└── Rate Limited → Block/Drop
+```
+
+### Protocol Analysis
+
+- **SSH**: Detect brute force, credential stuffing
+- **Telnet**: Identify automated attacks
+- **HTTP**: Spot SQL injection, web attacks
+- **FTP**: Monitor file transfer attempts
+
+### Security Benefits
+
+- **Active Defense**: Routes attackers to deception environments
+- **Network Protection**: Isolates real systems from direct exposure
+- **Threat Intelligence**: Collects attack patterns and attribution
+- **Automated Response**: Dynamic routing based on threat analysis
+
+This creates an intelligent defense layer that actively protects and deceives attackers.

infrastructure/terraform/modules/honeywall/config/iptables-rules.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# Honeywall iptables configuration
+
+# Enable IP forwarding
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# Clear existing rules
+iptables -F
+iptables -t nat -F
+iptables -t mangle -F
+
+# Default policies
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+
+# NAT for honeypot traffic
+iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination ${HONEYPOT_PRIVATE_IP}:2222
+iptables -t nat -A PREROUTING -p tcp --dport 2223 -j DNAT --to-destination ${HONEYPOT_PRIVATE_IP}:2223
+
+# Log suspicious traffic
+iptables -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "SUSPICIOUS_SSH: "
+iptables -A FORWARD -p tcp --dport 23 -j LOG --log-prefix "SUSPICIOUS_TELNET: "
+
+# Rate limiting
+iptables -A INPUT -p tcp --dport 22 -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
+iptables -A INPUT -p tcp --dport 22 -j DROP
+
+# Save rules
+iptables-save > /etc/iptables/rules.v4

infrastructure/terraform/modules/honeywall/config/legitimate_ips.txt

@@ -0,0 +1,10 @@
+# Legitimate IP ranges for honeywall
+# Add your trusted IP ranges here
+# Format: IP/CIDR (one per line)
+
+# Example corporate networks
+# 192.168.1.0/24
+# 10.0.0.0/8
+# 172.16.0.0/12
+
+# Add your specific trusted IPs below

infrastructure/terraform/modules/honeywall/main.tf

@@ -0,0 +1,93 @@
+# Honeywall Gateway Instance
+resource "aws_instance" "honeywall" {
+  ami           = var.ami_id
+  instance_type = var.instance_type
+  key_name      = var.key_name
+  subnet_id     = var.subnet_id
+
+  vpc_security_group_ids = [aws_security_group.honeywall_sg.id]
+  associate_public_ip_address = true
+  user_data      = templatefile("${path.module}/user_data.sh", {
+    elasticsearch_endpoint = var.elasticsearch_endpoint
+    logstash_endpoint      = var.logstash_endpoint
+  })
+
+  tags = merge(var.tags, {
+    Name = "honeynet-honeywall"
+  })
+}
+
+# Security Group for Honeywall
+resource "aws_security_group" "honeywall_sg" {
+  name        = "honeywall-sg"
+  description = "Security group for Honeywall gateway"
+  vpc_id      = var.vpc_id
+
+  # Allow all incoming traffic for inspection
+  ingress {
+    description = "Allow all traffic for inspection"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # Allow all outbound traffic
+  egress {
+    description = "Allow all outbound traffic"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "honeywall-sg"
+  }
+}
+
+# Network Interface for Honeypot Backend
+resource "aws_network_interface" "honeypot_backend" {
+  subnet_id       = var.subnet_id
+  private_ips     = [var.honeypot_private_ip]
+  security_groups = [aws_security_group.honeypot_backend_sg.id]
+
+  tags = {
+    Name = "honeypot-backend-nic"
+  }
+}
+
+# Security Group for Honeypot Backend Network
+resource "aws_security_group" "honeypot_backend_sg" {
+  name        = "honeypot-backend-sg"
+  description = "Security group for honeypot backend network"
+  vpc_id      = var.vpc_id
+
+  # Only allow traffic from honeywall
+  ingress {
+    description = "Allow traffic from honeywall only"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    security_groups = [aws_security_group.honeywall_sg.id]
+  }
+
+  egress {
+    description = "Allow all outbound traffic"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "honeypot-backend-sg"
+  }
+}
+
+# Attach network interface to honeypot instance
+resource "aws_network_interface_attachment" "honeypot_attachment" {
+  instance_id          = var.honeypot_instance_id
+  network_interface_id = aws_network_interface.honeypot_backend.id
+  device_index         = 1
+}

infrastructure/terraform/modules/honeywall/outputs.tf

@@ -0,0 +1,19 @@
+output "honeywall_public_ip" {
+  description = "Public IP address of Honeywall"
+  value       = aws_instance.honeywall.public_ip
+}
+
+output "honeywall_private_ip" {
+  description = "Private IP address of Honeywall"
+  value       = aws_instance.honeywall.private_ip
+}
+
+output "honeywall_id" {
+  description = "Instance ID of Honeywall"
+  value       = aws_instance.honeywall.id
+}
+
+output "honeypot_backend_ip" {
+  description = "Private IP of honeypot backend network"
+  value       = aws_network_interface.honeypot_backend.private_ip
+}