summaryrefslogtreecommitdiffstats
path: root/package/iptables/patches/009-tarpit-support.patch
blob: 31053798778792fe87e32d02ae0f291d68f52a42 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
diff -N -u -r iptables-1.3.8-20070817/extensions/libipt_TARPIT.c iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.c
--- iptables-1.3.8-20070817/extensions/libipt_TARPIT.c	1969-12-31 19:00:00.000000000 -0500
+++ iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.c	2007-08-18 14:49:25.000000000 -0400
@@ -0,0 +1,58 @@
+/* Shared library add-on to iptables for TARPIT support */
+#include <stdio.h>
+#include <getopt.h>
+#include <iptables.h>
+
+static void
+help(void)
+{
+	fputs(
+"TARPIT takes no options\n"
+"\n", stdout);
+}
+
+static struct option opts[] = {
+	{ 0 }
+};
+
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const struct ipt_entry *entry,
+      struct ipt_entry_target **target)
+{
+	return 0;
+}
+
+static void final_check(unsigned int flags)
+{
+}
+
+static void
+print(const struct ipt_ip *ip,
+      const struct ipt_entry_target *target,
+      int numeric)
+{
+}
+
+static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
+{
+}
+
+static struct iptables_target tarpit = {
+	.next		= NULL,
+	.name		= "TARPIT",
+	.version	= IPTABLES_VERSION,
+	.size		= IPT_ALIGN(0),
+	.userspacesize	= IPT_ALIGN(0),
+	.help		= &help,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	register_target(&tarpit);
+}
diff -N -u -r iptables-1.3.8-20070817/extensions/libipt_TARPIT.man iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.man
--- iptables-1.3.8-20070817/extensions/libipt_TARPIT.man	1969-12-31 19:00:00.000000000 -0500
+++ iptables-1.3.8-20070817-nf/extensions/libipt_TARPIT.man	2007-08-18 14:49:25.000000000 -0400
@@ -0,0 +1,34 @@
+Captures and holds incoming TCP connections using no local
+per-connection resources. Connections are accepted, but immediately
+switched to the persist state (0 byte window), in which the remote
+side stops sending data and asks to continue every 60-240 seconds.
+Attempts to close the connection are ignored, forcing the remote side
+to time out the connection in 12-24 minutes.
+
+This offers similar functionality to LaBrea
+<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
+hardware or IPs. Any TCP port that you would normally DROP or REJECT
+can instead become a tarpit.
+
+To tarpit connections to TCP port 80 destined for the current machine:
+.IP
+iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
+.P
+To significantly slow down Code Red/Nimda-style scans of unused address
+space, forward unused ip addresses to a Linux box not acting as a router
+(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
+forwarding on the Linux box, and add:
+.IP
+iptables -A FORWARD -p tcp -j TARPIT
+.IP
+iptables -A FORWARD -j DROP
+.TP
+NOTE:
+If you use the conntrack module while you are using TARPIT, you should
+also use the NOTRACK target, or the kernel will unnecessarily allocate
+resources for each TARPITted connection. To TARPIT incoming
+connections to the standard IRC port while using conntrack, you could:
+.IP
+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
+.IP
+iptables -A INPUT -p tcp --dport 6667 -j TARPIT
diff -N -u -r iptables-1.3.8-20070817/extensions/.TARPIT-test iptables-1.3.8-20070817-nf/extensions/.TARPIT-test
--- iptables-1.3.8-20070817/extensions/.TARPIT-test	1969-12-31 19:00:00.000000000 -0500
+++ iptables-1.3.8-20070817-nf/extensions/.TARPIT-test	2007-08-18 14:49:25.000000000 -0400
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/net/netfilter/xt_TARPIT.c ] && echo TARPIT