Mailing List Archive

How to tarpit without loading conntrack modules?
(Please CC me as I'm not on the list)

Is it possible to use the TARPIT module without auto-loading conntrack
modules and still leaving the machine able to make outbound connections?
I tried the following and it didn't work. Using -m state --state
ESTABLISHED loads the conntrack modules and therefore leaves the machine
open to resource waste by connections that get tarpitted. Is there a
solution? Or will I have to separate a machine for the purpose, and
leave it unable to make outbound TCP connections?

-A INPUT -s 127.0.0.0/8 -j ACCEPT
-A INPUT -s (some source) -p tcp -m tcp --dport (some port) -j ACCEPT
-A INPUT -s (other source) -p tcp -m tcp --dport (other port) -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TARPIT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j TARPIT

Re: How to tarpit without loading conntrack modules?
On Wed, Aug 01, 2007 at 10:53:07PM -0300, Juan Carlos Castro y Castro wrote:
> (Please CC me as I'm not on the list)
>
> Is it possible to use the TARPIT module without auto-loading conntrack
> modules and still leaving the machine able to make outbound connections? I
> tried the following and it didn't work. Using -m state --state ESTABLISHED
> loads the conntrack modules and therefore leaves the machine open to
> resource waste by connections that get tarpitted. Is there a solution? Or
> will I have to separate a machine for the purpose, and leave it unable to
> make outbound TCP connections?
>
> -A INPUT -s 127.0.0.0/8 -j ACCEPT
> -A INPUT -s (some source) -p tcp -m tcp --dport (some port) -j ACCEPT
> -A INPUT -s (other source) -p tcp -m tcp --dport (other port) -j ACCEPT
> -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TARPIT
> -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j TARPIT
>

According to the iptables man page, you have to use the NOTRACK target
to avoid that.

[quote]
If you use the conntrack module while you are using TARPIT, you should
also use the NOTRACK target, or the kernel will unnecessarily allocate
resources for each TARPITted connection. To TARPIT incoming connections
to the standard IRC port while using conntrack, you could:

iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK

iptables -A INPUT -p tcp --dport 6667 -j TARPIT
[/quote]

Does it help?

--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
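As an added example for this archive page (not code from either post, nor from xtables-addons), the script below turns the man-page recipe quoted in the reply into a ruleset for a list of ports and adds the check a practitioner would want afterwards: confirming that tarpitted flows really are absent from the conntrack table. It assumes the TARPIT target from xtables-addons (xt_TARPIT) is available, that the port list is a made-up sample, that `-m conntrack --ctstate` is used in place of the older `-m state --state` alias from the original question, and that the check reads the `/proc/net/nf_conntrack` text format. The sample conntrack dump inside `sample_dump` is constructed for the example.

```shell
#!/bin/sh
# Added example, written for this archive page; it is not code from the thread
# or from xtables-addons.  It applies the NOTRACK-before-TARPIT pattern quoted
# from the man page above to a list of ports, keeps conntrack working for
# connections this host opens itself, and checks a conntrack table dump for
# tarpitted flows that leaked into the table.
#
# Assumptions: the TARPIT target from xtables-addons (xt_TARPIT) is available,
# the port list below is made up for the example, and the check reads the
# /proc/net/nf_conntrack format.  Set IPT=echo to print rules instead of
# applying them.
set -e
IPT="${IPT:-iptables}"

# Ports to tarpit: sample values for this example, not from the original post.
TARPIT_PORTS="${TARPIT_PORTS:-6667 25 445}"

install_tarpit() {
    # 1. raw/PREROUTING runs before conntrack sees a packet, so a NOTRACK rule
    #    here is what keeps the kernel from allocating state per tarpitted SYN.
    for port in $TARPIT_PORTS; do
        $IPT -t raw -A PREROUTING -p tcp --dport "$port" -j NOTRACK
    done
    # 2. Everything else stays tracked, so replies to outbound connections this
    #    host made are accepted.  NOTRACKed packets have ctstate UNTRACKED and
    #    never match here.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. TARPIT answers the handshake and then holds the peer with a zero
    #    window; no conntrack entry exists for it thanks to step 1.
    for port in $TARPIT_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" -j TARPIT
    done
}

# tracked_entries DUMP PORT: number of TCP conntrack entries whose original
# direction targets PORT.  DUMP is in /proc/net/nf_conntrack format (the first
# dport= field on a line is the original direction, the second is the reply).
# After install_tarpit, every port in TARPIT_PORTS should report 0.
tracked_entries() {
    awk -v port="$2" '
        $3 == "tcp" {
            for (i = 1; i <= NF; i++)
                if (index($i, "dport=") == 1) {
                    if ($i == ("dport=" port)) n++
                    break
                }
        }
        END { print n + 0 }' "$1"
}

# Constructed sample of /proc/net/nf_conntrack for the check: an outbound
# HTTPS connection, a DNS query, and one tarpit-port flow that did leak into
# the table (what you would see without the NOTRACK rule).
sample_dump() {
    printf '%s\n' \
        'ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51234 dport=443 src=192.0.2.10 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=0 use=2' \
        'ipv4     2 udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40000 mark=0 use=1' \
        'ipv4     2 tcp      6 119 SYN_SENT src=198.51.100.7 dst=10.0.0.5 sport=4444 dport=6667 [UNREPLIED] src=10.0.0.5 dst=198.51.100.7 sport=6667 dport=4444 mark=0 use=1'
}

case "${1:-}" in
    apply)
        install_tarpit ;;
    check)
        # sh tarpit.sh check [DUMP]; defaults to the live table.
        for port in $TARPIT_PORTS; do
            printf 'port %s: %s tracked entries\n' "$port" \
                "$(tracked_entries "${2:-/proc/net/nf_conntrack}" "$port")"
        done ;;
    demo)
        # Run the check against the constructed sample; port 6667 shows the leak.
        tmp=$(mktemp)
        sample_dump > "$tmp"
        for port in $TARPIT_PORTS; do
            printf 'port %s: %s tracked entries\n' "$port" "$(tracked_entries "$tmp" "$port")"
        done
        rm -f "$tmp" ;;
esac
```

Run `IPT=echo sh tarpit.sh apply` to preview the rules, `sh tarpit.sh apply` as root to install them, and `sh tarpit.sh check` afterwards against the live table (the file only exists while nf_conntrack is loaded, which it will be once the ESTABLISHED rule is in place). `sh tarpit.sh demo` runs the same check over the constructed sample so you can see what a leaked entry looks like. The ordering matters in one place only: the NOTRACK rules must be in the raw table, since by the time a packet reaches INPUT conntrack has already allocated its entry.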