net-firewall/iptables/files/iptables-1.4.0-tarpit.diff


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

diff -urN iptables-1.4.0/extensions/.TARPIT-test iptables-1.4.0-tarpit/extensions/.TARPIT-test
--- iptables-1.4.0/extensions/.TARPIT-test	1969-12-31 19:00:00.000000000 -0500
+++ iptables-1.4.0-tarpit/extensions/.TARPIT-test	2008-04-10 13:29:45.001461481 -0400
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/net/netfilter/xt_TARPIT.c ] && echo TARPIT
diff -uNr -r iptables-1.4.0/extensions/Makefile iptables-1.4.0-tarpit/extensions/Makefile
--- iptables-1.4.0/extensions/Makefile	2007-03-22 01:04:36.000000000 +0100
+++ iptables-1.4.0-tarpit/extensions/Makefile	2008-10-19 17:19:02.000000000 +0200
@@ -6,6 +6,7 @@
 # package (HW)
 #
 PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange owner policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
+PF_EXT_SLIB+=TARPIT
 PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh owner policy rt HL LOG REJECT
 PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
 
diff -urN iptables-1.4.0/extensions/libipt_TARPIT.c iptables-1.4.0-tarpit/extensions/libipt_TARPIT.c
--- iptables-1.4.0/extensions/libipt_TARPIT.c	1969-12-31 19:00:00.000000000 -0500
+++ iptables-1.4.0-tarpit/extensions/libipt_TARPIT.c	2008-04-10 13:58:17.321461025 -0400
@@ -0,0 +1,56 @@
+/* Shared library add-on to iptables for TARPIT support */
+#include <stdio.h>
+#include <getopt.h>
+#include <iptables.h>
+
+static void
+TARPIT_help(void)
+{
+  fputs(
+	"TARPIT takes no options\n"
+	"\n", stdout);
+}
+
+static struct option TARPIT_opts[] = {
+  { 0 }
+};
+
+static int
+TARPIT_parse(int c, char **argv, int invert, unsigned int *flags,
+	     const void *entry,
+	     struct xt_entry_target **target)
+{
+  return 0;
+}
+
+static void TARPIT_final_check(unsigned int flags)
+{
+}
+
+static void
+TARPIT_print(const void *ip, const struct xt_entry_target *target,
+	     int numeric)
+{
+}
+
+static void TARPIT_save(const void *ip, const struct xt_entry_target *target)
+{
+}
+
+static struct iptables_target tarpit_target = {
+  .name			= "TARPIT",
+  .version		= IPTABLES_VERSION,
+  .size			= IPT_ALIGN(0),
+  .userspacesize	= IPT_ALIGN(0),
+  .help			= TARPIT_help,
+  .parse		= TARPIT_parse,
+  .final_check		= TARPIT_final_check,
+  .print		= TARPIT_print,
+  .save			= TARPIT_save,
+  .extra_opts		= TARPIT_opts
+};
+
+void _init(void)
+{
+  register_target(&tarpit_target);
+}
diff -urN iptables-1.4.0/extensions/libipt_TARPIT.man iptables-1.4.0-tarpit/extensions/libipt_TARPIT.man
--- iptables-1.4.0/extensions/libipt_TARPIT.man	1969-12-31 19:00:00.000000000 -0500
+++ iptables-1.4.0-tarpit/extensions/libipt_TARPIT.man	2008-04-10 13:29:45.000460310 -0400
@@ -0,0 +1,34 @@
+Captures and holds incoming TCP connections using no local
+per-connection resources. Connections are accepted, but immediately
+switched to the persist state (0 byte window), in which the remote
+side stops sending data and asks to continue every 60-240 seconds.
+Attempts to close the connection are ignored, forcing the remote side
+to time out the connection in 12-24 minutes.
+
+This offers similar functionality to LaBrea
+<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
+hardware or IPs. Any TCP port that you would normally DROP or REJECT
+can instead become a tarpit.
+
+To tarpit connections to TCP port 80 destined for the current machine:
+.IP
+iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
+.P
+To significantly slow down Code Red/Nimda-style scans of unused address
+space, forward unused ip addresses to a Linux box not acting as a router
+(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
+forwarding on the Linux box, and add:
+.IP
+iptables -A FORWARD -p tcp -j TARPIT
+.IP
+iptables -A FORWARD -j DROP
+.TP
+NOTE:
+If you use the conntrack module while you are using TARPIT, you should
+also use the NOTRACK target, or the kernel will unnecessarily allocate
+resources for each TARPITted connection. To TARPIT incoming
+connections to the standard IRC port while using conntrack, you could:
+.IP
+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
+.IP
+iptables -A INPUT -p tcp --dport 6667 -j TARPIT