> for tarpitports in 21 23 25 42 79 81 110 137 138 139 445 901; do
>     $path_iptables -t raw -A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport $tarpitports -j NOTRACK
>     $path_iptables -t raw -A PREROUTING -s $ext_ip -p tcp --sport $tarpitports -j NOTRACK
>
>     $path_iptables -A INPUT -s 0.0.0.0/0 -d $ext_ip -i $ext_if -p tcp -m tcp --dport $tarpitports -j TARPIT
>     $path_iptables -A INPUT -s 0.0.0.0/0 -d $ext_ip -i $ext_if -p tcp -m tcp --dport $tarpitports -j LOG-INPUT # just in case
> done
>
> Untracking the ports makes the situation safe for conntrack.
>
> Now I also want to use the tarpit feature for ports > 1023.
> Who can help me here?

Maybe you can do something with the mport patch:
http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-mport

Of course, you need to patch the kernel for that to work.

Gr,
Rob
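An added example, written here and not posted by either participant, of what the mport match Rob points to buys you: the original loop needs one rule set per port, while mport (an enhanced multiport from patch-o-matic) accepts port ranges such as `1024:65535`, so the whole high-port range becomes one rule. It assumes a kernel and iptables patched with both TARPIT and mport, and it uses placeholder values for the interface and address; the untracking of the return direction is placed in the raw OUTPUT chain, which is where locally generated replies pass. Set `IPTABLES=echo` to review the rules without applying them.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates NOTRACK + TARPIT
# rules for a port range using the mport match. Assumes a kernel/iptables
# patched with TARPIT and mport (patch-o-matic pom-base).
IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-eth0}"          # assumed external interface name
EXT_IP="${EXT_IP:-192.0.2.10}"    # constructed example address (TEST-NET-1)

# Emit the rules for one mport port specification, e.g. "1024:65535" or
# "21,23,25,1024:65535" (mport takes a comma list that may include ranges).
tarpit_range() {
    ports="$1"
    # raw table: exempt both directions from conntrack, so tarpitted
    # connections never consume conntrack entries (the point of NOTRACK above)
    $IPTABLES -t raw -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp -m mport --dports "$ports" -j NOTRACK
    $IPTABLES -t raw -A OUTPUT -o "$EXT_IF" -s "$EXT_IP" -p tcp -m mport --sports "$ports" -j NOTRACK
    # filter table: log the SYN first, then tarpit. TARPIT is a terminating
    # target, so a LOG rule placed after it would never be reached.
    $IPTABLES -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p tcp --syn -m mport --dports "$ports" -j LOG --log-prefix "tarpit: "
    $IPTABLES -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p tcp -m mport --dports "$ports" -j TARPIT
}

# Usage: IPTABLES=echo sh tarpit-range.sh 1024:65535
if [ $# -gt 0 ]; then
    tarpit_range "$1"
fi
```

A range spec excludes nothing, so any service that legitimately listens above 1023 on the external address must be accepted by an earlier INPUT rule, or it will be tarpitted along with everything else; the same holds for the high ports a passive-mode FTP server hands out.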