Re: ddos / no connection tracking / tarpitting

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

You *must* use the rule

iptables -t raw -A PREROUTING -s 1.2.3.4 -p tcp --sport 5678 -j NOTRACK

as well, otherwise conntrack will pick up the reply packets from the
TARPIT target.


Very good point.

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux