Hi guys,
I had a usage question about tarpit in respects to connection tracking. We have a firewall that has a fairly heavy usage so we have put a separate box external of the firewall to do tarpitting of port scanners. Anyways, we are still being hit pretty hard by many things on this firewall. I was thinking about configuration tarpit on the firewall cluster but wanted to ensure that connection tracking wasn't a problem.
Is it as simple as just sending the connection to the NOTRACK chain before sending it to tarpit?
iptaables -t raw -A INPUT -p tcp -m tcp --dport 80 -j NOTRACK iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
Is there a better approach to this? Will this even work? The rules above are more or less just a sample. I would want to block almost all traffic destined for the input chain on the firewall on the external interface unless it is related traffic.
If you were worried about just one port, as in your example, I would do what you have done. However if you are planing on TARPITing a lot of ports (the majority of them) I would be tempted to do something like the following:
iptables -t raw -A INPUT -p tcp --dport 22 -j ACCEPT iptables -t raw -A INPUT -p tcp --dport 443 -j ACCEPT iptables -t raw -A INPUT -p tcp -j NOTRACK iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT iptables -t filter -A INPUT -p tcp -j TARPIT
This should cause any traffic that is not destined to known good ports to be not tracked and thus safe to send to the TARPIT.
Grant. . . .
