Re: Tarpit usage question

Hi guys,

I had a usage question about tarpit with respect to connection tracking.
We have a firewall that has fairly heavy usage, so we have put a
separate box external to the firewall to do tarpitting of port scanners.
Anyway, we are still being hit pretty hard by many things on this
firewall.  I was thinking about configuring tarpit on the firewall
cluster but wanted to ensure that connection tracking wasn't a problem.

Is it as simple as just sending the connection to the NOTRACK chain
before sending it to tarpit?

iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

Is there a better approach to this?  Will this even work?  The rules
above are more or less just a sample.  I would want to block almost all
traffic destined for the input chain on the firewall on the external
interface unless it is related traffic.

If you were worried about just one port, as in your example, I would do what you have done. However, if you are planning on TARPITing a lot of ports (the majority of them) I would be tempted to do something like the following:

iptables -t raw -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -t raw -A PREROUTING -p tcp --dport 443 -j ACCEPT
iptables -t raw -A PREROUTING -p tcp -j NOTRACK
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp -j TARPIT

This should cause any traffic that is not destined for known good ports not to be tracked, and thus safe to send to the TARPIT.



Grant. . . .
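The rule set in the reply above, written out as a small generator script. This is an added example, not code from either poster: it takes the allow-listed service ports as arguments, puts the NOTRACK rule in raw PREROUTING (the raw table has no INPUT chain, only PREROUTING and OUTPUT), and adds the piece the original question asked for, an ESTABLISHED/RELATED accept ahead of the TARPIT rule. It also covers a caveat in the reply's rule set: a blanket NOTRACK on inbound TCP also catches the reply packets of the firewall's own outbound connections (their destination ports are ephemeral), so the script keeps that range tracked and drops unsolicited packets to it instead of tarpitting them. The external interface name (eth0), the ephemeral port range and the xt_TARPIT module being present are assumptions; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the raw/filter rules that exempt an
# allow-list of TCP service ports from TARPIT and send everything else through
# NOTRACK first, so tarpitted scans never create conntrack entries.

EXT_IF="${EXT_IF:-eth0}"               # assumed external interface name
# Assumed ephemeral range; on the real box read it from
# /proc/sys/net/ipv4/ip_local_port_range instead of hard-coding it.
EPHEMERAL="${EPHEMERAL:-32768:60999}"

# Return 0 for a valid TCP port number (1-65535), 1 otherwise.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule set for the service ports given as arguments.
gen_tarpit_rules() {
    for p in "$@"; do
        validate_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done

    # raw table: only PREROUTING and OUTPUT exist, so NOTRACK cannot go in INPUT.
    # Service ports and replies to our own outbound connections stay tracked;
    # everything else on the external interface is marked untracked.
    for p in "$@"; do
        printf 'iptables -t raw -A PREROUTING -i %s -p tcp --dport %s -j ACCEPT\n' "$EXT_IF" "$p"
    done
    printf 'iptables -t raw -A PREROUTING -i %s -p tcp --dport %s -j ACCEPT\n' "$EXT_IF" "$EPHEMERAL"
    printf 'iptables -t raw -A PREROUTING -i %s -p tcp -j NOTRACK\n' "$EXT_IF"

    # filter table: accept established/related flows, then the services, then
    # drop unsolicited packets to the ephemeral range (they are tracked, so a
    # dropped SYN is never confirmed into the conntrack table), then tarpit.
    printf 'iptables -A INPUT -i %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$EXT_IF"
    for p in "$@"; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$EXT_IF" "$p"
    done
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$EXT_IF" "$EPHEMERAL"
    printf 'iptables -A INPUT -i %s -p tcp -j TARPIT\n' "$EXT_IF"
}

# Usage: sh tarpit-rules.sh 22 443 > rules.sh ; review rules.sh, then run it as root.
if [ "$#" -gt 0 ]; then
    gen_tarpit_rules "$@"
fi
```

The untracked packets hit the filter table with conntrack state UNTRACKED, so they cannot match the ESTABLISHED rule and fall through to the port accepts and finally TARPIT, which is the ordering the reply relies on. Before loading the output on a busy box, check that every port the firewall itself listens on is in the argument list; anything left out gets tarpitted.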

