Re: Tarpit usage question

Ex.  The firewall external IP is 22.33.44.1 and I also assign 2-6 to the
firewall and NAT them in locally to 10.0.0.2-6 accordingly.  With this
said, if I set up the rules below on the raw table I'm assuming that it
will only be caught on the 22.33.44.1 IP.  Is this assumption wrong, or
should I also qualify the addresses that I care about on the raw table?

# The raw table has no INPUT chain; inbound packets traverse raw PREROUTING.
iptables -t raw -A PREROUTING -d 22.33.44.55 -p tcp --dport 22 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.55 -p tcp --dport 443 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.55 -p tcp -j NOTRACK
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp -j TARPIT

Well, the idea that I was after was that you explicitly handle anything except what you know to (likely) be valid traffic in such a way that it will not be connection tracked and ultimately TARPITed. Thus, if you have multiple valid source IP / port combinations, you would want to do a series of ACCEPT targets.

# raw table: ACCEPT the known-good services so they stay connection tracked,
# then NOTRACK every other TCP packet to that address.  The raw table has no
# INPUT chain, so these go in PREROUTING.
iptables -t raw -A PREROUTING -d 22.33.44.55 -p tcp --dport 22 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.55 -p tcp --dport 443 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.55 -p tcp -j NOTRACK
iptables -t raw -A PREROUTING -d 22.33.44.1 -p tcp --dport 22 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.1 -p tcp --dport 443 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.1 -p tcp -j NOTRACK
iptables -t raw -A PREROUTING -d 22.33.44.2 -p tcp --dport 22 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.2 -p tcp --dport 443 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.2 -p tcp -j NOTRACK
...
# filter table: same per-address split, ACCEPT the services and TARPIT the rest.
iptables -t filter -A INPUT -d 22.33.44.55 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -d 22.33.44.55 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -d 22.33.44.55 -p tcp -j TARPIT
iptables -t filter -A INPUT -d 22.33.44.1 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -d 22.33.44.1 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -d 22.33.44.1 -p tcp -j TARPIT
iptables -t filter -A INPUT -d 22.33.44.2 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -d 22.33.44.2 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -d 22.33.44.2 -p tcp -j TARPIT

Something else that you might want to look into would be using the set match extension.  The set match extension would be a good match for what you are doing, as you can build a set of IP addresses and/or ports and/or <bla> that can be bound together in such a way that you could match all the valid traffic in one rule vs multiple rules.  If you want help looking into this, let me know and I'll be glad to help.



Grant. . . .
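The set-based layout Grant describes above, written out as an added example (not code from the thread). It assumes set names valid_svc and fw_addrs, the 22.33.44.1-6 addresses from the question, and TCP ports 22 and 443 as the only services that should be connection tracked; everything else destined to the firewall addresses is NOTRACKed and TARPITed by one rule per table.

```shell
#!/bin/sh
# Added example (not from the thread): one ipset lookup per table instead of
# per-address rule lists.  Set names valid_svc / fw_addrs, the 22.33.44.1-6
# addresses and ports 22/443 are assumptions taken from the question above.
# Needs the ipset tool, the xt_set match and (for TARPIT) xtables-addons.
# With APPLY=1 and root the commands are executed; otherwise they are printed.

FW_PREFIX="22.33.44"
FW_HOSTS="1 2 3 4 5 6"      # external addresses NATed in to 10.0.0.x
VALID_PORTS="22 443"        # TCP services that should be tracked and accepted

# Emit the ipset and iptables commands, one per line, without running them.
gen_rules() {
    echo "ipset create fw_addrs hash:ip -exist"
    echo "ipset create valid_svc hash:ip,port -exist"
    for h in $FW_HOSTS; do
        echo "ipset add fw_addrs $FW_PREFIX.$h -exist"
        # one (address, tcp port) entry per service legitimately offered there
        for p in $VALID_PORTS; do
            echo "ipset add valid_svc $FW_PREFIX.$h,tcp:$p -exist"
        done
    done
    # raw table: valid services keep conntrack; every other TCP packet to a
    # firewall address is NOTRACKed so tarpitted scans never fill conntrack.
    # (raw has no INPUT chain, so inbound packets are handled in PREROUTING.)
    echo "iptables -t raw -A PREROUTING -p tcp -m set --match-set valid_svc dst,dst -j ACCEPT"
    echo "iptables -t raw -A PREROUTING -p tcp -m set --match-set fw_addrs dst -j NOTRACK"
    # filter table: the same two decisions, ACCEPT or TARPIT, one rule each
    echo "iptables -t filter -A INPUT -p tcp -m set --match-set valid_svc dst,dst -j ACCEPT"
    echo "iptables -t filter -A INPUT -p tcp -m set --match-set fw_addrs dst -j TARPIT"
}

# Number of iptables rules the set-based version needs (sanity check).
rule_count() {
    gen_rules | grep -c '^iptables '
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | sh -e          # apply for real (root required)
else
    gen_rules                  # dry run: show what would be applied
fi
```

Adding a seventh address or a third service is then an `ipset add`, with no change to the rule set.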

