On Wed, Aug 01, 2007 at 10:53:07PM -0300, Juan Carlos Castro y Castro wrote:
> (Please CC me as I'm not on the list)
>
> Is it possible to use the TARPIT module without auto-loading conntrack
> modules and still leaving the machine able to make outbound connections? I
> tried the following and it didn't work. Using -m state --state ESTABLISHED
> loads the conntrack modules and therefore leaves the machine open to
> resource waste by connections that get tarpitted. Is there a solution? Or
> will I have to separate a machine for the purpose, and leave it unable to
> make outbound TCP connections?
>
> -A INPUT -s 127.0.0.0/8 -j ACCEPT
> -A INPUT -s (some source) -p tcp -m tcp --dport (some port) -j ACCEPT
> -A INPUT -s (other source) -p tcp -m tcp --dport (other port) -j ACCEPT
> -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TARPIT
> -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j TARPIT

According to the iptables man page, you have to use the NOTRACK target to avoid that.

[quote]
If you use the conntrack module while you are using TARPIT, you should also use the NOTRACK target, or the kernel will unnecessarily allocate resources for each TARPITted connection. To TARPIT incoming connections to the standard IRC port while using conntrack, you could:

iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
iptables -A INPUT -p tcp --dport 6667 -j TARPIT
[/quote]

Does it help?

--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
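As an added example (mine, not from the thread or from the iptables project), a small POSIX sh script that emits an iptables-restore ruleset applying the man page advice to the original question: NOTRACK for the tarpitted port in the raw table, an ESTABLISHED accept so the host's own outbound connections keep working, and a checker that flags any TARPIT rule lacking its NOTRACK counterpart. The chain policies, the lo rule and the port argument handling are assumptions for illustration; port 6667 is the man page's IRC example.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset that
# tarpits one TCP port without a per-connection conntrack cost while this
# host can still open outbound connections. Chain policies and the lo rule
# are assumptions; the NOTRACK/TARPIT pairing is the man page's advice.

gen_rules() {
  port="$1"
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound packets to the tarpitted port bypass conntrack entirely, so a
# connection held open by TARPIT never occupies a conntrack table entry.
-A PREROUTING -p tcp --dport $port -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to this host's own outbound connections arrive on an ephemeral
# local port, not $port, so they are still tracked and accepted here.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Untracked packets carry state UNTRACKED, never ESTABLISHED, so they fall
# through the rule above and reach the tarpit.
-A INPUT -p tcp --dport $port -j TARPIT
COMMIT
EOF
}

# Return 0 when every port TARPITted in a ruleset (iptables-save format on
# stdin) also has a matching NOTRACK rule, 1 otherwise. Useful as a check
# that no TARPIT rule was added without its conntrack bypass.
check_rules() {
  rules=$(cat)
  for p in $(printf '%s\n' "$rules" | sed -n 's/.*--dport \([0-9][0-9]*\) -j TARPIT.*/\1/p'); do
    printf '%s\n' "$rules" | grep -q -- "--dport $p -j NOTRACK" || return 1
  done
  return 0
}

gen_rules "${1:-6667}"
```

Pipe the output to iptables-restore to load it; run the same output through check_rules before loading if the ruleset is edited by hand.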