Re: How to tarpit without loading conntrack modules?

On Wed, Aug 01, 2007 at 10:53:07PM -0300, Juan Carlos Castro y Castro wrote:
> (Please CC me as I'm not on the list)
>
> Is it possible to use the TARPIT module without auto-loading conntrack 
> modules and still leaving the machine able to make outbound connections? I 
> tried the following and it didn't work. Using -m state --state ESTABLISHED 
> loads the conntrack modules and therefore leaves the machine open to 
> resource waste by connections that get tarpitted. Is there a solution? Or 
> will I have to separate a machine for the purpose, and leave it unable to 
> make outbound TCP connections?
>
> -A INPUT -s 127.0.0.0/8 -j ACCEPT
> -A INPUT -s (some source) -p tcp -m tcp --dport (some port) -j ACCEPT
> -A INPUT -s (other source) -p tcp -m tcp --dport (other port) -j ACCEPT
> -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TARPIT
> -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j TARPIT
>

According to the iptables man page, you have to use the NOTRACK target
to avoid that.

[quote]
If you use the conntrack module while you are using TARPIT, you should
also use the NOTRACK target, or the kernel will unnecessarily allocate
resources for each TARPITted connection. To TARPIT incoming connections 
to the standard IRC port while using conntrack, you could:

iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK

iptables -A INPUT -p tcp --dport 6667 -j TARPIT
[/quote]

Does it help?

-- 
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
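The man page fragment quoted in the reply above shows the NOTRACK/TARPIT pairing for a single port. The script below is an added example written for this archive page (it is not part of Franck's reply, nor from the netfilter project) that generates a complete iptables-restore ruleset combining that pairing with the original poster's shape of policy: loopback and a few trusted source/port pairs are accepted, the machine's own outbound TCP is served by an ESTABLISHED rule, and a list of ports is tarpitted without ever creating a conntrack entry. The port numbers, addresses, and the `build_ruleset` / `check_pairing` helper names are constructed for the example. Scoping NOTRACK to the tarpit ports only, rather than to all inbound TCP, is the point: untracked packets never match `--state ESTABLISHED`, so if the replies to outbound connections were untracked they would fall through to the TARPIT rules as well.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset
# that pairs a raw-table NOTRACK rule with a TARPIT rule for each
# tarpitted port, so conntrack never allocates an entry for those
# connections while the host's own outbound TCP stays tracked.
# All ports and addresses below are constructed placeholders.

# Ports to tarpit (constructed; 6667 is the IRC port from the man page).
TARPIT_PORTS="6667 1433"
# Trusted source:port pairs that are accepted outright (constructed).
ALLOW_RULES="192.0.2.10:22 192.0.2.0/24:80"

# raw table: NOTRACK runs in PREROUTING before conntrack sees the packet.
raw_table() {
    printf '%s\n' '*raw' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for p in $TARPIT_PORTS; do
        printf '%s\n' "-A PREROUTING -p tcp --dport $p -j NOTRACK"
    done
    printf '%s\n' 'COMMIT'
}

# filter table: untracked packets cannot match --state ESTABLISHED, so
# they fall past that rule into the TARPIT rules; tracked replies to
# the host's own outbound connections are accepted by it.
filter_table() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for spec in $ALLOW_RULES; do
        src=${spec%%:*}; port=${spec##*:}
        printf '%s\n' "-A INPUT -s $src -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $TARPIT_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j TARPIT"
    done
    printf '%s\n' 'COMMIT'
}

build_ruleset() { raw_table; filter_table; }

# Number of rules in the generated set that jump to the given target.
count_rules() {
    build_ruleset | grep -c -- "-j $1"
}

# Every TARPIT rule must have a matching NOTRACK rule, otherwise some
# tarpitted port would still cost a conntrack entry per connection.
check_pairing() {
    [ "$(count_rules NOTRACK)" -eq "$(count_rules TARPIT)" ]
}

# Usage: sh tarpit-notrack.sh          -> print the ruleset for review
#        sh tarpit-notrack.sh --apply  -> load it (requires root)
case "${1:-}" in
    --apply) check_pairing && build_ruleset | iptables-restore ;;
    *)       build_ruleset ;;
esac
```

Running it without arguments prints the two tables for inspection; `--apply` loads them with iptables-restore only after the pairing check passes. The NOTRACK rules live in the raw table because that is the only place a packet can be marked before conntrack runs, which is exactly what the quoted man page relies on.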

