From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: Tarpit usage question
Date: Thu, 12 May 2005 18:37:00 -0500
Message-ID: <4283E89C.5050709@riverviewtech.net>
In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE582907389@pxtbenexd01.pxt.primeexalia.com>

> Hi guys,
> 
> I had a usage question about tarpit in respect to connection tracking.
> We have a firewall that has a fairly heavy usage so we have put a
> separate box external of the firewall to do tarpitting of port scanners.
> Anyways, we are still being hit pretty hard by many things on this
> firewall.  I was thinking about configuring tarpit on the firewall
> cluster but wanted to ensure that connection tracking wasn't a problem.
> 
> Is it as simple as just sending the connection to the NOTRACK chain
> before sending it to tarpit?
> 
> # raw table has no INPUT chain; its built-in chains are PREROUTING and OUTPUT
> iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
> iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
> 
> Is there a better approach to this?  Will this even work?  The rules
> above are more or less just a sample.  I would want to block almost all
> traffic destined for the input chain on the firewall on the external
> interface unless it is related traffic.

If you were worried about just one port, as in your example, I would do what you have done.  However, if you are planning on TARPITing a lot of ports (the majority of them) I would be tempted to do something like the following:

# raw table (runs before connection tracking; it has no INPUT chain,
# so the decision is made in PREROUTING): track only the known good ports
iptables -t raw -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -t raw -A PREROUTING -p tcp --dport 443 -j ACCEPT
iptables -t raw -A PREROUTING -p tcp -j NOTRACK
# filter table: accept the known good ports, tarpit everything else
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp -j TARPIT

This should cause any traffic that is not destined to known good ports not to be tracked and thus safe to send to the TARPIT.



Grant. . . .
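
As an added example (not part of the thread), the rule set Grant describes, written as a small shell script that prints the rules instead of loading them. Three things are adapted from the reply above: the raw table has no INPUT chain (only PREROUTING and OUTPUT), so the NOTRACK decision is made in PREROUTING; the rules are limited to one external interface, as the original poster wanted, and tracked RELATED,ESTABLISHED traffic is accepted first; and only the initial SYN of an unwanted connection is untracked, so that replies to the firewall's own outbound TCP connections (which arrive with ACK set and an existing conntrack entry) are not swept into the TARPIT. The interface name eth0, the port list 22/443 and the IPT dry-run variable are assumptions of this example; TARPIT itself is the xtables-addons target the thread discusses.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the raw/filter rule set from
# Grant's reply, with the NOTRACK decision moved to the raw PREROUTING chain
# (the raw table has no INPUT chain), limited to one external interface, and
# untracking only the initial SYN of unwanted connections.
# Interface name and port list are assumed values. IPT defaults to
# "echo iptables" so the script prints the rules instead of loading them and
# runs without root or the TARPIT module.
IPT="${IPT:-echo iptables}"

# tarpit_rules IFACE PORT... : emit the rules for one interface.
tarpit_rules() {
    iface=$1; shift
    # Raw table runs before conntrack: let the service ports be tracked,
    # untrack every other new connection attempt (SYN without ACK).
    for p in "$@"; do
        $IPT -t raw -A PREROUTING -i "$iface" -p tcp --dport "$p" -j ACCEPT
    done
    $IPT -t raw -A PREROUTING -i "$iface" -p tcp --syn -j NOTRACK
    # Filter table: keep tracked flows, allow the service ports, tarpit the
    # rest. An untracked SYN has ctstate UNTRACKED, so it falls through to
    # TARPIT; later packets of that flow have no conntrack entry and are
    # INVALID (with nf_conntrack_tcp_loose=0), so they reach TARPIT as well.
    $IPT -t filter -A INPUT -i "$iface" -m conntrack \
        --ctstate RELATED,ESTABLISHED -j ACCEPT
    for p in "$@"; do
        $IPT -t filter -A INPUT -i "$iface" -p tcp --dport "$p" -j ACCEPT
    done
    $IPT -t filter -A INPUT -i "$iface" -p tcp -j TARPIT
}

# count_target RULES TARGET: number of rules jumping to TARGET, for checking
# the generated set before loading it.
count_target() {
    printf '%s\n' "$1" | grep -c -- "-j $2"
}

RULES=$(tarpit_rules eth0 22 443)
printf '%s\n' "$RULES"
```

Run it as-is to review the rules, or with `IPT=iptables` as root to load them. The SYN-only variant depends on `net.netfilter.nf_conntrack_tcp_loose=0`: with the default of 1, conntrack picks up the tarpitted client's ACK as an ESTABLISHED flow, the RELATED,ESTABLISHED rule accepts it, and the local stack answers with a RST, releasing the client. Grant's original form (untracking all non-whitelisted TCP) has no such dependency but also untracks replies to connections the firewall itself opens over that interface. Either way, after loading, `conntrack -L` from conntrack-tools should show no entries for the tarpitted ports, which is the point of the NOTRACK rule.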


Thread overview (5+ messages):
2005-05-12  6:57 Tarpit usage question  Gary W. Smith
2005-05-12 23:37 ` Taylor, Grant [this message]
2005-05-13  7:01 Gary W. Smith
2005-05-13 15:12 ` Taylor, Grant
2005-05-13 15:16 Gary W. Smith