From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: Tarpit usage question
Date: Fri, 13 May 2005 10:12:31 -0500
Message-ID: <4284C3DF.3060102@riverviewtech.net>
In-Reply-To: <57F9959B46E0FA4D8BA88AEDFBE58290738C@pxtbenexd01.pxt.primeexalia.com>
> Ex. The firewall external IP is 22.33.44.1 and I also assign 2-6 to the
> firewall and NAT them in locally to 10.0.0.2-6 accordingly. With this
> said, if I set up the rules below on the raw table I'm assuming that it
> will only be caught on the 22.33.44.1 IP. Is this assumption wrong or
> should I also qualify the addresses that I care about on the raw table?
>
> iptables -t raw -A PREROUTING -d 22.33.44.55 -p tcp --dport 22 -j ACCEPT
> iptables -t raw -A PREROUTING -d 22.33.44.55 -p tcp --dport 443 -j ACCEPT
> iptables -t raw -A PREROUTING -d 22.33.44.55 -p tcp -j NOTRACK
> iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
> iptables -t filter -A INPUT -p tcp -j TARPIT
Well, the idea that I was after was that you explicitly handle anything except what you know to (likely) be valid traffic in such a way that it will not be connection tracked and ultimately TARPITed. Thus if you have multiple valid source IP / port combinations you would want to do a series of ACCEPT targets.
# raw table: only PREROUTING and OUTPUT chains exist here, so inbound
# rules go in PREROUTING. Known-good ports are ACCEPTed (tracked as usual);
# everything else to the address is NOTRACKed so it never occupies conntrack.
iptables -t raw -A PREROUTING -d 22.33.44.55 -p tcp --dport 22 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.55 -p tcp --dport 443 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.55 -p tcp -j NOTRACK
iptables -t raw -A PREROUTING -d 22.33.44.1 -p tcp --dport 22 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.1 -p tcp --dport 443 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.1 -p tcp -j NOTRACK
iptables -t raw -A PREROUTING -d 22.33.44.2 -p tcp --dport 22 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.2 -p tcp --dport 443 -j ACCEPT
iptables -t raw -A PREROUTING -d 22.33.44.2 -p tcp -j NOTRACK
...
# filter table: the same known-good ports are ACCEPTed; any other TCP to
# the address (already untracked above) is TARPITed.
iptables -t filter -A INPUT -d 22.33.44.55 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -d 22.33.44.55 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -d 22.33.44.55 -p tcp -j TARPIT
iptables -t filter -A INPUT -d 22.33.44.1 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -d 22.33.44.1 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -d 22.33.44.1 -p tcp -j TARPIT
iptables -t filter -A INPUT -d 22.33.44.2 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -d 22.33.44.2 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -d 22.33.44.2 -p tcp -j TARPIT
Something else that you might want to look in to would be using the set match extension. The set match extension would be a good match for what you are doing, as you can build a set of IP addresses, and / or ports, and / or <bla> that can be bound together in such a way that you could match all the valid traffic in one rule vs multiple rules. If you want help looking in to this let me know and I'll be glad to help.
Grant. . . .
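The per-address series above, and the single-rule set-match variant Grant suggests, as an added example that is not part of the original thread: a script that prints the rule set for a list of addresses and ports (reviewed before being applied), then the same policy collapsed with ipset, the modern form of the set match. The addresses and ports are the thread's; the set names valid_svc and tarpit_hosts are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Prints the rule series
# described above for a list of public addresses and service ports, then
# the same policy collapsed with ipset, the modern form of the set match.
# Commands are printed rather than executed so they can be reviewed first.
# Addresses and ports are the thread's; the set names are placeholders.
ADDRS="22.33.44.55 22.33.44.1 22.33.44.2"
PORTS="22 443"

# One address: known-good ports are ACCEPTed in raw so they are tracked
# as usual; any other TCP to that address is NOTRACKed in raw and then
# TARPITed in filter, so tarpitted probes never occupy conntrack entries.
# The raw table has only PREROUTING and OUTPUT chains, hence PREROUTING.
rules_for_addr() {
    for p in $PORTS; do
        echo "iptables -t raw -A PREROUTING -d $1 -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -t raw -A PREROUTING -d $1 -p tcp -j NOTRACK"
    for p in $PORTS; do
        echo "iptables -t filter -A INPUT -d $1 -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -t filter -A INPUT -d $1 -p tcp -j TARPIT"
}

# The full per-address series that the reply above writes out by hand.
gen_rules() {
    for a in $ADDRS; do rules_for_addr "$a"; done
}

# Same policy with two sets: valid (address,port) pairs and the addresses
# subject to tarpitting. Four iptables rules replace six per address.
gen_ipset_rules() {
    echo "ipset create valid_svc hash:ip,port"
    echo "ipset create tarpit_hosts hash:ip"
    for a in $ADDRS; do
        echo "ipset add tarpit_hosts $a"
        for p in $PORTS; do echo "ipset add valid_svc $a,tcp:$p"; done
    done
    echo "iptables -t raw -A PREROUTING -p tcp -m set --match-set valid_svc dst,dst -j ACCEPT"
    echo "iptables -t raw -A PREROUTING -p tcp -m set --match-set tarpit_hosts dst -j NOTRACK"
    echo "iptables -t filter -A INPUT -p tcp -m set --match-set valid_svc dst,dst -j ACCEPT"
    echo "iptables -t filter -A INPUT -p tcp -m set --match-set tarpit_hosts dst -j TARPIT"
}

# Number of rules a generator emits, to sanity-check the expansion.
count_lines() { "$1" | wc -l | tr -d ' '; }

gen_rules
gen_ipset_rules
```

One caveat for the NATed addresses in the question: NAT depends on conntrack, so a packet NOTRACKed in raw cannot be DNATed to 10.0.0.2-6, and DNATed traffic traverses FORWARD rather than INPUT, so these rules only cover connections that terminate on the firewall itself.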
2005-05-13 7:01 Tarpit usage question Gary W. Smith
2005-05-13 15:12 ` Taylor, Grant [this message]
-- strict thread matches above, loose matches on Subject: below --
2005-05-13 15:16 Gary W. Smith
2005-05-12 6:57 Gary W. Smith
2005-05-12 23:37 ` Taylor, Grant