Linux Netfilter discussions
* How to tarpit without loading conntrack modules?
@ 2007-08-02  1:53 Juan Carlos Castro y Castro
  2007-08-06 13:01 ` Franck Joncourt
  0 siblings, 1 reply; 2+ messages in thread
From: Juan Carlos Castro y Castro @ 2007-08-02  1:53 UTC (permalink / raw)
  To: netfilter

(Please CC me as I'm not on the list)

Is it possible to use the TARPIT module without auto-loading conntrack 
modules and still leaving the machine able to make outbound connections? 
I tried the following and it didn't work. Using -m state --state 
ESTABLISHED loads the conntrack modules and therefore leaves the machine 
open to resource waste by connections that get tarpitted. Is there a 
solution? Or will I have to separate a machine for the purpose, and 
leave it unable to make outbound TCP connections?

-A INPUT -s 127.0.0.0/8 -j ACCEPT
-A INPUT -s (some source) -p tcp -m tcp --dport (some port) -j ACCEPT
-A INPUT -s (other source) -p tcp -m tcp --dport (other port) -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TARPIT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j TARPIT


* Re: How to tarpit without loading conntrack modules?
  2007-08-02  1:53 How to tarpit without loading conntrack modules? Juan Carlos Castro y Castro
@ 2007-08-06 13:01 ` Franck Joncourt
  0 siblings, 0 replies; 2+ messages in thread
From: Franck Joncourt @ 2007-08-06 13:01 UTC (permalink / raw)
  To: netfilter


On Wed, Aug 01, 2007 at 10:53:07PM -0300, Juan Carlos Castro y Castro wrote:
> (Please CC me as I'm not on the list)
>
> Is it possible to use the TARPIT module without auto-loading conntrack 
> modules and still leaving the machine able to make outbound connections? I 
> tried the following and it didn't work. Using -m state --state ESTABLISHED 
> loads the conntrack modules and therefore leaves the machine open to 
> resource waste by connections that get tarpitted. Is there a solution? Or 
> will I have to separate a machine for the purpose, and leave it unable to 
> make outbound TCP connections?
>
> -A INPUT -s 127.0.0.0/8 -j ACCEPT
> -A INPUT -s (some source) -p tcp -m tcp --dport (some port) -j ACCEPT
> -A INPUT -s (other source) -p tcp -m tcp --dport (other port) -j ACCEPT
> -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TARPIT
> -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j TARPIT
>

According to the iptables man page, you have to use the NOTRACK target
to avoid that.

[quote]
If you use the conntrack module while you are using TARPIT, you should
also use the NOTRACK target,  or the kernel will unnecessarily allocate
resources for each TARPITted connection. To TARPIT incoming connections 
to the standard IRC port while using conntrack, you could:

iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK

iptables -A INPUT -p tcp --dport 6667 -j TARPIT
[/quote]

Does it help?

-- 
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE


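The fix Franck quotes from the man page, carried through to the original poster's situation, as an added example (not code from the thread, nor from the iptables or xtables-addons projects): conntrack stays loaded so the host's own outbound connections still match ESTABLISHED, while the tarpitted ports are exempted from tracking in the raw table, which runs before conntrack ever sees the packet. The port lists, the addresses and the conntrack table lines are constructed for the example; `gen_ruleset`, `tracked_entries_for_port` and `SAMPLE_CONNTRACK` are names chosen here. The only assumption about the host is that the kernel has the TARPIT target available.

```shell
#!/bin/sh
# Added example for the NOTRACK + TARPIT combination; not part of the thread.
set -eu

ALLOWED_PORTS="22 443"   # constructed: services this host really offers
TARPIT_PORTS="25 6667"   # constructed: ports to tarpit; conntrack must never track them

# Emit an iptables-restore ruleset. The raw table is consulted before connection
# tracking, so the NOTRACK rules there stop the kernel from allocating a conntrack
# entry for each tarpitted connection. Untracked packets never match ESTABLISHED,
# so in the filter table they fall through to the TARPIT rule, while replies to
# this host's own outbound connections are tracked as usual and accepted.
gen_ruleset() {
    printf '%s\n' '*raw' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for p in $TARPIT_PORTS; do
        printf '%s\n' "-A PREROUTING -p tcp --dport $p -j NOTRACK"
    done
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $ALLOWED_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $TARPIT_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j TARPIT"
    done
    printf '%s\n' 'COMMIT'
}

# Constructed conntrack table dump in /proc/net/nf_conntrack format:
#   line 1: the host's outbound HTTPS connection (should be tracked)
#   line 2: the host's outbound IRC connection to a remote 6667 (tracked, fine)
#   line 3: an inbound connection to the host's own port 6667 (must NOT exist once
#           NOTRACK is in place; it is here so the check below has something to find)
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=40001 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 118 SYN_SENT src=192.0.2.10 dst=198.51.100.7 sport=40002 dport=6667 src=198.51.100.7 dst=192.0.2.10 sport=6667 dport=40002 mark=0 use=1
ipv4     2 tcp      6 119 SYN_RECV src=203.0.113.9 dst=192.0.2.10 sport=55555 dport=6667 src=192.0.2.10 dst=203.0.113.9 sport=6667 dport=55555 mark=0 use=1'

# Count conntrack entries whose original direction is addressed to LOCAL_IP:PORT,
# reading the dump named by the third argument (default /proc/net/nf_conntrack;
# "-" reads stdin). Only the first dst=/dport= pair of a line is the original
# direction, so the host's own outbound connections to the same remote port are
# not counted. After loading the ruleset this should stay at 0 for every tarpit
# port, however many peers are stuck in the tarpit.
tracked_entries_for_port() {
    port=$1
    local_ip=$2
    dump=${3:-/proc/net/nf_conntrack}
    awk -v p="$port" -v ip="$local_ip" '
        /dport=/ {
            dst = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            if (dst == ip && dport == p) n++
        }
        END { print n + 0 }
    ' "$dump"
}

# Stand-alone use: "./tarpit.sh --apply" loads the ruleset (needs root); with no
# argument it only prints the ruleset and the check against the constructed dump.
if [ "${1:-}" = "--apply" ]; then
    gen_ruleset | iptables-restore
else
    gen_ruleset
    printf 'tracked entries for 192.0.2.10:6667 in sample dump: %s\n' \
        "$(printf '%s\n' "$SAMPLE_CONNTRACK" | tracked_entries_for_port 6667 192.0.2.10 -)"
fi
```

Two points worth keeping in mind when adapting this: the NOTRACK rule must live in the raw table's PREROUTING chain, since a NOTRACK in the filter table would come too late and conntrack would already have allocated the entry; and the tarpitted ports should lie outside the host's own ephemeral range (net.ipv4.ip_local_port_range), because a NOTRACK keyed on destination port would otherwise also untrack the replies to the host's outbound connections, which then no longer match ESTABLISHED. The `-m conntrack --ctstate` match is the current spelling of the `-m state --state` match from the original post; both behave the same here.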
