Finally fix iptables -m conntrack (#988), bump release numnber
[openwrt/svn-archive/archive.git] / package / iptables / patches / 1.4.0 / 007-tarpit_support.patch
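Index: iptables-1.4.0/extensions/libxt_TARPIT.c
===================================================================
--- /dev/null
+++ iptables-1.4.0/extensions/libxt_TARPIT.c
@@ -0,0 +1,55 @@
+/* Shared library add-on to iptables to add TARPIT target support */
+#include <stdio.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/x_tables.h>
+
+static void TARPIT_help(void)
+{
+ fputs(
+"TARPIT takes no options\n"
+"\n", stdout);
+}
+
+static struct option TARPIT_opts[] = {
+ { 0 }
+};
+
+static int TARPIT_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ return 0;
+}
+
+static void TARPIT_final_check(unsigned int flags)
+{
+}
+
+static void TARPIT_print(const void *ip, const struct xt_entry_target *target,
+ int numeric)
+{
+}
+
+static void TARPIT_save(const void *ip, const struct xt_entry_target *target)
+{
+}
+
+static struct xtables_target tarpit_target = {
+ .family = AF_INET,
+ .name = "TARPIT",
+ .version = IPTABLES_VERSION,
+ .size = XT_ALIGN(0),
+ .userspacesize = XT_ALIGN(0),
+ .help = TARPIT_help,
+ .parse = TARPIT_parse,
+ .final_check = TARPIT_final_check,
+ .print = TARPIT_print,
+ .save = TARPIT_save,
+ .extra_opts = TARPIT_opts
+};
+
+void _init(void)
+{
+ xtables_register_target(&tarpit_target);
+}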
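Review bot: The one-line file header is the only documentation in libxt_TARPIT.c, and nothing explains why TARPIT_parse, TARPIT_final_check, TARPIT_print and TARPIT_save are all no-ops; a reader has to infer from `.size = XT_ALIGN(0)` that the target carries no per-rule data. I would extend the header to `/* Shared library add-on to iptables to add TARPIT target support. The target takes no options and carries no per-rule data (size 0), so parse/print/save have nothing to do; the tarpitting itself is implemented by the kernel xt_TARPIT module that .TARPIT-testx probes for. */` and add `/* no options: any argument after -j TARPIT is left for the core to reject */` above TARPIT_parse, since returning 0 unconditionally presumably leaves unknown-option handling to the iptables core. Separately, `.family = AF_INET` depends on `AF_INET` reaching this file through `xtables.h`, as no `<sys/socket.h>` is included here; worth confirming against the 1.4.0 headers so the build does not depend on an indirect include. The TCP-only usage and the conntrack/NOTRACK caveat are documented only in the man page added in the next section, so a pointer to it from the C header would help maintainers who only open this file.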
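Index: iptables-1.4.0/extensions/libxt_TARPIT.man
===================================================================
--- /dev/null
+++ iptables-1.4.0/extensions/libxt_TARPIT.man
@@ -0,0 +1,34 @@
+Captures and holds incoming TCP connections using no local
+per-connection resources. Connections are accepted, but immediately
+switched to the persist state (0 byte window), in which the remote
+side stops sending data and asks to continue every 60-240 seconds.
+Attempts to close the connection are ignored, forcing the remote side
+to time out the connection in 12-24 minutes.
+
+This offers similar functionality to LaBrea
+<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
+hardware or IPs. Any TCP port that you would normally DROP or REJECT
+can instead become a tarpit.
+
+To tarpit connections to TCP port 80 destined for the current machine:
+.IP
+iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
+.P
+To significantly slow down Code Red/Nimda-style scans of unused address
+space, forward unused ip addresses to a Linux box not acting as a router
+(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
+forwarding on the Linux box, and add:
+.IP
+iptables -A FORWARD -p tcp -j TARPIT
+.IP
+iptables -A FORWARD -j DROP
+.TP
+NOTE:
+If you use the conntrack module while you are using TARPIT, you should
+also use the NOTRACK target, or the kernel will unnecessarily allocate
+resources for each TARPITted connection. To TARPIT incoming
+connections to the standard IRC port while using conntrack, you could:
+.IP
+iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
+.IP
+iptables -A INPUT -p tcp --dport 6667 -j TARPIT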
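Index: iptables-1.4.0/extensions/.TARPIT-testx
===================================================================
--- /dev/null
+++ iptables-1.4.0/extensions/.TARPIT-testx
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f "$KERNEL_DIR/net/netfilter/xt_TARPIT.c" ] && echo "TARPIT"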