mirror of
git://git.code.sf.net/p/xtables-addons/xtables-addons
synced 2025-09-07 13:15:12 +02:00

Populate the iptables-addons repository with two modules, xt_TARPIT and xt_TEE, as a starting point. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
34 lines
1.4 KiB
Groff
+Captures and holds incoming TCP connections using no local per-connection
+resources. Connections are accepted, but immediately switched to the persist
+state (0 byte window), in which the remote side stops sending data and asks to
+continue every 60-240 seconds. Attempts to close the connection are ignored,
+forcing the remote side to time out the connection in 12-24 minutes.
+
+This offers similar functionality to LaBrea
+<http://www.hackbusters.net/LaBrea/> but does not require dedicated hardware or
+IPs. Any TCP port that you would normally DROP or REJECT can instead become a
+tarpit.
+
+To tarpit connections to TCP port 80 destined for the current machine:
+.IP
+-A INPUT -p tcp -m tcp --dport 80 -j TARPIT
+.P
+To significantly slow down Code Red/Nimda-style scans of unused address space,
+forward unused ip addresses to a Linux box not acting as a router (e.g. "ip
+route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP forwarding on
+the Linux box, and add:
+.IP
+-A FORWARD -p tcp -j TARPIT
+.IP
+-A FORWARD -j DROP
+.TP
+NOTE:
+If you use the conntrack module while you are using TARPIT, you should also use
+the NOTRACK target, or the kernel will unnecessarily allocate resources for
+each TARPITted connection. To TARPIT incoming connections to the standard IRC
+port while using conntrack, you could:
+.IP
+-t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
+.IP
+-A INPUT -p tcp --dport 6667 -j TARPIT
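Review bot: the NOTE at the end restricts the conntrack caveat to the port 6667 INPUT example, but the FORWARD example for unused address space (`-A FORWARD -p tcp -j TARPIT` followed by `-A FORWARD -j DROP`) has the same problem: with conntrack loaded, every tarpitted forwarded flow still gets a conntrack entry for the whole 12-24 minute hold described above, and a box deliberately attracting scans of a /8 is exactly where that table fills up. Suggest either adding a matching `-t raw -A PREROUTING -d 10.0.0.0/8 -p tcp -j NOTRACK` line to that example or moving the NOTE ahead of the examples so it clearly applies to all of them. Also worth one sentence in the opening paragraph: because connections are accepted rather than dropped, a tarpitted port answers the scanner's SYN, so unlike DROP the host and port become visible to the scan; that is the intended trade-off, but readers replacing DROP rules should be told. Minor: `-p tcp -m tcp --dport 80` in the first example can be written as `-p tcp --dport 80`, consistent with the later examples.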