[gentoo-user] TARPIT iptables target
Dave Jones
2006-02-22 23:20:11 UTC
Hi,

I was reading about the TARPIT target in the man iptables documentation,
and thought I'd like to give it a try. Unfortunately though, it seems
not to be supported in the 2.6.15-1 Gentoo kernel.

Has anyone used the TARPIT target, or know of a way to get it into the
current kernel? Any experience with this target or 'gotchas' about it?

Cheers, Dave
--
gentoo-***@gentoo.org mailing list
Dave Jones
2006-02-23 22:00:37 UTC
Hi Andrew,

Thank you for the tip about TARPIT, the problem is now solved.

To complete the fix I downloaded patch-o-matic-ng and the iptables
source from netfilter.org:

cd /usr/src
svn co https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
svn co https://svn.netfilter.org/netfilter/trunk/iptables

The documentation on using CVS on netfilter.org is outdated; they've
converted to Subversion and CVS is no longer available there.

cd /usr/src/patch-o-matic-ng
./runme extra

Allowed me to select the new iptables targets I wanted.

cd /usr/src/linux
make menuconfig && make && make modules_install && make install

I added the "extensions" USE flag to my /etc/make.conf, then reran the
iptables emerge.

It's all working fine now.

Thanks to both you and Bryce for the help you gave!

Cheers, Dave
> Dave
> to get tarpit support add the "extensions" USE flag when you emerge iptables
> cynyr
>
> > I was reading about the TARPIT target in the man iptables documentation,
> > and thought I'd like to give it a try. Unfortunately though, it seems
> > not to be supported in the 2.6.15-1 Gentoo kernel.
> > Has anyone used the TARPIT target, or know of a way to get it into the
> > current kernel? Any experience with this target or 'gotchas' about it?
darren kirby
2006-02-24 08:10:14 UTC
Dave Jones wrote:
> TARPIT
Just a caveat: Keep in mind that if a bad guy figures out you are using
TARPIT, the very nature of it (i.e. persistent connections) opens your box to
a severe DOS vulnerability, especially if said bad guy has a bot-net at his
disposal.

If you know what you are doing, fair enough, but do keep this in mind if you
intend to use TARPIT on an outward facing box.

-d
--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
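An added example, not code posted by anyone in this thread: one way to deploy the TARPIT target that Dave built above while bounding the exposure darren raises. It does two things the thread does not spell out: it excludes the tarpitted port from connection tracking with the raw table's NOTRACK target (the TARPIT target's own documentation requires this, and without it every held connection also occupies a conntrack entry), and it rate-limits how many new connections per minute are tarpitted at all, dropping the rest. It assumes an iptables with TARPIT installed, a kernel with the raw table and the limit match, and the port, rate and burst values are illustrative choices. Set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Assumes: iptables with the TARPIT target built in (as Dave did), a kernel
# with the raw table / NOTRACK target, and the limit match. The port, rate
# and burst values below are illustrative choices.
set -eu

# Set IPT=echo to print the rules instead of loading them (dry run).
IPT="${IPT:-iptables}"

# Rules for one tarpitted TCP port, in the order they should be loaded:
#  1. raw/NOTRACK: the TARPIT target documentation requires that tarpitted
#     connections are not connection-tracked; without this every held
#     connection also occupies a conntrack entry, which is the resource a
#     flood of connections would exhaust.
#  2. limit on new SYNs: only a bounded number of new connections per minute
#     are tarpitted; SYNs above that rate are dropped.
#  3. all other packets to the port (ACKs and window probes of connections
#     already being held) go to TARPIT so the hold continues.
tarpit_rules() {
    port="$1"
    rate="${2:-30/minute}"
    burst="${3:-60}"
    cat <<EOF
-t raw -A PREROUTING -p tcp --dport $port -j NOTRACK
-A INPUT -p tcp --dport $port --syn -m limit --limit $rate --limit-burst $burst -j TARPIT
-A INPUT -p tcp --dport $port --syn -j DROP
-A INPUT -p tcp --dport $port -j TARPIT
EOF
}

# Load (or, with IPT=echo, print) the rules for each port given.
apply_tarpit_rules() {
    for port in "$@"; do
        tarpit_rules "$port" | while IFS= read -r rule; do
            # Word splitting of $rule into separate arguments is intended here.
            $IPT $rule
        done
    done
}

# Usage (prints the rules; drop IPT=echo and run as root to load them):
#   IPT=echo sh tarpit.sh 25 1433
if [ "$#" -gt 0 ]; then
    apply_tarpit_rules "$@"
fi
```

The two TARPIT rules are deliberate: with conntrack switched off for the port there is no connection state to match on, so the SYN rule is where the rate limit applies, and the final rule lets the later packets of connections that were admitted keep reaching TARPIT.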