public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] TARPIT iptables target
@ 2006-02-22 23:13 Dave Jones
  2006-02-23 14:23 ` Andrew Frink
  0 siblings, 1 reply; 4+ messages in thread
From: Dave Jones @ 2006-02-22 23:13 UTC
  To: gentoo-user

Hi,

I was reading about the TARPIT target in the man iptables documentation,
and thought I'd like to give it a try.  Unfortunately though, it seems
not to be supported in the 2.6.15-1 Gentoo kernel.

Has anyone used the TARPIT target, or know of a way to get it into the
current kernel?  Any experience with this target or 'gotchas' about it?

Cheers, Dave
-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] TARPIT iptables target
  2006-02-22 23:13 [gentoo-user] TARPIT iptables target Dave Jones
@ 2006-02-23 14:23 ` Andrew Frink
  2006-02-23 21:45   ` Dave Jones
  0 siblings, 1 reply; 4+ messages in thread
From: Andrew Frink @ 2006-02-23 14:23 UTC
  To: gentoo-user


Dave
to get tarpit support add the "extensions" USE flag when you emerge iptables
cynyr

On 2/22/06, Dave Jones <Dave.Jones@xs4all.nl> wrote:
>
> Hi,
>
> I was reading about the TARPIT target in the man iptables documentation,
> and thought I'd like to give it a try.  Unfortunately though, it seems
> not to be supported in the 2.6.15-1 Gentoo kernel.
>
> Has anyone used the TARPIT target, or know of a way to get it into the
> current kernel?  Any experience with this target or 'gotchas' about it?
>
> Cheers, Dave
> --
> gentoo-user@gentoo.org mailing list
>


* Re: [gentoo-user] TARPIT iptables target
  2006-02-23 14:23 ` Andrew Frink
@ 2006-02-23 21:45   ` Dave Jones
  2006-02-24  7:59     ` darren kirby
  0 siblings, 1 reply; 4+ messages in thread
From: Dave Jones @ 2006-02-23 21:45 UTC
  To: gentoo-user

Hi Andrew,

Thank you for the tip about TARPIT, the problem is now solved.

To complete the fix I downloaded patch-o-matic-ng and the iptables
source from netfilter.org:

cd /usr/src
svn co https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
svn co https://svn.netfilter.org/netfilter/trunk/iptables

The documentation on using cvs on netfilter.org is outdated; they've
converted to subversion and cvs is no longer available there.

cd /usr/src/patch-o-matic-ng
./runme extra

Allowed me to select the new iptables targets I wanted.

cd /usr/src/linux
make menuconfig && make && make modules_install && make install

I added the "extensions" USE flag to my /etc/make.conf, then reran the
iptables emerge.

It's all working fine now.

Thanks to both you and Bryce for the help you gave!

Cheers, Dave

Andrew Frink wrote on 02/23/06 15:23:
> Dave
> to get tarpit support add the "extensions" USE flag when you emerge iptables
> cynyr

>     I was reading about the TARPIT target in the man iptables documentation,
>     and thought I'd like to give it a try.  Unfortunately though, it seems
>     not to be supported in the 2.6.15-1 Gentoo kernel.

>     Has anyone used the TARPIT target, or know of a way to get it into the
>     current kernel?  Any experience with this target or 'gotchas' about it?




* Re: [gentoo-user] TARPIT iptables target
  2006-02-23 21:45   ` Dave Jones
@ 2006-02-24  7:59     ` darren kirby
  0 siblings, 0 replies; 4+ messages in thread
From: darren kirby @ 2006-02-24  7:59 UTC
  To: gentoo-user


quoth the Dave Jones:
> TARPIT

Just a caveat: Keep in mind that if a bad guy figures out you are using
TARPIT, the very nature of it (ie: persistent connections) opens your box to
a severe DOS vulnerability, especially if said bad guy has a bot-net at his
disposal.

If you know what you are doing, fair enough, but do keep this in mind if you 
intend to use TARPIT on an outward facing box.

-d
-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
