How to tarpit without loading conntrack modules?

Juan Carlos Castro y Castro jcastro at instant.com.br
Thu Aug 2 03:53:07 CEST 2007


(Please CC me as I'm not on the list)

Is it possible to use the TARPIT module without auto-loading conntrack 
modules and still leaving the machine able to make outbound connections? 
I tried the following and it didn't work. Using -m state --state 
ESTABLISHED loads the conntrack modules and therefore leaves the machine 
open to resource waste by connections that get tarpitted. Is there a 
solution? Or will I have to separate a machine for the purpose, and 
leave it unable to make outbound TCP connections?

-A INPUT -s 127.0.0.0/8 -j ACCEPT
-A INPUT -s (some source) -p tcp -m tcp --dport (some port) -j ACCEPT
-A INPUT -s (other source) -p tcp -m tcp --dport (other port) -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TARPIT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j TARPIT
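As an added illustration (not part of the original post), the Python below checks an iptables ruleset for matches that pull in the conntrack modules and works through how the `--tcp-flags mask comp` pairs in the two TARPIT rules classify packets. The ruleset is constructed for the example: the two TARPIT rules are the ones from the question, and the `-m state --state ESTABLISHED` rule stands in for the variant the question says loads conntrack.

```python
import re

TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}

# Constructed ruleset for the example (not the poster's full rules).
RULESET = [
    "-A INPUT -s 127.0.0.0/8 -j ACCEPT",
    "-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TARPIT",
    "-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j TARPIT",
]

# Matches whose presence makes iptables load nf_conntrack and friends.
CONNTRACK_MATCHES = re.compile(r"-m (state|conntrack)\b|--(state|ctstate)\b")


def loads_conntrack(rule):
    """True if the rule uses a match that requires the conntrack modules."""
    return CONNTRACK_MATCHES.search(rule) is not None


def _flag_set(spec):
    """Expand a --tcp-flags operand (ALL, NONE or a comma list) to a set."""
    if spec == "ALL":
        return set(TCP_FLAGS)
    if spec == "NONE":
        return set()
    return set(spec.split(","))


def tcp_flags_spec(rule):
    """Return (mask, comp) sets from --tcp-flags, or None if the rule has none."""
    m = re.search(r"--tcp-flags (\S+) (\S+)", rule)
    if not m:
        return None
    return _flag_set(m.group(1)), _flag_set(m.group(2))


def tcp_flags_match(mask, comp, packet_flags):
    """iptables semantics: of the flags in mask, exactly those in comp are set."""
    return (set(packet_flags) & mask) == comp


def target_for(ruleset, packet_flags):
    """Target of the first --tcp-flags rule the packet matches (other matches ignored)."""
    for rule in ruleset:
        spec = tcp_flags_spec(rule)
        if spec and tcp_flags_match(*spec, packet_flags):
            return rule.split("-j ")[1]
    return "no tcp-flags rule matched"
```

A SYN+ACK reply to the box's own outbound connection matches neither TARPIT rule, which is why the poster wants to drop the conntrack-based ESTABLISHED match rather than the flag rules.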



