[Firehol-support] A Tarpit

Nicole King nicole at catsmuvva.net
Mon May 22 20:23:55 BST 2006


Dear All,
 
Being rather sick of idiots who can't be bothered to secure their PCs and
host worms, viruses and other malware, I installed the TARPIT
(http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT)
destination for iptables on my router.
 
I fiddled around quite a lot with custom rules in firehol, but could not quite
get the behaviour from iptables that I wanted and so was forced to
modify the source. I've added a new keyword "tarpit" which works rather like
the "protection" keyword. It takes no parameters, and is used when
finalising an interface or router chain. When present, this keyword causes
all unmatched tcp traffic to be sent to the tarpit.
 
The diff is below.
 
Regards
 
Nicole
 
An example of the use in a config file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
interface ppp0 outside src not ${UNROUTABLE_IPS}
  policy drop
  tarpit
  ... 
 
router outside_int inface ppp0 outface eth0 src @${UNROUTABLE_IPS} dst "192.168.0.0/24"
  protection strong
  tarpit
  route http accept
  ...
 
The diff is
~~~~~~~~
 
--- firehol 2006-05-22 10:44:17.000000000 +0100
+++ firehol.new 2006-05-22 10:46:46.000000000 +0100
@@ -410,6 +410,7 @@
work_policy="${DEFAULT_INTERFACE_POLICY}"
work_error=0
work_function="Initializing"
+work_tarpit=0
 
 
#
----------------------------------------------------------------------------
--
@@ -2371,6 +2372,16 @@
#
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XX
#
----------------------------------------------------------------------------
--
 
+tarpit() {
+ work_realcmd_secondary ${FUNCNAME} "$@"
+ 
+ require_work set any || return 1
+
+ set_work_function "Setting tarpit on interface '${work_inface}'
${work_name}"
+ work_tarpit=1
+
+ return 0
+}
 
#
----------------------------------------------------------------------------
--
# Change the policy of an interface
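Review bot: tarpit() is described in the mail as taking no parameters, but the function never looks at "$#", so a stray argument (say `tarpit strong`, by analogy with `protection strong`) is silently ignored instead of being reported; consider checking `[ $# -eq 0 ]` and failing with whatever FireHOL's other keywords use for argument errors. Two smaller points in the same hunk: the set_work_function text says "interface '${work_inface}'" even when the keyword is used inside a router block, where work_inface is only one side of the pair, and the new function has no descriptive comment line of its own, unlike the "# Change the policy of an interface" banner that follows it.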
@@ -2792,6 +2803,7 @@
work_inface=
work_outface=
work_policy="${DEFAULT_INTERFACE_POLICY}"
+ work_tarpit=0
 
return 0
}
@@ -2826,6 +2838,10 @@
rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
 
+ if [ ${work_tarpit} -eq 1 ]; then
+ rule chain "in_${work_name}" "${inlog[@]}" proto tcp action tarpit ||
return 1
+ fi
+
rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy}
|| return 1
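Review bot: the new rule in in_${work_name} matches every TCP packet that reaches the end of the chain, not only connection attempts, so after the state RELATED accepts above it, stray ACK, FIN or RST segments from dead connections are handed to TARPIT as well rather than to the configured policy; consider restricting it to new connections, e.g. `rule chain "in_${work_name}" "${inlog[@]}" proto tcp state NEW action tarpit`, so only SYNs are tarpitted and everything else still falls through to ${work_policy}. Also, only the in_ chain gets the tarpit rule while the reverse out_ rule keeps the plain policy, and inside a router block in_ is forwarded traffic, so TARPIT will answer on behalf of hosts behind the router; both should be stated in the keyword's documentation, since the mail says "all unmatched tcp traffic". Finally, the rule reuses "${inlog[@]}", so with logging enabled every tarpitted SYN is logged with the same options and prefix as a policy drop, which makes tarpitted and dropped packets indistinguishable in the logs.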
 
@@ -3575,6 +3591,10 @@
action="DROP"
;;
 
+ tarpit|TARPIT)
+ action="TARPIT"
+ ;;
+ 
reject|REJECT)
action="REJECT"
if [ "${1}" = "with" ]
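Review bot: `action tarpit` is accepted here for any rule, but TARPIT only handles TCP, so a rule that uses it without `proto tcp` (or with udp) will only fail when iptables tries to load the generated rule; it would be friendlier to validate proto at rule-build time, or at least to document the restriction next to the keyword. It is also worth documenting that both the keyword and the action need a kernel and iptables built with the patch-o-matic TARPIT extension linked at the top of the mail, since FireHOL otherwise cannot tell the user why the rule was refused.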
 
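Added here as a worked example, not code from Nicole's patch or from FireHOL itself: a small POSIX sh pre-flight check for the TARPIT target, plus a printer for the iptables rules the proposed "tarpit" keyword expands to, so they can be reviewed before they are loaded. Everything beyond the mail is an assumption of this example: that /proc/net/ip_tables_targets lists the targets the running kernel has registered (one name per line; TARGETS_FILE can be pointed at another file on a machine without the module), that chains are named in_<name>/out_<name> as in the patch, and the design choice to tarpit only connection attempts (--syn) and to give tarpitted SYNs their own log prefix, whereas the patch tarpits every unmatched TCP packet and logs it like a policy drop.

```sh
#!/bin/sh
# Added example, not part of Nicole's patch or of FireHOL: pre-flight check
# for the TARPIT target and a printer for the rules the 'tarpit' keyword
# would need, so they can be eyeballed before loading.
#
# Assumptions (not from the original mail):
#  - /proc/net/ip_tables_targets lists the iptables targets registered by the
#    running kernel, one name per line; TARGETS_FILE may point elsewhere for
#    testing on a box without the module.
#  - Chains are named in_<name>/out_<name> as in the patch.
#  - Only connection attempts (--syn) are tarpitted; other unmatched TCP
#    segments fall through to the block's policy. The patch itself tarpits
#    every unmatched TCP packet.

TARGETS_FILE="${TARGETS_FILE:-/proc/net/ip_tables_targets}"

# have_tarpit: succeed (0) if the kernel has registered the TARPIT target.
have_tarpit() {
    [ -r "$TARGETS_FILE" ] || return 1
    grep -qx 'TARPIT' "$TARGETS_FILE"
}

# tarpit_rules NAME POLICY [LOGPREFIX]
# Print the rules for work block NAME whose policy is POLICY. If TARPIT is
# unavailable, print only the plain policy rule and return 1 so a caller can
# refuse to run with a silently weaker configuration.
tarpit_rules() {
    name="$1"
    policy="$2"
    prefix="${3:-}"
    if ! have_tarpit; then
        printf '# TARPIT target not registered; using policy %s only\n' "$policy"
        printf 'iptables -A in_%s -j %s\n' "$name" "$policy"
        return 1
    fi
    if [ -n "$prefix" ]; then
        # Log tarpitted SYNs under their own prefix so they can be told apart
        # from policy drops in the kernel log.
        printf 'iptables -A in_%s -p tcp --syn -j LOG --log-prefix "%s"\n' \
            "$name" "$prefix"
    fi
    printf 'iptables -A in_%s -p tcp --syn -j TARPIT\n' "$name"
    printf 'iptables -A in_%s -j %s\n' "$name" "$policy"
}

# Demo: rules for the ppp0 block from the mail (policy drop).
if [ "${1:-}" = "--demo" ]; then
    tarpit_rules ppp0 DROP "TARPIT:"
fi
```

Run it with --demo on the router to see what would be loaded; the non-zero exit from tarpit_rules when TARPIT is missing is the point of the check, since an iptables rule with an unknown target is otherwise only refused at activation time, after the rest of the firewall has been built.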

