iptables -j TARPIT

2011-10-24
2013-03-05
  • Jack D. Pond
    2011-10-24

    When trying to use TARPIT with a more current Kernel (3.0.0-12-server) I would consistently get the following error when I ran the firewall script as described in the Manual "5.3.6.1. Using Custom Service Object in Rules":

    x_tables: ip_tables: TARPIT target: only valid for protocol 6
    

    Here's a couple of hints that might get you there quicker:

    1. The newer versions allow you to use TARPIT from extensions instead of requiring a recompile.  You can add those extensions with

      sudo apt-get install xtables-addons-common
      
    2. For iptables, you need to explicitly specify in the custom action that the rule is for Protocol 6 (tcp) in the custom code using something like:

      -m tcp -p tcp -j TARPIT
      
     
  • Mike Horn
    2011-10-27

    Did you set the Protocol Name in the custom service to "tcp"?  If you do this it will automatically generate the "-p tcp" portion of the rule.

    Btw, a handy trick to see what fwbuilder will generate for a rule is to select the rule in question and then right-click and select "Compile Rule" from the menu.

     
  • Jack D. Pond
    2011-10-27

    Good question Mike, but yes I did (and I found out about the "compile rule" by accident - enormously useful!)

    It produced a chain:

    $IPTABLES -A In_RULE_17 -j TARPIT
    

    iptables (at least Kernel v3.x) didn't like this.  It wanted:

    $IPTABLES -A In_RULE_17  -p tcp -m tcp -j TARPIT
    

    Somehow it didn't recognize that earlier in the chain, the correct protocol had already been identified:

    $IPTABLES -A INPUT -i eth0  -p tcp -m tcp  --dport 22 -m recent -m state --state NEW --name SSHBadGuy --update --seconds 60 --hitcount 2 --rsource  -j In_RULE_17
    
     
  • Jack D. Pond
    2011-10-27

    I guess I should have given the entire rule as generated in case it's not working as I think it should:

    $IPTABLES -N In_RULE_17
    $IPTABLES -A INPUT -i eth0  -p tcp -m tcp  --dport 22 -m recent -m state --state NEW --name SSHBadGuy --update --seconds 60 --hitcount 2 --rsource  -j In_RULE_17
    $IPTABLES -A FORWARD -i eth0  -p tcp -m tcp  --dport 22 -m recent -m state --state NEW --name SSHBadGuy --update --seconds 60 --hitcount 2 --rsource  -j In_RULE_17
    $IPTABLES -A In_RULE_17  -j LOG  --log-level warning --log-prefix "SSH Tarpit"
    $IPTABLES -A In_RULE_17  -p tcp -m tcp -j TARPIT
    
     
  • Vadim Kurland
    2011-11-07

    You can put the string " -p tcp -m tcp -j TARPIT" in the custom action configuration to get the combination required by iptables 3.x
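
As an added example that is not part of this thread (nor fwbuilder's own code), the POSIX shell script below lints a generated firewall script for TARPIT rules that lack the explicit `-p tcp -m tcp` match the thread identifies, and rewrites such lines to the form Vadim suggests. The function names `check_tarpit_rules` and `fix_tarpit_rules` are my own, and the sample rules are a constructed copy of the chain quoted above.

```shell
#!/bin/sh
# Added example: catch "-j TARPIT" rules that lack the explicit tcp match
# before the script is ever loaded into iptables (kernel 3.x rejects them
# with "TARPIT target: only valid for protocol 6").

# Constructed sample, modelled on the fwbuilder-generated chain in the thread:
# the final TARPIT rule is missing "-p tcp -m tcp".
SAMPLE_BAD='$IPTABLES -N In_RULE_17
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m recent -m state --state NEW --name SSHBadGuy --update --seconds 60 --hitcount 2 --rsource -j In_RULE_17
$IPTABLES -A In_RULE_17 -j LOG --log-level warning --log-prefix "SSH Tarpit"
$IPTABLES -A In_RULE_17 -j TARPIT'

# check_tarpit_rules FILE
# Prints (to stderr) every line that jumps to TARPIT without a "-p tcp"
# match and returns 1; returns 0 when all TARPIT rules are well-formed.
check_tarpit_rules() {
    bad=$(grep -n -- '-j TARPIT' "$1" | grep -v -- '-p tcp' || true)
    if [ -n "$bad" ]; then
        printf 'TARPIT rule(s) without explicit tcp match:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# fix_tarpit_rules FILE
# Writes FILE to stdout with "-p tcp -m tcp" inserted in front of every
# "-j TARPIT" that does not already carry a tcp match; other lines are
# passed through unchanged.
fix_tarpit_rules() {
    awk '/-j TARPIT/ && !/-p tcp/ { sub(/-j TARPIT/, "-p tcp -m tcp -j TARPIT") } { print }' "$1"
}
```

Run `fix_tarpit_rules fw.sh > fw.fixed.sh && check_tarpit_rules fw.fixed.sh` on a compiled fwbuilder script to confirm the chain is accepted before applying it.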