Howto: Install TARPIT on Debian Stable (Lenny)

[quote]Add a TARPIT target to iptables, which captures and holds incoming TCP connections using no local per-connection resources. Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes.[/quote]

The clean way would be to compile your own kernel. The following “hack” does not require a custom kernel, nor does it require a reboot.

# add the squeeze (testing) archive temporarily; <DEBIAN-MIRROR-URL> is a placeholder,
# the original line did not include the mirror URL
echo 'deb <DEBIAN-MIRROR-URL> squeeze main' >> /etc/apt/sources.list
apt-get update
apt-get -t testing install iptables
apt-get -t testing install iptables-dev
apt-get -t testing install xtables-addons-common
# now remove the squeeze line from /etc/apt/sources.list again and run apt-get update
aptitude install pkg-config libtext-csv-xs-perl linux-headers-`uname -r` iptables-dev
# if you want to use the GeoIP target too, check the forum thread linked to below
# use xtables-addons 1.26 (download the tarball first); later versions did not compile
tar xf xtables-addons-1.26.tar.bz2
cd xtables-addons-1.26
./configure --with-xtlibdir=/lib/xtables
make install

Now you can use TARPIT in your iptables rules. Example (contents of iptables.rules, in iptables-restore format):
*filter
# This ruleset relies on an ACCEPT policy for INPUT: there is no ESTABLISHED,RELATED
# rule, so replies to outbound connections only get in because nothing below matches them,
# and the explicit ICMP DROP rule further down only makes sense with an ACCEPT policy.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Allow all outbound traffic (the OUTPUT ACCEPT policy above does this)
# some random port >1024 for SSH
-A INPUT -p tcp --dport 23942 -j ACCEPT
# for example a webserver
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow several ICMP types
-A INPUT -p icmp -m icmp --icmp-type 3/1 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j DROP
# log iptables denied calls
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# every other attempt to open a TCP connection is tarpitted; this rule must stay last,
# any ACCEPT placed after it would never see a new connection
-A INPUT -p tcp --syn -j TARPIT
COMMIT

iptables-restore < iptables.rules
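Because the TARPIT rule only does its job as the last TCP rule in the chain, a mistake in rule order is easy to make and hard to spot until your own SSH port gets tarpitted. The following script is an added example, not part of the original how-to or of xtables-addons: it parses an iptables-restore file and flags ACCEPT rules that sit behind the TARPIT catch-all, TARPIT rules that are not TCP-only, and TARPIT rules without --syn. The sample ruleset embedded in it is a constructed copy of the rules above; the function and class names are the example's own.

```python
"""Order check for an iptables-restore file that ends in a TARPIT catch-all.

Added example, not part of the how-to: it parses the rules file and flags
ACCEPT rules that sit behind the TARPIT catch-all (they would never see a
new connection), TARPIT rules that are not TCP-only, and TARPIT rules
without --syn.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the INPUT chain from the how-to, wrapped in the
# *filter / COMMIT framing that iptables-restore expects.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 23942 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j DROP
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -p tcp --syn -j TARPIT
COMMIT
"""


@dataclass
class Rule:
    chain: str
    target: Optional[str]
    proto: Optional[str] = None   # None means "any protocol"
    dport: Optional[str] = None   # None means "any port"
    syn: bool = False
    in_iface: Optional[str] = None


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one '-A CHAIN ...' line; other lines (*table, :chain, COMMIT, comments) give None."""
    toks = shlex.split(line, comments=True)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = Rule(chain=toks[1], target=None)
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok in ("-p", "--protocol"):
            rule.proto = toks[i + 1]
            i += 2
        elif tok == "--dport":
            rule.dport = toks[i + 1]
            i += 2
        elif tok in ("-i", "--in-interface"):
            rule.in_iface = toks[i + 1]
            i += 2
        elif tok in ("-j", "--jump"):
            rule.target = toks[i + 1]
            i += 2
        elif tok == "--syn":
            rule.syn = True
            i += 1
        else:
            i += 1  # other matches (-m limit, --icmp-type, ...) do not affect the checks
    return rule


def parse_rules(text: str) -> List[Rule]:
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r is not None]


def find_problems(rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means the order is sound."""
    problems: List[str] = []
    catchall: dict = {}  # chain -> index of its first TARPIT rule without --dport
    for idx, r in enumerate(rules):
        if r.target == "TARPIT":
            if r.proto != "tcp":
                problems.append(f"rule {idx}: TARPIT is a TCP-only target but the rule has -p {r.proto}")
            if not r.syn:
                problems.append(f"rule {idx}: TARPIT without --syn also holds non-SYN packets, "
                                f"e.g. replies to outbound connections")
            if r.dport is None:
                catchall.setdefault(r.chain, idx)
        elif r.target == "ACCEPT" and r.chain in catchall and r.proto in (None, "tcp"):
            problems.append(
                f"rule {idx}: ACCEPT for tcp dport {r.dport or 'any'} comes after the "
                f"TARPIT catch-all (rule {catchall[r.chain]}) and never sees a new connection")
    return problems


def check_rules_text(text: str) -> List[str]:
    """Convenience wrapper: parse a whole rules file and return its findings."""
    return find_problems(parse_rules(text))


if __name__ == "__main__":
    for line in check_rules_text(SAMPLE_RULES) or ["no ordering problems found"]:
        print(line)
```

Run it against your own file with `check_rules_text(open("iptables.rules").read())` before calling iptables-restore; the ruleset from the how-to passes cleanly, while moving the port 80 ACCEPT below the TARPIT line produces a finding.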
