[CentOS] TARPIT target in iptables

Sat Jul 8 21:26:53 UTC 2006
Barry Brimer <lists at brimer.org>


On Sat, 8 Jul 2006, Aleksandar Milivojevic wrote:

> Barry Brimer wrote:
>> Has anyone been successful at using the TARPIT target in iptables under 
>> CentOS 4?
>
> I don't have any CentOS4 box handy to check it out, but it seems like the 
> kernel module is missing.  Netfilter has two components, userspace (in 
> /lib/iptables) and kernel (in your kernel's directory under /lib/modules). 
> The userspace as packaged by Red Hat often has many more modules than 
> are actually supported by the kernel.

What Alex has described seems to be the case.  I exploded the source from 
the centosplus kernel rpm and discovered that the source for the TARPIT 
target does not exist.  Does anyone know why Red Hat includes iptables 
userspace modules without the corresponding kernel modules?  Is this an 
indication of future inclusion?  It appears that building support for 
iptables modules is a bit trickier than building standard kernel modules. 
The best writeup I have found thus far is at: 
<http://www.centos.org/modules/newbb/viewtopic.php?topic_id=4053>

It seems to me that it would be quite powerful to have iptables string 
match and TARPIT target support.  Are there any plans to include any of 
the extra iptables functionality in the centosplus kernel?


If anyone has any information on building iptables kernel modules, 
particularly those included in patch-o-matic-ng to work with the 
centosplus (or any other) kernel without compiling an entire kernel, 
please let me know.

Thanks,
Barry
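A shell check for the userspace/kernel split Alex describes, added here as an example and not part of the original thread. It assumes the CentOS 4 library path /lib/iptables named in the message, and the ipt_NAME/xt_NAME kernel module and libipt_NAME.so/libxt_NAME.so userspace naming (ipt_/libipt_ for the older patch-o-matic-ng style extensions, xt_/libxt_ for newer xtables builds); the paths are parameters so it can be pointed at an exploded rpm tree.

```shell
#!/bin/sh
# Usage: check_xt_target NAME [IPT_LIBDIR] [MODDIR]
# Reports whether an iptables extension has BOTH halves installed:
#   userspace: libipt_NAME.so or libxt_NAME.so in the iptables library
#              directory (/lib/iptables on CentOS 4, per the thread)
#   kernel:    ipt_NAME.ko or xt_NAME.ko under the running kernel's
#              module tree (/lib/modules/$(uname -r))
# Prints one of: both, userspace-only, kernel-only, neither.
# Exit status is 0 only when both halves are present, so the function
# can gate a firewall script before it tries "-j NAME".
check_xt_target() {
    name="$1"
    libdir="${2:-/lib/iptables}"
    moddir="${3:-/lib/modules/$(uname -r)}"
    user=0
    kern=0

    # Userspace extension: either naming scheme counts.
    for f in "$libdir/libipt_$name.so" "$libdir/libxt_$name.so"; do
        if [ -f "$f" ]; then
            user=1
        fi
    done

    # Kernel module: search the whole module tree, since the exact
    # subdirectory varies; match "NAME.ko*" so compressed modules
    # (.ko.gz, .ko.xz) on other distributions are found too.
    if [ -d "$moddir" ] && find "$moddir" \
         \( -name "ipt_$name.ko*" -o -name "xt_$name.ko*" \) \
         2>/dev/null | grep -q .; then
        kern=1
    fi

    case "$user$kern" in
        11) echo "both";           return 0 ;;
        10) echo "userspace-only"; return 1 ;;
        01) echo "kernel-only";    return 1 ;;
        *)  echo "neither";        return 1 ;;
    esac
}

# When run as a script, check the targets named on the command line
# against the live system, e.g.: ./check_xt.sh TARPIT string
if [ $# -gt 0 ]; then
    for t in "$@"; do
        printf '%s: ' "$t"
        check_xt_target "$t" || true
    done
fi
```

The situation in the message (Red Hat userspace shipping libipt_TARPIT.so with no ipt_TARPIT module in the centosplus kernel) prints "userspace-only".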