Has anyone been successful at using the TARPIT target in iptables under CentOS 4?
I am using CentOS 4.3, fully updated with iptables-1.2.11-3.1.RHEL4 and kernel-2.6.9-34.107.plus.c4
Doing a locate on TARPIT returns:
# locate TARPIT
/lib/iptables/libipt_TARPIT.so
This makes me think that the TARPIT target would be valid; however, when I try to use it, I get the following response:
# iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
iptables: No chain/target/match by that name
I am following the example located at the Netfilter website for rule creation: http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT
I have *NOT* rebuilt my kernel, or any tools, because on the surface it does not appear necessary.
Any help would be greatly appreciated.
Thanks, Barry
Barry Brimer wrote:
Has anyone been successful at using the TARPIT target in iptables under CentOS 4?
I don't have any CentOS4 box handy to check it out, but it seems like the kernel module is missing. Netfilter has two components, userspace (in /lib/iptables) and kernel (in your kernel's directory under /lib/modules). The userspace as packaged by Red Hat often has many more modules than are actually supported by the kernel.
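The mismatch Alex describes can be checked directly by looking for both halves of an extension. This is an added example, not code from the thread; it assumes the CentOS 4 layout (userspace extensions as /lib/iptables/libipt_NAME.so, kernel modules as ipt_NAME.ko under /lib/modules/$(uname -r)) and takes the two directories as optional arguments so it can be pointed at any tree:

```shell
#!/bin/sh
# Added example: report whether an iptables target or match has both its
# userspace extension and its kernel module installed.
# Assumed layout (CentOS 4): userspace extension /lib/iptables/libipt_<NAME>.so,
# kernel module ipt_<NAME>.ko somewhere under /lib/modules/<release>.
#
# check_ipt_ext NAME [USERSPACE_DIR] [MODULES_DIR]
# Prints a diagnosis and returns:
#   0 both halves present      1 userspace only (the symptom in this thread)
#   2 kernel module only       3 neither
check_ipt_ext() {
    name=$1
    userdir=${2:-/lib/iptables}
    moddir=${3:-/lib/modules/$(uname -r)}
    have_user=0
    have_kern=0
    [ -f "$userdir/libipt_$name.so" ] && have_user=1
    # 2.4 kernels shipped modules as .o, 2.6 as .ko (sometimes gzipped): match all three.
    if [ -d "$moddir" ] && find "$moddir" \( -name "ipt_$name.ko" -o -name "ipt_$name.ko.gz" \
            -o -name "ipt_$name.o" \) 2>/dev/null | grep -q .; then
        have_kern=1
    fi
    case "$have_user$have_kern" in
        11) echo "$name: userspace extension and kernel module both present"; return 0 ;;
        10) echo "$name: libipt_$name.so present but no ipt_$name module under $moddir" \
                 "(iptables will report 'No chain/target/match by that name')"; return 1 ;;
        01) echo "$name: kernel module present but libipt_$name.so missing from $userdir"; return 2 ;;
        *)  echo "$name: neither userspace extension nor kernel module found"; return 3 ;;
    esac
}

# Run directly with --run to check the extensions discussed in the thread on this host.
if [ "${1:-}" = "--run" ]; then
    for ext in TARPIT string REJECT; do
        check_ipt_ext "$ext" || true
    done
fi
```

A return code of 1 for TARPIT on a stock CentOS 4 box is exactly the situation Barry reports: the userspace half is packaged, the kernel half is not.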
On Sat, 8 Jul 2006, Aleksandar Milivojevic wrote:
Barry Brimer wrote:
Has anyone been successful at using the TARPIT target in iptables under CentOS 4?
I don't have any CentOS4 box handy to check it out, but it seems like the kernel module is missing. Netfilter has two components, userspace (in /lib/iptables) and kernel (in your kernel's directory under /lib/modules). The userspace as packaged by Red Hat often has many more modules than are actually supported by the kernel.
What Alex has described seems to be the case. I exploded the source from the centosplus kernel rpm and discovered that the source for the TARPIT target does not exist. Does anyone know why Red Hat includes iptables userspace modules without the corresponding kernel modules? Is this an indication of future inclusion? It appears that building support for iptables modules is a bit trickier than building standard kernel modules. The best writeup I have found thus far is at: http://www.centos.org/modules/newbb/viewtopic.php?topic_id=4053
It seems to me that it would be quite powerful to have iptables string match and TARPIT target support. Are there any plans to include any of the extra iptables functionality in the centosplus kernel?
If anyone has any information on building iptables kernel modules, particularly those included in patch-o-matic-ng to work with the centosplus (or any other) kernel without compiling an entire kernel, please let me know.
Thanks, Barry
Barry Brimer napsal(a):
It seems to me that it would be quite powerful to have iptables string match and TARPIT target support. Are there any plans to include any of the extra iptables functionality in the centosplus kernel?
If anyone has any information on building iptables kernel modules, particularly those included in patch-o-matic-ng to work with the centosplus (or any other) kernel without compiling an entire kernel, please let me know.
Well, I have plans to work on modules for the kernel and iptables. I have an ipp2p rpm. Milan has created a CONNLIMIT rpm package. I would start here: http://ftp.pslib.cz/pub/users/Milan.Kerslager/RHEL-4/stable/SPECS/kernel-mod...

It would be nice to create a repo with other modules. I'm still not sure which way to go: create a new repo, submit these packages upstream (Fedora Extras), or send them to e.g. Dag. What's your suggestion?

As to naming convention, Fedora has created new rules for kernel modules: http://fedoraproject.org/wiki/Packaging/KernelModules

One thing to point out: right now we are not able to easily build and check these packages with Mock (http://fedoraproject.org/wiki/Projects/Mock). The iptables-devel package does not contain header files: http://bugs.centos.org/view.php?id=1380

David
Barry Brimer napsal(a):
Has anyone been successful at using the TARPIT target in iptables under CentOS 4?
I am using CentOS 4.3, fully updated with iptables-1.2.11-3.1.RHEL4 and kernel-2.6.9-34.107.plus.c4
Doing a locate on TARPIT returns:
# locate TARPIT
/lib/iptables/libipt_TARPIT.so
This makes me think that the TARPIT target would be valid; however, when I try to use it, I get the following response:
# iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
iptables: No chain/target/match by that name
I am following the example located at the Netfilter website for rule creation: http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT
I have *NOT* rebuilt my kernel, or any tools, because on the surface it does not appear necessary.
Any help would be greatly appreciated.
Thanks, Barry
Barry, would you test my kernel tarpit module? If so, I'd send the link. Thanks, David