Bug 169104

Summary: iptables TARPIT target incomplete support
Product: [Fedora] Fedora
Reporter: Mike Pope <mpope>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED UPSTREAM
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 4
CC: twoerner, wtogami
Keywords: FutureFeature
Hardware: i386
OS: Linux
Doc Type: Enhancement
Last Closed: 2005-09-23 19:53:38 UTC

Description Mike Pope 2005-09-23 01:57:37 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4) KHTML/3.4.2 (like Gecko)

Description of problem:
iptables 1.3.0-2 supports/supplies the TARPIT target (ipt_TARPIT.so) but there
is no corresponding .ko module in kernel-2.6.12-1.1447_FC4. The TARPIT target
is therefore unusable.

I realize this may be intentional as TARPIT is fairly new, but it is the ideal
treatment for the increasing number of ssh-port-scans I am seeing lately.

Version-Release number of selected component (if applicable):
iptables-1.3.0-2
kernel-2.6.12-1.1447_FC4

How reproducible:
Always

Steps to Reproduce:
1. iptables <args> -j TARPIT

Actual Results: The error message is:

iptables: No chain/target/match by that name

Expected Results: iptables -L -v should show the rule had been accepted

Additional info:

While this is a request-for-enhancement, please bear in mind its security 
implications in assigning a priority for action.

Comment 1 Thomas Woerner 2005-09-23 11:44:39 UTC
iptables is the userland configuration tool.

Assigning to kernel.

Comment 2 Dave Jones 2005-09-23 19:53:38 UTC
This module isn't in the upstream kernel, and adding it to the Fedora kernel
isn't going to happen.

I'd suggest trying to get the netfilter folks to merge this upstream, and we'll
pick it up in an update.