Bug 169104 - iptables TARPIT target incomplete support
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: kernel
Version: 4
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Kernel Maintainer List
QA Contact: Brian Brock
Keywords: FutureFeature
Reported: 2005-09-22 21:57 EDT by Mike Pope
Modified: 2007-11-30 17:11 EST
Doc Type: Enhancement
Last Closed: 2005-09-23 15:53:38 EDT
Description Mike Pope 2005-09-22 21:57:37 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4) KHTML/3.4.2 (like Gecko)

Description of problem:
iptables 1.3.0-2 supports/supplies the TARPIT target (ipt_TARPIT.so) but there  
is no corresponding .ko module in kernel-2.6.12-1.1447_FC4.  The TARPIT target 
is therefore unusable. 
 
I realize this may be intentional as TARPIT is fairly new, but it is the ideal 
treatment for the increasing number of ssh-port-scans I am seeing lately. 

Version-Release number of selected component (if applicable):
iptables-1.3.0-2
kernel-2.6.12-1.1447_FC4

How reproducible:
Always

Steps to Reproduce:
1. iptables <args> -j TARPIT

Actual Results: The error message is:

iptables: No chain/target/match by that name

Expected Results: iptables -L -v should show the rule had been accepted

Additional info:

While this is a request-for-enhancement, please bear in mind its security 
implications in assigning a priority for action.
Comment 1 Thomas Woerner 2005-09-23 07:44:39 EDT
iptables is the userland configuration tool.

Assigning to kernel.
Comment 2 Dave Jones 2005-09-23 15:53:38 EDT
This module isn't in the upstream kernel, and adding it to the Fedora kernel
isn't going to happen.

I'd suggest trying to get the netfilter folks to merge this upstream, and we'll
pick it up in an update.
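
Added example (not from the report or from any commenter): the mismatch described in this bug, a userland target extension with no kernel counterpart, can be checked for with a shell function like the one below. The file-name patterns (`*ipt_<TARGET>.so`, `ipt_<TARGET>.ko`) and the directory arguments are assumptions.

```shell
#!/bin/sh
# List iptables targets that have a userland extension file but no
# matching kernel module file.
# Assumptions (not from the bug report): extensions are named
# *ipt_<TARGET>.so, modules ipt_<TARGET>.ko, and both directories
# are supplied by the caller.

# missing_kernel_targets EXT_DIR MOD_DIR
# Prints one target name per line, sorted. Runs in a subshell so the
# locale override does not leak into the caller.
missing_kernel_targets() (
    LC_ALL=C                              # make [A-Z] mean ASCII upper-case
    ext_dir=$1
    mod_dir=$2
    for so in "$ext_dir"/*ipt_[A-Z]*.so; do
        [ -e "$so" ] || continue          # glob matched nothing
        name=${so##*/}                    # strip directory
        name=${name%.so}                  # strip suffix
        name=${name##*ipt_}               # strip prefix -> e.g. TARPIT
        # Targets are upper-case by convention; skip anything else.
        case $name in
            *[!A-Z0-9_]*) continue ;;
        esac
        # Search the whole module tree; its layout differs between kernels.
        if [ -z "$(find "$mod_dir" -name "ipt_${name}.ko" -print 2>/dev/null)" ]; then
            printf '%s\n' "$name"
        fi
    done | sort
)

# Typical call on a live system (paths are assumptions):
#   missing_kernel_targets /lib/iptables "/lib/modules/$(uname -r)"
# A hit is a hint, not proof: a target can be compiled into the kernel
# image or into another module, in which case no ipt_<TARGET>.ko exists.
```
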
