Red Hat Bugzilla – Bug 169104
iptables TARPIT target incomplete support
Last modified: 2007-11-30 17:11:13 EST
From Bugzilla Helper: User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4) KHTML/3.4.2 (like Gecko) Description of problem: iptables 1.3.0-2 supports/supplies the TARPIT target (ipt_TARPIT.so) but there is no corresponding .ko module in kernel-2.6.12-1.1447_FC4. The TARPIT target is therefore unusable. I realize this may be intentional as TARPIT is fairly new, but it is the ideal treatment for the increasing number of ssh-port-scans I am seeing lately. Version-Release number of selected component (if applicable): iptables-1.3.0-2 kernel-2.6.12-1.1447_FC4 How reproducible: Always Steps to Reproduce: 1. iptables <args> -j TARPIT Actual Results: The error message is: iptables: No chain/target/match by that name Expected Results: iptables -L -v should show the rule had been accepted Additional info: While this is a request-for-enhancement, please bear in mind its security implications in assigning a priority for action.
iptables is the userland configuration tool. Assigning to kernel.
This module isnt in the upstream kernel, and adding it to the Fedora kernel isn't going to happen. I'd suggest trying to get the netfilter folks to merge this upstream, and we'll pick it up in an update.