Red Hat Bugzilla – Bug 169104
iptables TARPIT target incomplete support
Last modified: 2007-11-30 17:11:13 EST
Description of problem:
iptables 1.3.0-2 supports/supplies the TARPIT target (ipt_TARPIT.so) but there
is no corresponding .ko module in kernel-2.6.12-1.1447_FC4. The TARPIT target
is therefore unusable.
I realize this may be intentional as TARPIT is fairly new, but it is the ideal
treatment for the increasing number of ssh-port-scans I am seeing lately.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. iptables <args> -j TARPIT
Actual Results: The error message is:
iptables: No chain/target/match by that name
Expected Results: iptables -L -v should show the rule had been accepted
While this is a request-for-enhancement, please bear in mind its security
implications in assigning a priority for action.
iptables is the userland configuration tool.
Assigning to kernel.
This module isn't in the upstream kernel, and adding it to the Fedora kernel
isn't going to happen.
I'd suggest trying to get the netfilter folks to merge this upstream, and we'll
pick it up in an update.
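
The mismatch reported in this bug (a userland extension present with no matching kernel module) can be checked for every extension at once. The script below is an added example, not part of the bug report or of iptables; it assumes userland libraries are named ipt_NAME.so or libipt_NAME.so and kernel modules ipt_NAME.ko, and it takes both directories as arguments.

```shell
#!/bin/sh
# Added example, not from the bug report or the iptables project.
# Lists iptables extensions that have a userland library but no kernel module,
# the condition that yields "No chain/target/match by that name".
# Assumed naming: userland ipt_NAME.so or libipt_NAME.so, kernel ipt_NAME.ko.
# An extension compiled into the kernel image (not built as a module) is also
# listed, so confirm against the kernel configuration before concluding.
missing_kernel_modules() {
    ext_dir=$1   # directory holding the userland extension libraries
    mod_dir=$2   # root of the kernel module tree to search
    for lib in "$ext_dir"/*ipt_*.so; do
        [ -e "$lib" ] || continue          # glob matched nothing
        name=${lib##*/}                    # strip the directory part
        name=${name#lib}                   # strip the optional "lib" prefix
        name=${name#ipt_}
        name=${name%.so}
        # Accept compressed modules too (ipt_NAME.ko.gz, ipt_NAME.ko.xz).
        if ! find "$mod_dir" -type f -name "ipt_${name}.ko*" | grep -q .; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample tree (not real system paths): TARPIT has only the
# userland half, REJECT has both halves.
sample=$(mktemp -d)
mkdir -p "$sample/ext" "$sample/mod/kernel/net/ipv4/netfilter"
: > "$sample/ext/libipt_TARPIT.so"
: > "$sample/ext/libipt_REJECT.so"
: > "$sample/mod/kernel/net/ipv4/netfilter/ipt_REJECT.ko"
missing_kernel_modules "$sample/ext" "$sample/mod"   # prints: TARPIT
rm -rf "$sample"
```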