[clug] "target problem" with iptables and TARPIT

Alex Satrapa grail at goldweb.com.au
Thu Dec 2 04:48:15 GMT 2004

On 2 Dec 2004, at 12:30, Tony Breeds wrote:

> Silly question, do you actually have a TARPIT target?
> What does: "iptables -L | egrep Chain" say?

It's not a target chain, it's a target policy - TARPIT is supposed to 
be the same type of thing as ACCEPT, DENY, REJECT, REDIRECT, 
MASQUERADE, LOG, etc. These are the targets supplied by the ipt_* 
modules such as ipt_MASQUERADE.o. So in the same way that you can 
specify "... -j LOG --log-prefix='sample log rule'" without having a 
"LOG" target chain, you can specify "... -j TARPIT" without having a 
TARPIT target chain.

Of course, having explained all that, I realise now what my problem is: 
TARPIT can only be used with the TCP protocol, and I was trying to 
specify it as a target for the IP protocol. The correct rule for me to 
use is:

iptables -I FORWARD 8 --source --protocol tcp -j TARPIT

(because I want to insert this rule into the 8th position in the 
FORWARD table). Now it's working fine, and the next time those 
Vietnamese Cr4X0Rz try to crack my network, they'll find it a little 
less fun to explore.
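
The failure described in this message (a TARPIT rule with no TCP protocol match) can be caught before a ruleset is loaded. The following is an added example, not part of the original post: the function name check_tarpit_rules and the sample rules, which use 192.0.2.0/24 documentation addresses, are constructed for illustration.

```shell
#!/bin/sh
# Lint a ruleset for TARPIT rules that are not restricted to TCP.
# check_tarpit_rules reads rule lines on stdin (iptables-restore format or
# plain "iptables ..." commands), prints each offending line prefixed with
# its line number, and returns 1 if any were found, 0 otherwise.
check_tarpit_rules() {
    awk '
    BEGIN { bad = 0 }
    /^[[:space:]]*#/ { next }    # skip comment lines
    {
        tarpit = 0; tcp = 0
        for (i = 1; i <= NF; i++) {
            # Target selected with -j / --jump
            if (($i == "-j" || $i == "--jump") && $(i + 1) == "TARPIT")
                tarpit = 1
            # Protocol match with -p / --protocol; 6 is the TCP protocol
            # number. A preceding "!" negates the match, so it does not count.
            if (($i == "-p" || $i == "--protocol") &&
                ($(i + 1) == "tcp" || $(i + 1) == "TCP" || $(i + 1) == "6") &&
                $(i - 1) != "!")
                tcp = 1
        }
        if (tarpit && !tcp) { printf "%d: %s\n", NR, $0; bad = 1 }
    }
    END { exit bad }
    '
}

# Constructed sample ruleset: lines 2, 5 and 6 send non-TCP traffic to TARPIT.
SAMPLE_RULES='*filter
-A FORWARD -s 192.0.2.10/32 -j TARPIT
-A FORWARD -s 192.0.2.10/32 -p tcp -j TARPIT
-A FORWARD -s 192.0.2.11/32 --protocol tcp -j LOG --log-prefix tarpit-candidate
-A FORWARD -s 192.0.2.12/32 ! -p tcp -j TARPIT
-A FORWARD -s 192.0.2.13/32 -p udp -j TARPIT
COMMIT'

# Usage: printf '%s\n' "$SAMPLE_RULES" | check_tarpit_rules
```
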

