forked from extern/shorewall_code
Implement TARPIT target
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
f96baca780
commit
15a2fd14f9
@ -2392,6 +2392,7 @@ determine_capabilities() {
|
|||||||
MASQUERADE_TGT=
|
MASQUERADE_TGT=
|
||||||
UDPLITEREDIRECT=
|
UDPLITEREDIRECT=
|
||||||
NEW_TOS_MATCH=
|
NEW_TOS_MATCH=
|
||||||
|
TARPIT_TARGET=
|
||||||
|
|
||||||
AMANDA_HELPER=
|
AMANDA_HELPER=
|
||||||
FTP_HELPER=
|
FTP_HELPER=
|
||||||
@ -2545,6 +2546,8 @@ determine_capabilities() {
|
|||||||
qt $NFACCT del $chain
|
qt $NFACCT del $chain
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
qt $g_tool -A $chain -p tcp -j TARPIT && TARPIT_TARGET=Yes
|
||||||
|
|
||||||
if [ -n "$MANGLE_ENABLED" ]; then
|
if [ -n "$MANGLE_ENABLED" ]; then
|
||||||
qt $g_tool -t mangle -N $chain
|
qt $g_tool -t mangle -N $chain
|
||||||
|
|
||||||
@ -2822,6 +2825,7 @@ report_capabilities_unsorted() {
|
|||||||
report_capability "MASQUERADE Target" $MASQUERADE_TGT
|
report_capability "MASQUERADE Target" $MASQUERADE_TGT
|
||||||
report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT
|
report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT
|
||||||
report_capability "New tos Match" $NEW_TOS_MATCH
|
report_capability "New tos Match" $NEW_TOS_MATCH
|
||||||
|
report_capability "TARPIT Target" $TARPIT_TARGET
|
||||||
|
|
||||||
report_capability "Amanda Helper" $AMANDA_HELPER
|
report_capability "Amanda Helper" $AMANDA_HELPER
|
||||||
report_capability "FTP Helper" $FTP_HELPER
|
report_capability "FTP Helper" $FTP_HELPER
|
||||||
@ -2949,6 +2953,7 @@ report_capabilities_unsorted1() {
|
|||||||
report_capability1 MASQUERADE_TGT
|
report_capability1 MASQUERADE_TGT
|
||||||
report_capability1 UDPLITEREDIRECT
|
report_capability1 UDPLITEREDIRECT
|
||||||
report_capability1 NEW_TOS_MATCH
|
report_capability1 NEW_TOS_MATCH
|
||||||
|
report_capability1 TARPIT_TARGET
|
||||||
|
|
||||||
report_capability1 AMANDA_HELPER
|
report_capability1 AMANDA_HELPER
|
||||||
report_capability1 FTP_HELPER
|
report_capability1 FTP_HELPER
|
||||||
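Review bot: The probe `qt $g_tool -A $chain -p tcp -j TARPIT && TARPIT_TARGET=Yes` only exercises the default TARPIT mode, while the process_rule handler added by this same commit also emits `--honeypot` and `--reset`; if an installed TARPIT module lacks those modes, the capability is still reported Yes and the generated ruleset fails only at load time. Consider either probing the option form as well, e.g. `qt $g_tool -A $chain -p tcp -j TARPIT --honeypot`, or stating in a comment next to the probe that TARPIT_TARGET vouches for the bare target only. The same limitation applies to the Perl probe Tarpit_Target further down this page. determine_capabilities() starts and ends outside the hunk.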
|
@ -110,6 +110,7 @@ our @EXPORT = ( qw(
|
|||||||
INLINERULE
|
INLINERULE
|
||||||
OPTIONS
|
OPTIONS
|
||||||
IPTABLES
|
IPTABLES
|
||||||
|
TARPIT
|
||||||
FILTER_TABLE
|
FILTER_TABLE
|
||||||
NAT_TABLE
|
NAT_TABLE
|
||||||
MANGLE_TABLE
|
MANGLE_TABLE
|
||||||
@ -426,6 +427,7 @@ use constant { STANDARD => 0x1, #defined by Netfilter
|
|||||||
INLINERULE => 0x40000, #INLINE
|
INLINERULE => 0x40000, #INLINE
|
||||||
OPTIONS => 0x80000, #Target Accepts Options
|
OPTIONS => 0x80000, #Target Accepts Options
|
||||||
IPTABLES => 0x100000, #IPTABLES or IP6TABLES
|
IPTABLES => 0x100000, #IPTABLES or IP6TABLES
|
||||||
|
TARPIT => 0x200000, #TARPIT
|
||||||
|
|
||||||
FILTER_TABLE => 0x1000000,
|
FILTER_TABLE => 0x1000000,
|
||||||
MANGLE_TABLE => 0x2000000,
|
MANGLE_TABLE => 0x2000000,
|
||||||
@ -2858,6 +2860,7 @@ sub initialize_chain_table($) {
|
|||||||
'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
|
'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
|
||||||
'INLINE' => INLINERULE,
|
'INLINE' => INLINERULE,
|
||||||
'IPTABLES' => IPTABLES,
|
'IPTABLES' => IPTABLES,
|
||||||
|
'TARPIT' => STANDARD + TARPIT + OPTIONS,
|
||||||
);
|
);
|
||||||
|
|
||||||
for my $chain ( qw(OUTPUT PREROUTING) ) {
|
for my $chain ( qw(OUTPUT PREROUTING) ) {
|
||||||
@ -2923,6 +2926,7 @@ sub initialize_chain_table($) {
|
|||||||
'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
|
'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
|
||||||
'INLINE' => INLINERULE,
|
'INLINE' => INLINERULE,
|
||||||
'IP6TABLES' => IPTABLES,
|
'IP6TABLES' => IPTABLES,
|
||||||
|
'TARPIT' => STANDARD + TARPIT + OPTIONS,
|
||||||
);
|
);
|
||||||
|
|
||||||
for my $chain ( qw(OUTPUT PREROUTING) ) {
|
for my $chain ( qw(OUTPUT PREROUTING) ) {
|
||||||
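Review bot: The new constant `TARPIT => 0x200000, #TARPIT` carries a comment that merely repeats its name, whereas the neighbouring entries explain what the flag means (`#Target Accepts Options`, `#IPTABLES or IP6TABLES`); a reader of this hunk cannot tell that the bit is later tested in process_rule to bypass the generic parameter checks. Suggest `TARPIT => 0x200000, #TARPIT target; parameter validated by the TARPIT handler in process_rule`. The `use constant { ... }` block and the two initialize_chain_table tables that register `'TARPIT' => STANDARD + TARPIT + OPTIONS` for iptables and ip6tables all extend beyond their hunks.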
|
@ -394,6 +394,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
MASQUERADE_TGT => 'MASQUERADE Target',
|
MASQUERADE_TGT => 'MASQUERADE Target',
|
||||||
UDPLITEREDIRECT => 'UDPLITE Port Redirection',
|
UDPLITEREDIRECT => 'UDPLITE Port Redirection',
|
||||||
NEW_TOS_MATCH => 'New tos Match',
|
NEW_TOS_MATCH => 'New tos Match',
|
||||||
|
TARPIT_TARGET => 'TARPIT Target',
|
||||||
|
|
||||||
AMANDA_HELPER => 'Amanda Helper',
|
AMANDA_HELPER => 'Amanda Helper',
|
||||||
FTP_HELPER => 'FTP Helper',
|
FTP_HELPER => 'FTP Helper',
|
||||||
@ -979,6 +980,7 @@ sub initialize( $;$$) {
|
|||||||
UDPLITEREDIRECT => undef,
|
UDPLITEREDIRECT => undef,
|
||||||
NEW_TOS_MATCH => undef,
|
NEW_TOS_MATCH => undef,
|
||||||
REAP_OPTION => undef,
|
REAP_OPTION => undef,
|
||||||
|
TARPIT_TARGET => undef,
|
||||||
|
|
||||||
AMANDA_HELPER => undef,
|
AMANDA_HELPER => undef,
|
||||||
FTP_HELPER => undef,
|
FTP_HELPER => undef,
|
||||||
@ -4226,6 +4228,10 @@ sub Addrtype() {
|
|||||||
qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
|
qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub Tarpit_Target() {
|
||||||
|
qt1( "$iptables $iptablesw -A $sillyname -p tcp -j TARPIT" );
|
||||||
|
}
|
||||||
|
|
||||||
sub Tcpmss_Match() {
|
sub Tcpmss_Match() {
|
||||||
qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
|
qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
|
||||||
}
|
}
|
||||||
@ -4540,6 +4546,7 @@ our %detect_capability =
|
|||||||
SIP0_HELPER => \&SIP0_Helper,
|
SIP0_HELPER => \&SIP0_Helper,
|
||||||
SNMP_HELPER => \&SNMP_Helper,
|
SNMP_HELPER => \&SNMP_Helper,
|
||||||
STATISTIC_MATCH => \&Statistic_Match,
|
STATISTIC_MATCH => \&Statistic_Match,
|
||||||
|
TARPIT_TARGET => \&Tarpit_Target,
|
||||||
TCPMSS_MATCH => \&Tcpmss_Match,
|
TCPMSS_MATCH => \&Tcpmss_Match,
|
||||||
TFTP_HELPER => \&TFTP_Helper,
|
TFTP_HELPER => \&TFTP_Helper,
|
||||||
TFTP0_HELPER => \&TFTP0_Helper,
|
TFTP0_HELPER => \&TFTP0_Helper,
|
||||||
@ -4692,6 +4699,7 @@ sub determine_capabilities() {
|
|||||||
$capabilities{MASQUERADE_TGT} = detect_capability( 'MASQUERADE_TGT' );
|
$capabilities{MASQUERADE_TGT} = detect_capability( 'MASQUERADE_TGT' );
|
||||||
$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
|
$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
|
||||||
$capabilities{NEW_TOS_MATCH} = detect_capability( 'NEW_TOS_MATCH' );
|
$capabilities{NEW_TOS_MATCH} = detect_capability( 'NEW_TOS_MATCH' );
|
||||||
|
$capabilities{TARPIT_MATCH} = detect_capability( 'TARPIT_MATCH' );
|
||||||
|
|
||||||
unless ( have_capability 'CT_TARGET' ) {
|
unless ( have_capability 'CT_TARGET' ) {
|
||||||
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
|
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
|
||||||
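Review bot: `$capabilities{TARPIT_MATCH} = detect_capability( 'TARPIT_MATCH' );` uses a key that nothing else in this commit defines: the %capdesc entry, the initialize() default, the %detect_capability dispatch (`TARPIT_TARGET => \&Tarpit_Target`) and the `require_capability 'TARPIT_TARGET'` call in process_rule all use TARPIT_TARGET. As written, detect_capability is asked for an unregistered name and $capabilities{TARPIT_TARGET} is never filled in by determine_capabilities, so a TARPIT rule would presumably be rejected, or the capability silently reported absent, whenever capabilities are detected by the Perl compiler rather than read from the shell-generated file. The line should read `$capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' );`. determine_capabilities() extends beyond the hunk.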
|
@ -2211,6 +2211,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
my $blacklist = ( $section == BLACKLIST_SECTION );
|
my $blacklist = ( $section == BLACKLIST_SECTION );
|
||||||
my $matches = $rule;
|
my $matches = $rule;
|
||||||
my $raw_matches = '';
|
my $raw_matches = '';
|
||||||
|
my $exceptionrule = '';
|
||||||
|
|
||||||
if ( $inchain = defined $chainref ) {
|
if ( $inchain = defined $chainref ) {
|
||||||
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
|
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
|
||||||
@ -2284,7 +2285,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
validate_level( $action );
|
validate_level( $action );
|
||||||
$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
|
$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
|
||||||
$action = 'LOG';
|
$action = 'LOG';
|
||||||
} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES ) ) ) {
|
} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
|
||||||
fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
|
fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
|
||||||
fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
|
fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
|
||||||
}
|
}
|
||||||
@ -2294,7 +2295,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
|
fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
|
||||||
|
|
||||||
unless ( $actiontype & ( ACTION | INLINE | IPTABLES ) ) {
|
unless ( $actiontype & ( ACTION | INLINE | IPTABLES | TARPIT ) ) {
|
||||||
#
|
#
|
||||||
# Catch empty parameter list
|
# Catch empty parameter list
|
||||||
#
|
#
|
||||||
@ -2398,6 +2399,20 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
$action = '';
|
$action = '';
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
||||||
|
TARPIT => sub {
|
||||||
|
require_capability 'TARPIT_TARGET', 'The TARPIT Target', 's';
|
||||||
|
|
||||||
|
fatal_error "TARPIT is only valid with PROTO tcp (6)" if ( resolve_proto( $proto ) || 0 ) != TCP;
|
||||||
|
|
||||||
|
if ( $param ) {
|
||||||
|
fatal_error "TARPIT Parameter must be 'tarpit', 'honeypot' or 'reset'" unless $param =~ /^(tarpit|honeypot|reset)$/;
|
||||||
|
$action = "TARPIT --$param";
|
||||||
|
$log_action = 'TARPIT';
|
||||||
|
}
|
||||||
|
|
||||||
|
$exceptionrule = '-p 6 ';
|
||||||
|
},
|
||||||
);
|
);
|
||||||
|
|
||||||
my $function = $functions{ $bt };
|
my $function = $functions{ $bt };
|
||||||
@ -2831,7 +2846,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
$action ,
|
$action ,
|
||||||
$loglevel ,
|
$loglevel ,
|
||||||
$log_action ,
|
$log_action ,
|
||||||
'' )
|
$exceptionrule )
|
||||||
unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
|
unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
|
||||||
}
|
}
|
||||||
|
|
||||||
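Review bot: In the new TARPIT handler the parameter is validated only inside `if ( $param )`, and the `| TARPIT` added to the two guards earlier in process_rule also exempts TARPIT from the block commented "# Catch empty parameter list", so `TARPIT()` would presumably be accepted silently as a bare TARPIT rather than rejected like other targets' empty parameter lists; if that is not intended, the handler should reject an empty list itself. The validation regex `/^(tarpit|honeypot|reset)$/` also tolerates a trailing newline and captures a group it never uses; `/\A(?:tarpit|honeypot|reset)\z/` states the intent exactly. The handler would benefit from a short header comment, e.g. `# TARPIT is TCP-only; the optional parameter selects the TARPIT mode, and exception rules must carry '-p 6'`. process_rule begins and ends outside these hunks.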
|