IPtables Tarpit Support in Karmic

Edit: If you’re using Ubuntu 10.04 or higher this is no longer needed. The xtables-addons in the repositories compiles just fine.

IPtables has a nifty feature called Tarpit. In terms of IPtables a tarpit

“captures and holds incoming TCP connections using no local per-connection resources. Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes.” (source)

This basically means that it will be impossible for the person initiating the connection to close it until it times out, wasting their resources. 😈 Great for those pesky spammers that won’t leave your server alone. However, this feature is not considered stable, so it is not included in the standard version of IPtables, and Ubuntu therefore does not ship it. Karmic does offer a simple way to install it, though.

Karmic has a package in the repos called “netfilter-extensions-source” which contains the source to the Tarpit module as well as some other additions to IPtables; however, according to upstream, that package is deprecated. It’s also broken. So the package we need to use is called “xtables-addons-source”. However, that’s also broken in Karmic. Fun fun. 🙄 So we’ll need to steal the version from Lucid.

wget http://archive.ubuntu.com/ubuntu/pool/universe/x/xtables-addons/xtables-addons-source_1.21-1_all.deb
wget http://archive.ubuntu.com/ubuntu/pool/universe/x/xtables-addons/xtables-addons-common_1.21-1_i386.deb
# For 64bit:
wget http://archive.ubuntu.com/ubuntu/pool/universe/x/xtables-addons/xtables-addons-common_1.21-1_amd64.deb

Now install them. If you’re doing this on a server I recommend using the command line version of gdebi since it will help with dependencies. We’ll also need Quilt so that it can apply some patches when it gets compiled.

sudo apt-get install gdebi-core quilt
sudo gdebi xtables-addons-source_1.21-1_all.deb
sudo gdebi xtables-addons-common_1.21-1_i386.deb
# 64bit:
sudo gdebi xtables-addons-common_1.21-1_amd64.deb

Now just run the following command to compile and install it

sudo module-assistant --verbose --text-mode auto-install xtables-addons

Say yes to any additional packages it wants to install and then it will automatically compile it, package it into a deb and install it.

Now you can create some rules using the Tarpit module.

sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

This will create a tarpit on port 80. Heads up if you’re actually running something on that port, as it will become inaccessible to everyone, not just the attackers.

Or perhaps you want to target a specific IP

sudo iptables -A INPUT -s x.x.x.x -p tcp -j TARPIT

Where x.x.x.x is the IP address.

These are only a couple basic examples. There’s a lot more things you can do with IPtables and Tarpitting which are beyond the scope of this post but a quick Googling will reveal a lot of good info on IPtables. For a basic intro to IPtables I recommend reading this.

Update: If you get a kernel update that bumps the ABI (e.g. 2.6.31-15-generic to 2.6.31-16-generic) then you will have to rebuild the xtables package after rebooting into the new kernel, since the module is built against one specific kernel. To do this just rerun the module-assistant command:

sudo module-assistant --verbose --text-mode auto-install xtables-addons

Actually, I’ve found out this is better, since you can recompile it before rebooting, thus eliminating any period of time without a firewall.

sudo module-assistant --verbose --text-mode -l <kernel-version> auto-install xtables-addons

Replace <kernel-version> with the new kernel, such as “2.6.31-17-generic”.
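To tie the rule examples and the kernel-rebuild caveat together, here is a small POSIX shell helper script. It is an added example, not code from the original post or from the xtables-addons project: it validates the address or port before emitting the TARPIT rule (catching the single-dash `-dport` style typo by construction), and it checks whether an `xt_TARPIT.ko` module exists under `/lib/modules/<kernel>` for a given kernel version so you can run the `module-assistant -l` rebuild before rebooting. The function names, the module-root argument and the sample values are assumptions made for the example; the script only prints commands rather than running them, so you can review them before applying anything as root.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the TARPIT
# workflow: build rules safely and detect a kernel that lacks the module.
# Function names and the module-root argument are this example's own.

# Validate a dotted-quad IPv4 address (four octets, each 0-255).
# Runs in a subshell so IFS/globbing changes do not leak out.
valid_ipv4() (
    set -f                      # no pathname expansion on the split fields
    IFS=.
    # shellcheck disable=SC2086  # unquoted on purpose: split on '.'
    set -- $1
    [ $# -eq 4 ] || return 1
    for oct; do
        case $oct in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
)

# Emit the rule that tarpits all TCP from one source address (the post's
# "target a specific IP" case). Fails on anything that is not an IPv4.
tarpit_ip_rule() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    printf 'iptables -A INPUT -s %s -p tcp -j TARPIT\n' "$1"
}

# Emit the rule that tarpits a TCP port. Note the double dash on --dport;
# a single dash is a common typo that iptables rejects.
tarpit_port_rule() {
    case $1 in ''|*[!0-9]*) echo "invalid port: $1" >&2; return 1 ;; esac
    { [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; } || {
        echo "invalid port: $1" >&2; return 1; }
    printf 'iptables -A INPUT -p tcp -m tcp --dport %s -j TARPIT\n' "$1"
}

# Report whether a TARPIT module is installed for kernel version $1 under
# module root $2 (default /lib/modules). Prints "ok" or "rebuild". The
# subdirectory is not assumed; any xt_TARPIT.ko* below the kernel dir counts.
tarpit_module_status() {
    kver=$1
    modroot=${2:-/lib/modules}
    if [ -d "$modroot/$kver" ] &&
       [ -n "$(find "$modroot/$kver" -name 'xt_TARPIT.ko*' 2>/dev/null | head -n 1)" ]
    then
        echo ok
    else
        echo rebuild
    fi
}

# The rebuild command from the post for a kernel that lacks the module,
# emitted (not executed) so it can be run before rebooting into $1.
rebuild_command() {
    printf 'module-assistant --verbose --text-mode -l %s auto-install xtables-addons\n' "$1"
}

# Example usage: constructed sample values, nothing is applied to the system.
tarpit_port_rule 80
tarpit_ip_rule 192.0.2.10
running=$(uname -r)
if [ "$(tarpit_module_status "$running")" = rebuild ]; then
    echo "# xt_TARPIT not found for $running; rebuild with:"
    rebuild_command "$running"
fi
```

Run it as an ordinary user to see the commands it would produce; only the printed `iptables` and `module-assistant` lines need `sudo`, and the module check can be pointed at a newly installed kernel version (e.g. `tarpit_module_status 2.6.31-17-generic`) before you reboot into it.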