Jo-Philipp, Felix, et al:

I’ve added the following to my /etc/firewall.user but I was thinking it might 
be useful for others, and worth integrating into the firewall.

It’s currently implemented in Shell, but should be trivial in C.

The relevant config (/etc/config/firewall) looks like:

config tarpit
        option name 'misc'
        option src wan
        option dest_port '22,23,113,119,123,161,220,222,389,397,515,623,873,1433,1720,1723,1812,2323,2375-2376,3128,3306,3388-3398,5000-5001,5038,5060,5351,5353,5358,5431,5555,5900-5959,6000-6063,6379,7000-7009,7547,9000,9200,10250,11211'

config tarpit
        option name 'mail'
        option src wan
        option dest_port '110,143,465,995'

config tarpit
        option name 'web'
        option src wan
        option dest_port '81-94,1080,8000-8001,8080-8088,8181,8888'

config tarpit
        option name 'netbios'
        option src wan
        option dest_port '137-139'

The scripting looks like:

…

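#######################################
# Build (or rebuild) one tarpit entry from a 'config tarpit' section.
# Arguments: $1 - UCI section id, as passed by config_foreach
# Reads options: name, src, dest_port (comma/space separated ports or port ranges)
# Side effects: (re)creates ipset "tarpit_<name>" (bitmap:port) and chain
#   "i<s>r_<name>" (s = first letter of src), and hooks the chain into
#   "input_<src>_rule" so matching TCP packets are logged (rate-limited)
#   and handed to the TARPIT target.
# Returns: 0 always; sections without name or src are skipped.
#######################################
tarpit_add() {
        local cfg="$1"
        local name src ports

        config_get name "$cfg" name
        [ -n "$name" ] || return 0
        config_get src "$cfg" "src"
        [ -n "$src" ] || return 0

        # Chain name is derived from the first letter of the zone
        # (e.g. src=wan -> iwr_<name>); substring expansion is supported
        # by busybox ash as well as bash.
        local initial="${src:0:1}"
        local chain="i${initial}r_${name}"
        local ipset_name="tarpit_${name}"

        # Tear down leftovers from a previous run. The jump rule goes first:
        # a chain cannot be deleted and a set cannot be destroyed while a
        # rule still references them. Errors are expected on a first run.
        iptables -D "input_${src}_rule" -m set --match-set "$ipset_name" dst \
                -j "$chain" 2>/dev/null
        iptables -F "$chain" 2>/dev/null
        iptables -X "$chain" 2>/dev/null

        ipset list "$ipset_name" >/dev/null 2>&1 && ipset destroy "$ipset_name"

        ipset create "$ipset_name" bitmap:port range 0-65535

        config_get ports "$cfg" "dest_port"

        # dest_port is a comma- or space-separated list; split on exactly
        # those characters. IFS is declared local so the caller's IFS is
        # untouched.
        local port IFS=', '
        for port in $ports; do
                ipset add "$ipset_name" "${port}" \
                    || echo "Couldn't add ${port} to ${ipset_name}" >&2
        done

        iptables -N "$chain"
        # Rate-limit logging (1/sec, burst 5) so a port scan cannot flood
        # the log. NOTE(review): the LOG target accepts at most 29 characters
        # of --log-prefix; a long section name will be truncated.
        iptables -A "$chain" -m limit --limit 1/sec --limit-burst 5 \
                -j LOG --log-level 4 --log-prefix "TARPIT ${name}: "
        # TARPIT is not part of stock iptables; it needs the tarpit
        # extension (xtables-addons) and its kernel module installed.
        iptables -A "$chain" -m tcp -p tcp -j TARPIT

        # Only TCP is tarpitted; the -p tcp restriction also keeps the
        # bitmap:port set from matching UDP traffic on the same ports.
        iptables -A "input_${src}_rule" -m set --match-set "$ipset_name" dst \
                -m tcp -p tcp -j "$chain"

        return 0
}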

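# Entry point: (re)build one tarpit set/chain per 'config tarpit' section
# in /etc/config/firewall. Any extra arguments are forwarded to tarpit_add.
# NOTE(review): config_load/config_foreach/config_get are provided by
# /lib/functions.sh in OpenWrt; check that it is already in scope when this
# file runs, since network.sh is the only file sourced here.
. /lib/functions/network.sh

config_load firewall

config_foreach tarpit_add tarpit "$@"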


