1 Index: iptables-1.4.0/extensions/.CHAOS-testx
2 ===================================================================
4 +++ iptables-1.4.0/extensions/.CHAOS-testx
8 +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS"
9 Index: iptables-1.4.0/extensions/libxt_CHAOS.c
10 ===================================================================
12 +++ iptables-1.4.0/extensions/libxt_CHAOS.c
15 + * CHAOS target for iptables
16 + * Copyright © CC Computer Consultants GmbH, 2006 - 2007
17 + * Contact: Jan Engelhardt <jengelh@computergmbh.de>
19 + * This program is free software; you can redistribute it and/or modify
20 + * it under the terms of the GNU General Public License; either version
21 + * 2 or 3 as published by the Free Software Foundation.
29 +#include <linux/netfilter/x_tables.h>
30 +#include <linux/netfilter/xt_CHAOS.h>
37 +static const struct option chaos_tg_opts[] = {
38 + {.name = "delude", .has_arg = false, .val = 'd'},
39 + {.name = "tarpit", .has_arg = false, .val = 't'},
43 +static void chaos_tg_help(void)
46 + "CHAOS target v%s options:\n"
47 + " --delude Enable DELUDE processing for TCP\n"
48 + " --tarpit Enable TARPIT processing for TCP\n",
53 +static int chaos_tg_parse(int c, char **argv, int invert, unsigned int *flags,
54 + const void *entry, struct xt_entry_target **target)
56 + struct xt_chaos_target_info *info = (void *)((*target)->data);
59 + info->variant = XTCHAOS_DELUDE;
63 + info->variant = XTCHAOS_TARPIT;
70 +static void chaos_tg_check(unsigned int flags)
72 + if ((flags & (F_DELUDE | F_TARPIT)) == (F_DELUDE | F_TARPIT))
73 + /* If flags == 0x03, both were specified, which should not be. */
74 + exit_error(PARAMETER_PROBLEM,
75 + "CHAOS: only one of --tarpit or --delude "
76 + "may be specified");
80 +static void chaos_tg_print(const void *ip,
81 + const struct xt_entry_target *target, int numeric)
83 + const struct xt_chaos_target_info *info = (const void *)target->data;
84 + switch (info->variant) {
85 + case XTCHAOS_DELUDE:
88 + case XTCHAOS_TARPIT:
95 +static void chaos_tg_save(const void *ip, const struct xt_entry_target *target)
97 + const struct xt_chaos_target_info *info = (const void *)target->data;
98 + switch (info->variant) {
99 + case XTCHAOS_DELUDE:
100 + printf("--delude ");
102 + case XTCHAOS_TARPIT:
103 + printf("--tarpit ");
109 +static struct xtables_target chaos_tg_reg = {
110 + .version = XTABLES_VERSION,
113 + .size = XT_ALIGN(sizeof(struct xt_chaos_target_info)),
114 + .userspacesize = XT_ALIGN(sizeof(struct xt_chaos_target_info)),
115 + .help = chaos_tg_help,
116 + .parse = chaos_tg_parse,
117 + .final_check = chaos_tg_check,
118 + .print = chaos_tg_print,
119 + .save = chaos_tg_save,
120 + .extra_opts = chaos_tg_opts,
125 + xtables_register_target(&chaos_tg_reg);
128 Index: iptables-1.4.0/extensions/libxt_CHAOS.man
129 ===================================================================
131 +++ iptables-1.4.0/extensions/libxt_CHAOS.man
133 +Causes confusion on the other end by doing odd things with incoming packets.
134 +CHAOS will randomly reply (or not) with one of its configurable subtargets:
137 +Use the REJECT and DELUDE targets as a base to do a sudden or deferred
138 +connection reset, fooling some network scanners to return non-deterministic
139 +(randomly open/closed) results, and in case it is deemed open, it is actually
143 +Use the REJECT and TARPIT target as a base to hold the connection until it
144 +times out. This consumes conntrack entries when connection tracking is loaded
145 +(which usually is on most machines), and routers inbetween you and the Internet
146 +may fail to do their connection tracking if they have to handle more
147 +connections than they can.
149 +The randomness factor of not replying vs. replying can be set during load-time
150 +of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
151 Index: iptables-1.4.0/extensions/.DELUDE-testx
152 ===================================================================
154 +++ iptables-1.4.0/extensions/.DELUDE-testx
158 +[ -f "$KERNEL_DIR/net/netfilter/xt_DELUDE.c" ] && echo "DELUDE"
159 Index: iptables-1.4.0/extensions/libxt_DELUDE.c
160 ===================================================================
162 +++ iptables-1.4.0/extensions/libxt_DELUDE.c
165 + * DELUDE target for iptables
166 + * Copyright © CC Computer Consultants GmbH, 2006 - 2007
167 + * Contact: Jan Engelhardt <jengelh@computergmbh.de>
169 + * This program is free software; you can redistribute it and/or modify
170 + * it under the terms of the GNU General Public License; either version
171 + * 2 or 3 as published by the Free Software Foundation.
177 +#include <xtables.h>
178 +#include <linux/netfilter/x_tables.h>
180 +static void delude_tg_help(void)
182 + printf("DELUDE takes no options\n");
186 +static int delude_tg_parse(int c, char **argv, int invert, unsigned int *flags,
187 + const void *entry, struct xt_entry_target **target)
192 +static void delude_tg_check(unsigned int flags)
197 +static struct xtables_target delude_tg_reg = {
198 + .version = XTABLES_VERSION,
201 + .size = XT_ALIGN(0),
202 + .userspacesize = XT_ALIGN(0),
203 + .help = delude_tg_help,
204 + .parse = delude_tg_parse,
205 + .final_check = delude_tg_check,
210 + xtables_register_target(&delude_tg_reg);
213 Index: iptables-1.4.0/extensions/libxt_DELUDE.man
214 ===================================================================
216 +++ iptables-1.4.0/extensions/libxt_DELUDE.man
218 +The DELUDE target will reply to a SYN packet with SYN-ACK, and to all other
219 +packets with an RST. This will terminate the connection much like REJECT, but
220 +network scanners doing TCP half-open discovery can be spoofed to make them
221 +belive the port is open rather than closed/filtered.
222 Index: iptables-1.4.0/extensions/.portscan-testx
223 ===================================================================
225 +++ iptables-1.4.0/extensions/.portscan-testx
229 +[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan"
230 Index: iptables-1.4.0/extensions/libxt_portscan.c
231 ===================================================================
233 +++ iptables-1.4.0/extensions/libxt_portscan.c
236 + * portscan match for iptables
237 + * Copyright © CC Computer Consultants GmbH, 2006 - 2007
238 + * Contact: Jan Engelhardt <jengelh@computergmbh.de>
240 + * This program is free software; you can redistribute it and/or modify
241 + * it under the terms of the GNU General Public License; either version
242 + * 2 or 3 as published by the Free Software Foundation.
244 +#include <stdbool.h>
250 +#include <xtables.h>
251 +#include <iptables.h>
252 +#include <linux/netfilter/x_tables.h>
253 +#include <linux/netfilter/xt_portscan.h>
255 +static const struct option portscan_mt_opts[] = {
256 + {.name = "stealth", .has_arg = false, .val = 'x'},
257 + {.name = "synscan", .has_arg = false, .val = 's'},
258 + {.name = "cnscan", .has_arg = false, .val = 'c'},
259 + {.name = "grscan", .has_arg = false, .val = 'g'},
263 +static void portscan_mt_help(void)
266 + "portscan match v%s options:\n"
267 + "(Combining them will make them match by OR-logic)\n"
268 + " --stealth Match TCP Stealth packets\n"
269 + " --synscan Match TCP SYN scans\n"
270 + " --cnscan Match TCP Connect scans\n"
271 + " --grscan Match Banner Grabbing scans\n",
276 +static int portscan_mt_parse(int c, char **argv, int invert,
277 + unsigned int *flags, const void *entry, struct xt_entry_match **match)
279 + struct xt_portscan_match_info *info = (void *)((*match)->data);
283 + info->match_cn = true;
286 + info->match_gr = true;
289 + info->match_syn = true;
292 + info->match_stealth = true;
298 +static void portscan_mt_check(unsigned int flags)
303 +static void portscan_mt_print(const void *ip,
304 + const struct xt_entry_match *match, int numeric)
306 + const struct xt_portscan_match_info *info = (const void *)(match->data);
307 + const char *s = "";
309 + printf("portscan ");
310 + if (info->match_stealth) {
314 + if (info->match_syn) {
315 + printf("%sSYNSCAN", s);
318 + if (info->match_cn) {
319 + printf("%sCNSCAN", s);
322 + if (info->match_gr)
323 + printf("%sGRSCAN", s);
328 +static void portscan_mt_save(const void *ip, const struct xt_entry_match *match)
330 + const struct xt_portscan_match_info *info = (const void *)(match->data);
332 + if (info->match_stealth)
333 + printf("--stealth ");
334 + if (info->match_syn)
335 + printf("--synscan ");
336 + if (info->match_cn)
337 + printf("--cnscan ");
338 + if (info->match_gr)
339 + printf("--grscan ");
343 +static struct xtables_match portscan_mt_reg = {
344 + .version = XTABLES_VERSION,
345 + .name = "portscan",
347 + .size = XT_ALIGN(sizeof(struct xt_portscan_match_info)),
348 + .userspacesize = XT_ALIGN(sizeof(struct xt_portscan_match_info)),
349 + .help = portscan_mt_help,
350 + .parse = portscan_mt_parse,
351 + .final_check = portscan_mt_check,
352 + .print = portscan_mt_print,
353 + .save = portscan_mt_save,
354 + .extra_opts = portscan_mt_opts,
359 + xtables_register_match(&portscan_mt_reg);
362 Index: iptables-1.4.0/extensions/libxt_portscan.man
363 ===================================================================
365 +++ iptables-1.4.0/extensions/libxt_portscan.man
367 +Detects simple port scan attemps based upon the packet's contents. (This is
368 +different from other implementations, which also try to match the rate of new
369 +connections.) Note that an attempt is only discovered after it has been carried
370 +out, but this information can be used in conjunction with other rules to block
371 +the remote host's future connections. So this match module will match on the
372 +(probably) last packet the remote side will send to your machine.
375 +Match if the packet did not belong to any known TCP connection
376 +(Stealth/FIN/XMAS/NULL scan).
379 +Match if the connection was a TCP half-open discovery (SYN scan), i.e. the
380 +connection was torn down after the 2nd packet in the 3-way handshake.
383 +Match if the connection was a TCP full open discovery (connect scan), i.e. the
384 +connection was torn down after completion of the 3-way handshake.
387 +Match if data in the connection only flew in the direction of the remote side,
388 +e.g. if the connection was terminated after a locally running daemon sent its
389 +identification. (e.g. openssh)
391 +NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
392 +so be advised to carefully use xt_portscan in conjunction with blocking rules,
393 +as it may lock out your very own internal network.