[OpenWrt-Devel] Tarpit support in firewall
Philip Prindeville
philipp_subx at redfish-solutions.com
Thu Sep 27 18:29:27 EDT 2018
Jo-Philipp, Felix, et al:
I’ve added the following to my /etc/firewall.user but I was thinking it might be useful for others, and worth integrating into the firewall.
It’s currently implemented in Shell, but should be trivial in C.
The relevant config (/etc/config/firewall) looks like:
config tarpit
option name 'misc'
option src wan
option dest_port '22,23,113,119,123,161,220,222,389,397,515,623,873,1433,1720,1723,1812,2323,2375-2376,3128,3306,3388-3398,5000-5001,5038,5060,5351,5353,5358,5431,5555,5900-5959,6000-6063,6379,7000-7009,7547,9000,9200,10250,11211'
config tarpit
option name 'mail'
option src wan
option dest_port '110,143,465,995'
config tarpit
option name 'web'
option src wan
option dest_port '81-94,1080,8000-8001,8080-8088,8181,8888'
config tarpit
option name 'netbios'
option src wan
option dest_port '137-139'
The scripting looks like:
…
tarpit_add() {
    local cfg="$1"
    local name src ports

    # config_get/config_load/config_foreach come from /lib/functions.sh,
    # which the elided preamble above (or the firewall include runner) is
    # assumed to have sourced already.
    config_get name "$cfg" name
    [ -n "$name" ] || return 0
    config_get src "$cfg" "src"
    [ -n "$src" ] || return 0

    # Chain name is built from the first letter of the zone, e.g. iwr_<name> for wan.
    local initial="${src:0:1}"

    # Tear down any previous instance. The -D rule spec must match the -A
    # rule below exactly (including -m tcp -p tcp), otherwise the delete
    # silently fails and a stale jump is left in input_${src}_rule.
    iptables -D "input_${src}_rule" -m set --match-set "tarpit_${name}" dst -m tcp -p tcp -j "i${initial}r_${name}" 2>/dev/null
    iptables -F "i${initial}r_${name}" 2>/dev/null
    iptables -X "i${initial}r_${name}" 2>/dev/null
    ipset list "tarpit_${name}" >/dev/null 2>&1 && ipset destroy "tarpit_${name}"

    # One port bitmap per section; single ports and lo-hi ranges are both accepted.
    ipset create "tarpit_${name}" bitmap:port range 0-65535
    config_get ports "$cfg" "dest_port"
    local port IFS=', '
    for port in $ports; do
        ipset add "tarpit_${name}" "${port}" \
            || echo "Couldn't add ${port} to tarpit_${name}" >&2
    done

    # Rate-limited log line, then hand the connection to the TARPIT target.
    iptables -N "i${initial}r_${name}"
    iptables -A "i${initial}r_${name}" -m limit --limit 1/sec --limit-burst 5 -j LOG --log-level 4 --log-prefix "TARPIT ${name}: "
    iptables -A "i${initial}r_${name}" -m tcp -p tcp -j TARPIT
    iptables -A "input_${src}_rule" -m set --match-set "tarpit_${name}" dst -m tcp -p tcp -j "i${initial}r_${name}"
    return 0
}

. /lib/functions/network.sh
config_load firewall
config_foreach tarpit_add tarpit "$@"
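The shell above accepts whatever lands in dest_port and only prints a message when ipset rejects a token. As an added example (not part of the post, and not OpenWrt or fw3 code), here is a dry-run generator in Python that parses the proposed 'config tarpit' sections, validates every port token (a single port or a lo-hi range within 0-65535) before anything is created, and returns the ipset/iptables commands the script would issue. The sample config is a constructed excerpt of the sections in the mail; the chain naming (i<first letter of zone>r_<name>, input_<zone>_rule) is assumed to follow the script.

```python
"""Dry-run generator for 'config tarpit' sections (added example, not OpenWrt code)."""
import re
from dataclasses import dataclass

# Constructed sample: two of the sections from the mail, in UCI text form.
SAMPLE_CONFIG = """
config tarpit
    option name 'misc'
    option src wan
    option dest_port '22,23,113,2375-2376'

config tarpit
    option name 'netbios'
    option src wan
    option dest_port '137-139'
"""

PORT_TOKEN = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
ZONE_NAME = re.compile(r"^[a-zA-Z0-9_]+$")


@dataclass
class TarpitSection:
    name: str
    src: str
    ports: list  # list of (lo, hi) tuples, inclusive


def parse_uci(text):
    """Parse 'config <type>' blocks with 'option <key> <value>' lines; quotes are optional."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config" and len(parts) >= 2:
            cur = {"_type": parts[1]}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None and len(parts) == 3:
            cur[parts[1]] = parts[2].strip().strip("'\"")
    return sections


def parse_ports(spec):
    """Turn '22,23,2375-2376' into [(22, 22), (23, 23), (2375, 2376)], rejecting bad tokens."""
    ranges = []
    for tok in re.split(r"[,\s]+", spec.strip()):
        if not tok:
            continue
        m = PORT_TOKEN.match(tok)
        if not m:
            raise ValueError(f"bad port token {tok!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {tok!r}")
        ranges.append((lo, hi))
    return ranges


def load_tarpits(text):
    """Collect valid tarpit sections; like the shell, skip ones lacking name or src."""
    result = []
    for sec in parse_uci(text):
        if sec.get("_type") != "tarpit" or not sec.get("name") or not sec.get("src"):
            continue
        if not ZONE_NAME.match(sec["src"]) or not ZONE_NAME.match(sec["name"]):
            raise ValueError(f"unsafe zone or section name in {sec!r}")
        result.append(TarpitSection(sec["name"], sec["src"], parse_ports(sec.get("dest_port", ""))))
    return result


def render_commands(sec):
    """Commands the shell script would run for one section (assumed chain naming)."""
    setname = f"tarpit_{sec.name}"
    chain = f"i{sec.src[0]}r_{sec.name}"
    cmds = [f"ipset create {setname} bitmap:port range 0-65535"]
    cmds += [f"ipset add {setname} {lo}" if lo == hi else f"ipset add {setname} {lo}-{hi}"
             for lo, hi in sec.ports]
    cmds += [
        f"iptables -N {chain}",
        f'iptables -A {chain} -m limit --limit 1/sec --limit-burst 5 -j LOG --log-level 4 --log-prefix "TARPIT {sec.name}: "',
        f"iptables -A {chain} -m tcp -p tcp -j TARPIT",
        f"iptables -A input_{sec.src}_rule -m set --match-set {setname} dst -m tcp -p tcp -j {chain}",
    ]
    return cmds


if __name__ == "__main__":
    for section in load_tarpits(SAMPLE_CONFIG):
        print("\n".join(render_commands(section)))
```

Running it prints the command list for each section without touching the kernel, so a bad dest_port value is caught as a ValueError before any set or chain exists, rather than leaving a half-built set behind as the shell loop does.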