Differentiating port-forwarding in iptables rules

Paul D newtwen at gmail.com
Sun Nov 10 13:53:59 PST 2024


Shooting from the hip a bit here, but how about a fwmark?


# set mark for remapped traffic
# (mangle PREROUTING is traversed before nat PREROUTING, so this rule still sees
# the pre-DNAT port: match the external port 2300 rather than 23. Don't match
# --ctstate DNAT here either; it isn't set yet on the connection's first packet.)
iptables -t mangle -A PREROUTING -p tcp --dport 2300 -j MARK --set-mark <mark>

# apply tarpit if not remapped
# (filter INPUT runs after DNAT, so --dport 23 now matches both direct and
# remapped flows; the mark is what tells them apart. TARPIT needs xtables-addons.)
iptables -A INPUT -p tcp --dport 23 -m mark ! --mark <mark> -j TARPIT



On 2024-11-10 21:49, Philip Prindeville wrote:
> Hi,
> 
> I’m still using firewall3 (yeah, yeah, I know).
> 
> I remap certain ports, and I TARPIT them on the well-known service port, but that’s also catching the remapped destination port.
> 
> For instance, let’s say I run Telnet (I don’t, but we’ll use it as an example) from 2300 to 23.  I want to TARPIT traffic arriving (unmapped) on 23, but traffic remapped from 2300 to 23 I don’t want to TARPIT.
> 
> How do I differentiate these in the rules?  I thought the MARK might give a hint but it doesn’t.
> 
> Is there another attribute I can use?
> 
> Thanks,
> 
> -Philip
> 
> 




More information about the openwrt-devel mailing list