You know, there is a newer XT Tarpit. I've been using it awhile now. There's an ipset patch too, but you didn't ask. Here's the ones I used from the 2.6.22.6 I put together last night. Vanilla kernel and iptables snapshot, I started with. Make sure ip_TARPIT is cleared out of your config, and <M> (module) the XT_TARPIT option:

CONFIG_NETFILTER_XT_TARGET_TARPIT=m
# CONFIG_IP_NF_TARGET_TARPIT is not set



tftp://atr2.ath.cx/tarpit-xt.zip

(Note tftp, not ftp- I find people stumbling around ftp directories looking for files that aren't there sometimes, but possibly that's an MSIE bug^H^H^Hfeature...)

See the zip comment for a few, umm... comments


Update: in.tftp evidently has its own idea of how hosts_access should be looked up when the service doesn't appear in either allow or deny, so if the link doesn't work, switch protocol to https and use the same path. Sorry 'bout that.

Just for confirmation, x_tables is the new netfilter framework designed to unify the backend for {ip,ip6,arp}_tables, correct?

Do you know if/whether xt_TARPIT coming into POM-ng or mainline kernel anytime soon? This thread suggests it is ready, but may not make it until after 2.6.24.

Update on this. I finally got the module compiled using the fixes in this thread but could not get the module loaded no matter what. Just said module didnt exist.

So the other night in irc someone found this site
http://enterprise.bidmc.harvard.edu/pub/tarpit-updates/

Didnt compile, tried on 2.6.19.2-grsec and 2.6.22.9-grsec (testing patch) similar errors as the old one.

2.6.22.9-grsec errors - http://pastebin.ca/720168
2.6.19.2-grsec errors - http://pastebin.ca/720174

Doesnt look like the tarpit module is gonna work out with any newer kernel. If someone has got this to work with at least a 2.6.19 kernel please elaborate how you did it.

But I think I will pretty much give up on it, will have to. Doesnt look like its gonna be maintained anymore and there is a real lack of interest in it. So probably another good idea that is gonna fade away

What was the exact message? Was the module in /lib/modules? Did you run “depmod” after installation? Did you try insmoding the object by hand? Was there any output in dmesg?
Both of those errors seem to be addressed in the bottom portion of post 13. Basically, the fix is to remove the line that references nf_debug. Alternatively, you could compile your kernel without selecting CONFIG_NETFILTER_DEBUG. My guess is that nobody has noticed this compilation error since almost nobody builds their kernel with CONFIG_NETFILTER_DEBUG.
I actually have an almost-vanilla 2.6.21 kernel running it as we speak. It’s the vanilla patch-o-matic-ng version, and my kernel’s .config file says “# CONFIG_NETFILTER_DEBUG is not set” (you can check if this is the case on your running kernel with “zgrep CONFIG_NETFILTER_DEBUG /proc/config.gz”). I also have an older version of tarpit running on 2.6.16-grsec on which I made a few minor changes, the details of which escape me after so long. In both cases, the modules seem to work as intended.
You don’t have to give up on it. In any case, it seems that this module is being supplanted by its x_tables-compatible counterpart, as mentioned here. Hopefully, it will be in the kernel within a few releases.

Thank you very much!
unchecking the netfilter debig option fixed it, now am able to load and use the module just fine.
Thanks for all your help

I'm having trouble compiling the xt_tarpit module as well.

kernel is a vanilla 2.6.22.10 kernel from kernel.org, I first tried applying the patch offered on page one of this thread, and wound up with the compile failing:

ERROR: "secure_tcp_sequence_number" [net/netfilter/xt_TARPIT.ko] undefined!

so I tried the patch-o-matic patch for 2.6.22 as well, and it comes up with a similar error:

ERROR: "secure_tcp_sequence_number" [net/ipv4/netfilter/ipt_TARPIT.ko] undefined!

google found reference to this:
http://archives.free.net.ph/message/...8f567d.en.html

which deals with secure_tcp_sequence_number not being exported from drivers/char/random.c ... I looked in random.c and found this:

#ifdef CONFIG_INET
EXPORT_SYMBOL(secure_tcp_sequence_number);
#endif

which indicates to me that it is exported, right?

any thoughts?

It indicates the symbol is exported if and only if CONFIG_INET is defined. Are you trying to compile for a kernel configured without a network stack (or perhaps it is IPv6 only)? In any case, check the output of
where .config is the config file for the target kernel.

turns out that secure_tcp export was added by the xt_tarpit patch ... so I did a make clean on the kernel source, then a make to rebuild everything (ditto on the iptables source, just to be safe). after rebooting with the new kernel, the module loads just fine.

Still working on 2.6.23.1, with fuzzy matchup. I should do a cleaned up diff. More stuff seems to be moving to the XT format with the 2.6.23 series. I think patch-o-matic is of little or no use with these kernels; wish they'd update it.

I tried to compile iptables 1.4.0 TARPIT with 2.26.23 vanilla using the following patches:

http:
enterprise.bidmc.harvard.edu/pub/tarpit-updates/

Unfortunately, there is error when compiling it. It has something to do with the following lines of code:

net/netfilter/xt_TARPIT.c: In function ‘tarpit_tcp’:
net/netfilter/xt_TARPIT.c:114: error: implicit declaration of function ‘nf_conntrack_put’
net/netfilter/xt_TARPIT.c:114: error: ‘struct sk_buff’ has no member named ‘nfct’
net/netfilter/xt_TARPIT.c:115: error: ‘struct sk_buff’ has no member named ‘nfct’
make[2]: *** [net/netfilter/xt_TARPIT.o] Error 1
make[1]: *** [net/netfilter] Error 2


Could someone point me to a patch that could fix the problem? Sorry for the broken URL because I am a newbie. This is my first post and I cannot post URL.

Thanks in advance!

Hung

make sure you deselect the netfilter debugging in kernel config. I recently got the new updates from that hardvard site and they have worked flawlessly with the latest kernels.

Here is a config for the 2.6.24.3 kernel with grsecurity and tarpit, works like a charm