iptables 1.2.7a TARPIT target problems

[elfarto]

Suppose you want to use the TARPIT target for iptables, to stop or at least slow down 31337 scoundrels DOSing your box.

You set a rule eading like:
iptables -A INPUT -p udp -s 0/0 -d $NET --dport 53 -m limit --limit 5/second -j TARPIT
and you get a nice error from iptables:
iptables v1.2.7a: Couldn't load target `TARPIT':/lib/iptables/libipt_TARPIT.so: cannot open shared object file: No such file or directory

The file obviously doens't exist and i've found no trace of it for ipt 1.2.7a (but i goolgled and i got a patch for iptables 1.2.6) so somehow the tarpit in not functional in this version of iptables, anyone can point me to a valid patch/procedure/whatever to make TARPIT functional ??

Thanks a lot

[mglauche]

I think the destinations for iptables are in the kernel. So check your kernel config if it has the TARPIT target, if its not there, its possible that u need to run the patch-o-matic from the netfilter team to bring your kenrnel modules up to date

[elfarto]

It happens that you need a later CVS version of iptables, of the shelf 1.2.7a doesn't include the user mode library ipt_TARPIT.so , you either fetch the whole package or just grab ipt_TARPIT.c and Makefile from the extensions dir on the CVS tree.

[Cheesefoam]

Tarpit, AFAIK, only works with TCP connections, not UDP.

Also, if you emerge the ~x86 portage version of iptables, it now supports tarpit targets.