343 lines
9.1 KiB
Diff
343 lines
9.1 KiB
Diff
Index: iptables-1.3.8/extensions/.CHAOS-test
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ iptables-1.3.8/extensions/.CHAOS-test 2007-07-31 15:27:57.000000000 -0500
|
|
@@ -0,0 +1,2 @@
|
|
+#!/bin/sh
|
|
+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_CHAOS.h" ] && echo "CHAOS";
|
|
Index: iptables-1.3.8/extensions/.DELUDE-test
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ iptables-1.3.8/extensions/.DELUDE-test 2007-07-31 15:27:57.000000000 -0500
|
|
@@ -0,0 +1,2 @@
|
|
+#!/bin/sh
|
|
+echo "DELUDE";
|
|
Index: iptables-1.3.8/extensions/libipt_CHAOS.c
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ iptables-1.3.8/extensions/libipt_CHAOS.c 2007-07-31 15:27:57.000000000 -0500
|
|
@@ -0,0 +1,111 @@
|
|
+/*
|
|
+ CHAOS target for iptables
|
|
+
|
|
+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
|
|
+ released under the terms of the GNU General Public
|
|
+ License version 2.x and only versions 2.x.
|
|
+*/
|
|
+#include <getopt.h>
|
|
+#include <stdio.h>
|
|
+#include <string.h>
|
|
+
|
|
+#include <iptables.h>
|
|
+#include <linux/netfilter_ipv4/ip_tables.h>
|
|
+#include <linux/netfilter/xt_CHAOS.h>
|
|
+
|
|
+static void libipt_chaos_help(void)
|
|
+{
|
|
+ printf(
|
|
+ "CHAOS target v%s options:\n"
|
|
+ " --delude Enable DELUDE processing for TCP\n"
|
|
+ " --tarpit Enable TARPIT processing for TCP\n",
|
|
+ IPTABLES_VERSION);
|
|
+ return;
|
|
+}
|
|
+
|
|
+static int libipt_chaos_parse(int c, char **argv, int invert,
|
|
+ unsigned int *flags, const struct ipt_entry *entry,
|
|
+ struct ipt_entry_target **target)
|
|
+{
|
|
+ struct xt_chaos_info *info = (void *)((*target)->data);
|
|
+ switch(c) {
|
|
+ case 'd':
|
|
+ info->variant = XTCHAOS_DELUDE;
|
|
+ *flags |= 0x02;
|
|
+ return 1;
|
|
+ case 't':
|
|
+ info->variant = XTCHAOS_TARPIT;
|
|
+ *flags |= 0x01;
|
|
+ return 1;
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static void libipt_chaos_check(unsigned int flags)
|
|
+{
|
|
+ if(flags != 0x03)
|
|
+ return;
|
|
+ /* If flags == 0x03, both were specified, which should not be. */
|
|
+ exit_error(PARAMETER_PROBLEM,
|
|
+ "CHAOS: only one of --tarpit or --delude may be specified");
|
|
+ return;
|
|
+}
|
|
+
|
|
+static void libipt_chaos_print(const struct ipt_ip *ip,
|
|
+ const struct ipt_entry_target *target, int numeric)
|
|
+{
|
|
+ const struct xt_chaos_info *info = (const void *)target->data;
|
|
+ switch(info->variant) {
|
|
+ case XTCHAOS_DELUDE:
|
|
+ printf("DELUDE ");
|
|
+ break;
|
|
+ case XTCHAOS_TARPIT:
|
|
+ printf("TARPIT ");
|
|
+ break;
|
|
+ default:
|
|
+ break;
|
|
+ }
|
|
+ return;
|
|
+}
|
|
+
|
|
+static void libipt_chaos_save(const struct ipt_ip *ip,
|
|
+ const struct ipt_entry_target *target)
|
|
+{
|
|
+ const struct xt_chaos_info *info = (const void *)target->data;
|
|
+ switch(info->variant) {
|
|
+ case XTCHAOS_DELUDE:
|
|
+ printf("--delude ");
|
|
+ break;
|
|
+ case XTCHAOS_TARPIT:
|
|
+ printf("--tarpit ");
|
|
+ break;
|
|
+ default:
|
|
+ break;
|
|
+ }
|
|
+ return;
|
|
+}
|
|
+
|
|
+static struct option libipt_chaos_opts[] = {
|
|
+ {"delude", 0, NULL, 'd'},
|
|
+ {"tarpit", 0, NULL, 't'},
|
|
+ {NULL},
|
|
+};
|
|
+
|
|
+static struct iptables_target libipt_chaos_info = {
|
|
+ .name = "CHAOS",
|
|
+ .version = IPTABLES_VERSION,
|
|
+ .size = IPT_ALIGN(sizeof(struct xt_chaos_info)),
|
|
+ .userspacesize = IPT_ALIGN(sizeof(struct xt_chaos_info)),
|
|
+ .help = libipt_chaos_help,
|
|
+ .parse = libipt_chaos_parse,
|
|
+ .final_check = libipt_chaos_check,
|
|
+ .print = libipt_chaos_print,
|
|
+ .save = libipt_chaos_save,
|
|
+ .extra_opts = libipt_chaos_opts,
|
|
+};
|
|
+
|
|
+static __attribute__((constructor)) void libipt_chaos_init(void)
|
|
+{
|
|
+ register_target(&libipt_chaos_info);
|
|
+ return;
|
|
+}
|
|
Index: iptables-1.3.8/extensions/libipt_DELUDE.c
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ iptables-1.3.8/extensions/libipt_DELUDE.c 2007-07-31 15:27:57.000000000 -0500
|
|
@@ -0,0 +1,66 @@
|
|
+/*
|
|
+ DELUDE target for iptables
|
|
+
|
|
+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
|
|
+ released under the terms of the GNU General Public
|
|
+ License version 2.x and only versions 2.x.
|
|
+*/
|
|
+#include <getopt.h>
|
|
+#include <stdio.h>
|
|
+#include <string.h>
|
|
+
|
|
+#include <iptables.h>
|
|
+#include <linux/netfilter_ipv4/ip_tables.h>
|
|
+
|
|
+static void libipt_delude_help(void)
|
|
+{
|
|
+ printf("DELUDE takes no options\n");
|
|
+ return;
|
|
+}
|
|
+
|
|
+static int libipt_delude_parse(int c, char **argv, int invert,
|
|
+ unsigned int *flags, const struct ipt_entry *entry,
|
|
+ struct ipt_entry_target **target)
|
|
+{
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static void libipt_delude_check(unsigned int flags)
|
|
+{
|
|
+ return;
|
|
+}
|
|
+
|
|
+static void libipt_delude_print(const struct ipt_ip *ip,
|
|
+ const struct ipt_entry_target *target, int numeric)
|
|
+{
|
|
+ return;
|
|
+}
|
|
+
|
|
+static void libipt_delude_save(const struct ipt_ip *ip,
|
|
+ const struct ipt_entry_target *target)
|
|
+{
|
|
+ return;
|
|
+}
|
|
+
|
|
+static struct option libipt_delude_opts[] = {
|
|
+ {NULL},
|
|
+};
|
|
+
|
|
+static struct iptables_target libipt_delude_info = {
|
|
+ .name = "DELUDE",
|
|
+ .version = IPTABLES_VERSION,
|
|
+ .size = IPT_ALIGN(0),
|
|
+ .userspacesize = IPT_ALIGN(0),
|
|
+ .help = libipt_delude_help,
|
|
+ .parse = libipt_delude_parse,
|
|
+ .final_check = libipt_delude_check,
|
|
+ .print = libipt_delude_print,
|
|
+ .save = libipt_delude_save,
|
|
+ .extra_opts = libipt_delude_opts,
|
|
+};
|
|
+
|
|
+static __attribute__((constructor)) void libipt_delude_init(void)
|
|
+{
|
|
+ register_target(&libipt_delude_info);
|
|
+ return;
|
|
+}
|
|
Index: iptables-1.3.8/extensions/libipt_portscan.c
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ iptables-1.3.8/extensions/libipt_portscan.c 2007-07-31 15:27:57.000000000 -0500
|
|
@@ -0,0 +1,129 @@
|
|
+/*
|
|
+ portscan match for iptables
|
|
+
|
|
+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
|
|
+ released under the terms of the GNU General Public
|
|
+ License version 2.x and only versions 2.x.
|
|
+*/
|
|
+#include <stdio.h>
|
|
+#include <string.h>
|
|
+#include <stdlib.h>
|
|
+#include <getopt.h>
|
|
+
|
|
+#include <iptables.h>
|
|
+#include <linux/netfilter_ipv4/ip_tables.h>
|
|
+#include <linux/netfilter/xt_portscan.h>
|
|
+
|
|
+static void libipt_portscan_help(void)
|
|
+{
|
|
+ printf(
|
|
+ "portscan match v%s options:\n"
|
|
+ "(Combining them will make them match by OR-logic)\n"
|
|
+ " --stealth Match TCP Stealth packets\n"
|
|
+ " --synscan Match TCP SYN scans\n"
|
|
+ " --cnscan Match TCP Connect scans\n"
|
|
+ " --grscan Match Banner Grabbing scans\n",
|
|
+ IPTABLES_VERSION);
|
|
+ return;
|
|
+}
|
|
+
|
|
+static void libipt_portscan_mtinit(struct ipt_entry_match *match,
|
|
+ unsigned int *nfcache)
|
|
+{
|
|
+ /* Cannot cache this */
|
|
+ *nfcache |= NFC_UNKNOWN;
|
|
+ return;
|
|
+}
|
|
+
|
|
+static int libipt_portscan_parse(int c, char **argv, int invert,
|
|
+ unsigned int *flags, const struct ipt_entry *entry, unsigned int *nfc,
|
|
+ struct ipt_entry_match **match)
|
|
+{
|
|
+ struct xt_portscan_info *info = (void *)((*match)->data);
|
|
+
|
|
+ switch(c) {
|
|
+ case 'c':
|
|
+ info->match_cn = 1;
|
|
+ return 1;
|
|
+ case 'g':
|
|
+ info->match_gr = 1;
|
|
+ return 1;
|
|
+ case 's':
|
|
+ info->match_syn = 1;
|
|
+ return 1;
|
|
+ case 'x':
|
|
+ info->match_stealth = 1;
|
|
+ return 1;
|
|
+ default:
|
|
+ return 0;
|
|
+ }
|
|
+}
|
|
+
|
|
+static void libipt_portscan_check(unsigned int flags)
|
|
+{
|
|
+ return;
|
|
+}
|
|
+
|
|
+static void libipt_portscan_print(const struct ipt_ip *ip,
|
|
+ const struct ipt_entry_match *match, int numeric)
|
|
+{
|
|
+ const struct xt_portscan_info *info = (const void *)(match->data);
|
|
+ const char *s = "";
|
|
+
|
|
+ printf("portscan ");
|
|
+ if(info->match_stealth) {
|
|
+ printf("STEALTH");
|
|
+ s = ",";
|
|
+ }
|
|
+ if(info->match_syn) {
|
|
+ printf("%sSYNSCAN", s);
|
|
+ s = ",";
|
|
+ }
|
|
+ if(info->match_cn) {
|
|
+ printf("%sCNSCAN", s);
|
|
+ s = ",";
|
|
+ }
|
|
+ if(info->match_gr)
|
|
+ printf("%sGRSCAN", s);
|
|
+ printf(" ");
|
|
+ return;
|
|
+}
|
|
+
|
|
+static void libipt_portscan_save(const struct ipt_ip *ip,
|
|
+ const struct ipt_entry_match *match)
|
|
+{
|
|
+ const struct xt_portscan_info *info = (const void *)(match->data);
|
|
+ if(info->match_stealth) printf("--stealth ");
|
|
+ if(info->match_syn) printf("--synscan ");
|
|
+ if(info->match_cn) printf("--cnscan ");
|
|
+ if(info->match_gr) printf("--grscan ");
|
|
+ return;
|
|
+}
|
|
+
|
|
+static struct option libipt_portscan_opts[] = {
|
|
+ {"stealth", 0, NULL, 'x'},
|
|
+ {"synscan", 0, NULL, 's'},
|
|
+ {"cnscan", 0, NULL, 'c'},
|
|
+ {"grscan", 0, NULL, 'g'},
|
|
+ {NULL},
|
|
+};
|
|
+
|
|
+static struct iptables_match libipt_portscan_info = {
|
|
+ .name = "portscan",
|
|
+ .version = IPTABLES_VERSION,
|
|
+ .size = IPT_ALIGN(sizeof(struct xt_portscan_info)),
|
|
+ .userspacesize = IPT_ALIGN(sizeof(struct xt_portscan_info)),
|
|
+ .help = libipt_portscan_help,
|
|
+ .init = libipt_portscan_mtinit,
|
|
+ .parse = libipt_portscan_parse,
|
|
+ .final_check = libipt_portscan_check,
|
|
+ .print = libipt_portscan_print,
|
|
+ .save = libipt_portscan_save,
|
|
+ .extra_opts = libipt_portscan_opts,
|
|
+};
|
|
+
|
|
+static __attribute__((constructor)) void libipt_portscan_init(void)
|
|
+{
|
|
+ register_match(&libipt_portscan_info);
|
|
+ return;
|
|
+}
|
|
Index: iptables-1.3.8/extensions/.portscan-test
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ iptables-1.3.8/extensions/.portscan-test 2007-07-31 15:27:57.000000000 -0500
|
|
@@ -0,0 +1,2 @@
|
|
+#!/bin/sh
|
|
+[ -f "$KERNEL_DIR/include/linux/netfilter/xt_portscan.h" ] && echo "portscan";
|