I have developed a module for Netfilter which provides the following:

- a new TARGET (BLACKLIST). When a packet passes through it, its source IP is added to a list.
- a new MATCH (blacklist). When a packet's source IP is found in the list, it is matched.

Well, quite easy, isn't it? (er... please, don't say 'yes' yet :) )

*****************************************
* (obviously-too-small) documentation : *
*****************************************

Options to the TARGET:
--list-name  : name of the list, because it's possible to have many lists (for different purposes).
--min-packet : Minimum number of packets to receive from that IP to get it as MATCHable.
--min-ports  : Minimum number of different proto/services to receive.
  [note: both options are active: if "min-ports" different proto/services are received, (non-X) OR if "min-packet" packets are received, the packet will match]
--entry-ttl  : (for whole list) Delay (compared to last received packet) a MATCHing entry is kept in the list.
--keep-entry : (for whole list) Delay (compared...) a not-yet-MATCHing entry (aka. IP) is kept in the list.

Remark: the TARGET neither ACCEPTs nor DROPs the packet; it counts it then returns to the chain. (up to you to do what you want with it...)

Options to the MATCH:
--list-name : name of the list.

Remark: when a packet is matching, the counter in the list is incremented... so if it is sent afterwards to the TARGET, it will be counted twice, which has no negative effect on the behaviour.

Procfs entry:
/proc/net/ip_blacklist: there you'll see the list of all the IPs that are MATCHing. (much more stuff should be there...)

************************
* License, Future, ... *
************************

This code is provided only for test purposes. You are not allowed to keep it. The next release will be GPL, but this one is not.

My goal is: I consider that providing a doc is mandatory, but it takes time. So, before starting it, I want to ensure it won't be a waste. That's why I provide this, to have feedback. If the code were to be 'accepted' (ie: merged to Netfilter), I will provide documentation and a ready-to-patch version of this code.

*********
* Misc. *
*********

Compilation problems... (sure, there will be...)

The Makefile provided should work with a simple 'make'... The module has been successfully built against 2.4.18. The iptables modules were built against v1.2.6a.

During the dev, I had a problem with iptables' "iptable.h" which was not found, so you might need to add a "-I(...)" to the "INCLUDE=" line pointing to the include dir of the iptables sources. (but I believe this is not a real problem, just me who missed a point on my side...)

The code shall be bug-free. But if real bug-free code really existed, life would be wonderful...

Hope you'll get something from all this :)

Best regards,
Chris.

-- 
 /"\
 \ /    ASCII Ribbon Campaign
  x     Say NO to HTML in email and news
 / \
blacklist-0.0.0.tar.gz
Description: GNU Zip compressed data
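To make the documented semantics concrete (thresholds combined with a non-exclusive OR, the two TTLs measured from the last packet, and a MATCH hit bumping the counter), here is a userspace model of the list logic. This is an added example, not code from the attached blacklist-0.0.0.tar.gz: the struct and function names, the fixed-size table, the proto/port cap, and the choice that a MATCH hit also refreshes the last-packet time are assumptions, and the thresholds used below are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BL_MAX_ENTRIES  64   /* assumed table size for this model */
#define BL_MAX_SERVICES 16   /* assumed cap on distinct proto/port per IP */

struct bl_entry {                       /* one source IP seen by the TARGET */
    bool     used;
    uint32_t saddr;                     /* source IP, host byte order */
    unsigned packets;                   /* counted by TARGET and by MATCH hits */
    unsigned nservices;                 /* distinct proto/port pairs seen */
    uint32_t services[BL_MAX_SERVICES]; /* proto << 16 | dport */
    long     last_seen;                 /* time of the last packet, seconds */
};

struct bl_list {                        /* one named list with its options */
    char     name[32];    /* --list-name */
    unsigned min_packet;  /* --min-packet */
    unsigned min_ports;   /* --min-ports */
    long     entry_ttl;   /* --entry-ttl: lifetime of a MATCHing entry */
    long     keep_entry;  /* --keep-entry: lifetime of a not-yet-MATCHing entry */
    struct bl_entry e[BL_MAX_ENTRIES];
};

static void bl_init(struct bl_list *l, const char *name, unsigned min_packet,
                    unsigned min_ports, long entry_ttl, long keep_entry)
{
    memset(l, 0, sizeof *l);
    snprintf(l->name, sizeof l->name, "%s", name);
    l->min_packet = min_packet; l->min_ports  = min_ports;
    l->entry_ttl  = entry_ttl;  l->keep_entry = keep_entry;
}

/* MATCHable once EITHER threshold is reached (non-exclusive OR). */
static bool bl_is_matching(const struct bl_list *l, const struct bl_entry *e)
{
    return e->packets >= l->min_packet || e->nservices >= l->min_ports;
}

/* Expire relative to the last packet: entry_ttl if MATCHing, else keep_entry. */
static void bl_expire(struct bl_list *l, long now)
{
    for (size_t i = 0; i < BL_MAX_ENTRIES; i++) {
        struct bl_entry *e = &l->e[i];
        if (!e->used) continue;
        long ttl = bl_is_matching(l, e) ? l->entry_ttl : l->keep_entry;
        if (now - e->last_seen > ttl) e->used = false;
    }
}

static struct bl_entry *bl_find(struct bl_list *l, uint32_t saddr)
{
    for (size_t i = 0; i < BL_MAX_ENTRIES; i++)
        if (l->e[i].used && l->e[i].saddr == saddr) return &l->e[i];
    return NULL;
}

/* BLACKLIST target: count the packet and return to the chain (no verdict).
 * Returns false only when the assumed fixed-size table is full. */
static bool bl_target(struct bl_list *l, uint32_t saddr, uint8_t proto,
                      uint16_t dport, long now)
{
    bl_expire(l, now);
    struct bl_entry *e = bl_find(l, saddr);
    if (!e) {
        for (size_t i = 0; i < BL_MAX_ENTRIES && !e; i++)
            if (!l->e[i].used) e = &l->e[i];
        if (!e) return false;
        memset(e, 0, sizeof *e);
        e->used = true;
        e->saddr = saddr;
    }
    e->packets++;
    e->last_seen = now;
    uint32_t svc = ((uint32_t)proto << 16) | dport;
    for (unsigned i = 0; i < e->nservices; i++)
        if (e->services[i] == svc) return true;   /* proto/port already known */
    if (e->nservices < BL_MAX_SERVICES) e->services[e->nservices++] = svc;
    return true;
}

/* blacklist match: true when saddr is listed and over a threshold. As the post
 * remarks, a hit also bumps the counter; refreshing last_seen is assumed. */
static bool bl_match(struct bl_list *l, uint32_t saddr, long now)
{
    bl_expire(l, now);
    struct bl_entry *e = bl_find(l, saddr);
    if (!e || !bl_is_matching(l, e)) return false;
    e->packets++;
    e->last_seen = now;
    return true;
}

/* Packets counted for saddr after expiry, 0 if it is not (or no longer) listed. */
static unsigned bl_packets(struct bl_list *l, uint32_t saddr, long now)
{
    bl_expire(l, now);
    struct bl_entry *e = bl_find(l, saddr);
    return e ? e->packets : 0;
}
```

Two things the model makes visible that the option list alone does not: a host hitting three distinct ports is listed immediately even though it sent only three packets (min-ports wins), and because a MATCH hit counts as a received packet, a source that keeps sending while it matches keeps its entry alive for entry-ttl beyond its last packet, so a firewall that ends up DROPping matched packets on top of the counter will hold the entry for as long as the source keeps trying.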