netfilter/iptables - Patch-o-Matic Listing - extra

Patches in this repository: TARPIT, conntrack_nonat, directx8-conntrack-nat, eggdrop-conntrack, layer2-hooks, mms-conntrack-nat, msnp-conntrack-nat, quake3-conntrack-nat, rsh, rtsp-conntrack, talk-conntrack-nat
TARPIT

Adds a TARPIT target to iptables, which captures and holds incoming TCP connections using no local per-connection resources. Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes.

This offers similar functionality to LaBrea <http://www.hackbusters.net/LaBrea/> but doesn't require dedicated hardware or IPs. Any TCP port that you would normally DROP or REJECT can instead become a tarpit.

To tarpit connections to TCP port 80 destined for the current machine:

iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

To significantly slow down Code Red/Nimda-style scans of unused address space, forward unused IP addresses to a Linux box not acting as a router (e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP forwarding on the Linux box, and add:

iptables -A FORWARD -p tcp -j TARPIT
iptables -A FORWARD -j DROP

You probably don't want the conntrack module loaded while you are using TARPIT, or you will be using resources per connection.
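The persist-state exchange described above, as an added example in Python that is not code from the TARPIT patch or the netfilter project: a scanner and a tarpit are modelled as two small state machines trading in-memory segments, using the probe interval (60-240 s) and give-up timeout (12-24 min) quoted in the text. Drawing the probe interval uniformly, the segment fields and the function names are assumptions of this model; the point it makes concrete is that the tarpit side decides everything from the incoming segment alone and therefore stores nothing per connection, while the scanner holds a socket open for the whole timeout and delivers no payload.

```python
"""Simulation of the TCP persist-state tarpit described above.

Added example; not code from the TARPIT patch or the netfilter project. Both
peers are modelled as small state machines exchanging in-memory segments. The
probe interval (60-240 s) and the give-up timeout (12-24 min) are the figures
from the text; drawing the interval uniformly is an assumption of this model.
"""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROBE_MIN_S, PROBE_MAX_S = 60, 240   # persist-probe interval cited above


@dataclass(frozen=True)
class Segment:
    flags: str      # "SYN", "SYN-ACK", "ACK", "FIN" or "RST"
    window: int     # advertised receive window in bytes
    payload: int    # payload bytes carried (a window probe carries 1)
    t: float        # simulated send time in seconds


def tarpit_reply(seg: Segment) -> Optional[Segment]:
    """Tarpit side. Every decision depends only on the incoming segment, so the
    tarpit stores nothing per connection (the property the text relies on)."""
    if seg.flags == "SYN":
        # accept the connection but advertise a zero window: the peer may not send data
        return Segment("SYN-ACK", window=0, payload=0, t=seg.t)
    if seg.flags == "ACK":
        # answer window probes with the window still closed; the peer stays in persist
        return Segment("ACK", window=0, payload=0, t=seg.t)
    # FIN and RST are ignored; the peer has to time the connection out itself
    return None


def scan_one_port(timeout_s: float, payload_bytes: int = 512, seed: int = 0) -> dict:
    """Scanner side: complete the handshake, try to push payload_bytes, and give
    up once timeout_s seconds have passed without the window opening.
    Returns what the attempt cost each side."""
    rng = random.Random(seed)
    t = 0.0
    probes = 0
    delivered = 0
    exchange: List[Tuple[Segment, Optional[Segment]]] = []

    def send(seg: Segment) -> Optional[Segment]:
        reply = tarpit_reply(seg)
        exchange.append((seg, reply))
        return reply

    synack = send(Segment("SYN", window=65535, payload=0, t=t))
    assert synack is not None and synack.flags == "SYN-ACK"
    peer_window = synack.window
    send(Segment("ACK", window=65535, payload=0, t=t))   # handshake complete

    # Persist state: with a zero window the sender may only probe with one byte,
    # every PROBE_MIN_S..PROBE_MAX_S seconds, until the window opens or it gives up.
    while peer_window == 0 and t < timeout_s:
        t += rng.uniform(PROBE_MIN_S, PROBE_MAX_S)
        probes += 1
        reply = send(Segment("ACK", window=65535, payload=1, t=t))
        peer_window = reply.window if reply else 0
    if peer_window > 0:
        delivered = min(payload_bytes, peer_window)

    # Give up and try to close; the tarpit drops the FIN, so the scanner's socket
    # stays open until its own close timer expires as well.
    send(Segment("FIN", window=65535, payload=0, t=t))

    return {
        "held_seconds": t,              # time of the probe at which the scanner gave up
        "probes_sent": probes,
        "payload_delivered": delivered,
        "tarpit_state_entries": 0,      # tarpit_reply() kept no state at all
        "scanner_state_entries": 1,     # one socket held open for the whole duration
        "exchange": exchange,
    }


if __name__ == "__main__":
    result = scan_one_port(timeout_s=12 * 60, seed=1)
    for seg, reply in result["exchange"][:4]:
        print(f"t={seg.t:7.1f}s  scanner {seg.flags:7} win={seg.window}  ->  "
              f"tarpit {reply.flags if reply else '(dropped)'} "
              f"win={reply.window if reply else '-'}")
    print({k: v for k, v in result.items() if k != "exchange"})
```

Running it with a 12-minute timeout shows between 3 and 12 probes, zero bytes delivered and the FIN left unanswered; the same model also makes clear why the text warns against loading conntrack alongside TARPIT, since a conntrack entry per tarpitted flow would reintroduce exactly the per-connection state the target avoids.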
conntrack_nonat

The patch introduces an optimization in the per-bucket locking for the conntrack-only (i.e. no NAT at all) case. The patch depends on conntrack_locking.patch.
eggdrop-conntrack

This adds CONFIG_IP_NF_EGG: connection tracking for eggdrop bot networks. It now also supports eggdrop v1.6.x.
layer2-hooks

This adds netfilter hooks to layer 2 packet processing.
mms-conntrack-nat

This adds CONFIG_IP_NF_MMS: support for Microsoft Streaming Media Services. This allows client (Windows Media Player) and server to negotiate the protocol (UDP, TCP) and port for the media stream. A partially reverse engineered protocol analysis is available from http://get.to/sdp, together with a link to a Linux client.

By default, the helper module tracks TCP traffic over port 1755 and adds the necessary UDP or TCP expectation. It is recommended to also open UDP port 1755 to the server, as this port is used for retransmission requests. This helper has been tested in SNAT and DNAT setups. Note that this helper has *nothing* to do with ip_masq_mms for 2.2 kernels!
quake3-conntrack-nat

This adds CONFIG_IP_NF_QUAKE3: a Quake III Arena support module for netfilter connection tracking/NAT. Quake III Arena Internet multiplayer works by querying an Internet master server on UDP port 27950 for specific Quake III servers. The master server responds with the IP addresses and UDP ports of registered game servers. Those UDP ports can be randomly chosen (although 27960 is often used). This connection tracking module will listen for UDP replies from a master server, and will add the necessary expectations for connections from client to game servers.
rsh

This adds the CONFIG_IP_NF_RSH option, which is the RSH connection tracker.

An RSH connection tracker is required if the dynamic stderr "Server to Client" connection is to occur during a normal RSH session. This typically operates as follows:

Client 0:1023 --> Server 514     (stream 1 - stdin/stdout)
Client 0:1023 <-- Server 0:1023  (stream 2 - stderr)

This connection tracker will identify new RSH sessions, extract the outbound session details, and notify netfilter of pending "related" sessions.

Usage:

The intended usage of this module would be with a ruleset such as:

# New session from client to server (stream 1)
-A PREROUTING -t nat -m state -i eth0 -p tcp -s ${client} --sport 0:1023 -d ${server} --dport 514 --state NEW,ESTABLISHED -j ACCEPT

# Continued session from server to client (stream 1)
-A PREROUTING -t nat -m state -i eth1 -p tcp -s ${server} --sport 514 -d ${client} --dport 0:1023 ! --syn --state ESTABLISHED -j ACCEPT

# New session from server to client (stream 2)
-A PREROUTING -t nat -m state -i eth1 -p tcp -s ${server} --sport 0:1023 -d ${client} --dport 0:1023 --state RELATED,ESTABLISHED -j ACCEPT

# Continued session from client to server (stream 2)
-A PREROUTING -t nat -m state -i eth0 -p tcp -s ${client} --sport 0:1023 -d ${server} --dport 0:1023 ! --syn --state ESTABLISHED -j ACCEPT

The RSH module also supports Legato NetWorker backup. Legato NetWorker is based on both Sun RPC and REXEC (see RPC module).

Warning:

This module could be dangerous. It is not "best practice" to use RSH; use SSH in all instances. (rfc1244, rfc1948, rfc2179, etc. ad nauseam)
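What "extract the outbound session details" amounts to for RSH, as an added example in Python that is not the ip_conntrack_rsh helper's code: the BSD rsh client begins stream 1 with the port it wants the stderr stream delivered to, sent as an ASCII decimal number terminated by a NUL byte (followed by the local user name, remote user name and command, each NUL-terminated), and the server then connects back from a privileged port to that port. The functions below parse that announcement from the first payload and build the stream-2 expectation that the ruleset above accepts as RELATED. The class and function names, the use of source port 0 as a wildcard for the not-yet-known server port, and the sample tuple and payload are constructed for this example.

```python
"""Deriving the RSH 'related' stderr connection (stream 2) from stream 1.

Added example; not the ip_conntrack_rsh helper's code. The BSD rsh protocol
starts stream 1 with the client's chosen stderr port as an ASCII decimal number
terminated by NUL (then local user, remote user and command, each NUL-terminated);
the server connects back from a privileged port to that port. The helper has to
parse that announcement and register the expected tuple; this models that step.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tuple4:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_stderr_port(payload: bytes) -> Optional[int]:
    """Return the stderr port announced at the start of a stream-1 payload, or
    None if the announcement is missing, malformed or unusable. An announcement
    of '0' means the client wants no stderr stream, so nothing is expected."""
    nul = payload.find(b"\0")
    if nul <= 0 or nul > 5:           # empty, unterminated, or more than 5 digits
        return None
    digits = payload[:nul]
    if not digits.isdigit():
        return None
    port = int(digits)
    if not 1 <= port <= 65535:        # 0 = no secondary stream; >65535 = garbage
        return None
    return port


def expected_stderr_connection(stream1: Tuple4, payload: bytes) -> Optional[Tuple4]:
    """Build the stream-2 expectation (server -> client stderr) from the stream-1
    tuple and its first payload. Only sessions shaped like the ruleset above are
    considered (server port 514, privileged client port). The server's source
    port is not known in advance, so 0 is used here as a wildcard (a convention
    of this model; the kernel helper expresses the unknown part with a tuple mask)."""
    if stream1.dst_port != 514 or not 1 <= stream1.src_port <= 1023:
        return None
    port = parse_stderr_port(payload)
    if port is None:
        return None
    return Tuple4(src_ip=stream1.dst_ip, src_port=0, dst_ip=stream1.src_ip, dst_port=port)


def is_related(expectation: Tuple4, packet: Tuple4) -> bool:
    """Match a later server -> client connection attempt against the expectation.
    Like the stream-2 rule above, the server must use a privileged source port."""
    return (packet.src_ip == expectation.src_ip
            and packet.dst_ip == expectation.dst_ip
            and packet.dst_port == expectation.dst_port
            and 1 <= packet.src_port <= 1023
            and (expectation.src_port == 0 or packet.src_port == expectation.src_port))


# Constructed sample: client 192.0.2.10 opens stream 1 from port 1022 to the
# server's port 514 and announces port 1021 for stderr.
SAMPLE_STREAM1 = Tuple4("192.0.2.10", 1022, "192.0.2.20", 514)
SAMPLE_PAYLOAD = b"1021\0alice\0alice\0ls -l\0"

if __name__ == "__main__":
    exp = expected_stderr_connection(SAMPLE_STREAM1, SAMPLE_PAYLOAD)
    print("expect:", exp)
    print("server 1023 -> client 1021 related:",
          is_related(exp, Tuple4("192.0.2.20", 1023, "192.0.2.10", 1021)))
    print("server 40000 -> client 1021 related:",
          is_related(exp, Tuple4("192.0.2.20", 40000, "192.0.2.10", 1021)))
```

The expectation is deliberately narrow: it names the client address and the announced port, and it accepts only a privileged server source port, so a connection to any other client port, or from an unprivileged port, is not treated as RELATED and falls through to whatever the rest of the ruleset does with a NEW inbound connection.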
rtsp-conntrack

This patch adds CONFIG_IP_NF_RTSP: support for the RTSP protocol. This allows UDP transports to be set up properly, including RTP and RDT.
talk-conntrack-nat

This adds CONFIG_IP_NF_TALK: talk support module for netfilter connection tracking and NAT. This allows both the callee client - caller server and callee client - caller client connections to work through connection tracking and NAT.

By default, both talk (UDP port 517) and ntalk/ntalk2 (UDP port 518) are supported. Support for talk/ntalk/ntalk2 can be selectively enabled or disabled by the module parameters of the ip_conntrack_talk and ip_nat_talk modules:

talk=0|1
ntalk=0|1
ntalk2=0|1

where '0' means 'don't support' while '1' means 'do support' the given protocol flavour.