Xtables-addons is a project developed by Jan Engelhardt to replace the old patch-o-matic repository for the Linux kernel and iptables. Instead of patching the kernel source, extensions are built as modules, which allows extending a kernel without recompiling it.

I have created a Debian package, split in two parts: xtables-addons-source (the sources of the kernel modules), and xtables-addons-common (common files: shared libraries, man pages, binaries).

To install xtables-addons on Debian (sid only, but the package works on Lenny after a rebuild), run the following commands:

apt-get install module-assistant xtables-addons-source
module-assistant prepare
module-assistant auto-install xtables-addons-source

It will automatically install the headers for your kernel, build the modules, create a local package, and install it. What’s interesting is that, unlike before (using p-o-m or kernel patches), there is no need to reboot.

It adds new targets for iptables:

  • CHAOS: randomly use the REJECT, DELUDE or TARPIT targets. This fools network scanners by returning random results
  • DELUDE: always reply to a SYN with a SYN-ACK. This fools TCP half-open discovery
  • DHCPADDR: replace a MAC address from and to a VMware host
  • IPMARK: mark a packet based on its IP address
  • LOGMARK: log the packet and its mark to syslog
  • SYSRQ: trigger a sysrq over the network (sending a SAK over the network looks like a really funny idea ;)
  • TARPIT: try to slow down (or DoS) a remote host by capturing the session and holding it for a long time using a 0-byte TCP window. Run it on port 25 if you have no mail server, to slow down spammers ;)

There’s also a list of new match modules for iptables:

  • condition: match on a boolean value stored in /proc/net/nf_condition/name
  • dhcpaddr: match the DHCP Client Host address in a DHCP message
  • fuzzy: match a rate limit based on a fuzzy logic controller
  • geoip: match a packet by its source or destination country
  • ipp2p: match (certain) p2p protocols
  • portscan: try to match port scanners based on packet contents
  • quota2: named counters

It also provides a version of ipset, a framework to manage sets of IP addresses in iptables rules efficiently.
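As an added example (not part of the original post or of the xtables-addons project), here is a small script that builds an INPUT rule set with the condition and quota2 matches and the TARPIT and DELUDE targets listed above. It defaults to a dry run that only prints the iptables commands; the condition flag name "maint", the quota counter name "smtp_tarpit" and the port list are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Dry-run by default: prints
# the iptables commands. Pass "apply" as the first argument to execute them
# (requires root and the xtables-addons modules from xtables-addons-source).
set -eu

MODE="${1:-dry-run}"

# ipt: execute or echo an iptables command, depending on MODE.
ipt() {
    if [ "$MODE" = "apply" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# xta_rules: emit the rule set. The "maint" flag and the "smtp_tarpit"
# counter are constructed names for this example.
xta_rules() {
    # SSH is reachable unless the "maint" condition flag is set; the flag is
    # flipped at run time via /proc/net/nf_condition/maint, no rule reload.
    ipt -A INPUT -p tcp --dport 22 -m condition ! --condition maint -j ACCEPT
    # No mail server here: hold spammers in a zero-window TARPIT, but count
    # the bytes with a named quota2 counter so the rule stops matching after
    # the quota and its use can be audited in /proc/net/xt_quota/smtp_tarpit.
    ipt -A INPUT -p tcp --dport 25 -m quota2 --name smtp_tarpit --quota 1000000 -j TARPIT
    # SYNs to a few closed ports get a synthetic SYN-ACK, confusing half-open scans.
    ipt -A INPUT -p tcp --syn -m multiport --dports 23,135,445 -j DELUDE
}

# toggle_condition NAME 0|1: flip a condition match flag at run time.
toggle_condition() {
    if [ "$MODE" = "apply" ]; then
        echo "$2" > "/proc/net/nf_condition/$1"
    else
        printf 'echo %s > /proc/net/nf_condition/%s\n' "$2" "$1"
    fi
}

xta_rules
toggle_condition maint 0
```

In apply mode, a missing xtables-addons module shows up as iptables failing with "No chain/target/match by that name", which is the first thing to check when a rule refuses to load.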