LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-07-2003, 01:59 AM   #1
kahpeetan
LQ Newbie
 
Registered: Nov 2003
Distribution: redhat
Posts: 17

Rep: Reputation: 0
iptables string match


i have a linux box which i use as a gateway/router firewall for other PC's on my LAN. I tried setting the following iptable rule

iptables -A FORWARD -p tcp --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset

then using a puter on my LAN I google cmd.exe and opened a site ...page loaded in my browser...shoot no luck!!

so again..

iptables -A INPUT -p tcp --dport 80 -m string --string "cmd.exe" -j DROP

again page loaded successfully

so..

iptables -I INPUT 1 -m string --string "cmd.exe" -j DROP (this had got to work!!!)

whoopee worked like a charm

anyone know why the first 2 rules didnt work???

oh and btw ....-m string --string "KazaaClient" doesnt work...dammit....anyone used p2pwall before??
 
Old 11-08-2003, 04:20 PM   #2
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 46
It would depend on the other rules. For instance if you have a rule that allows ESTABLISHED, RELATED (which is very common) and it is before the string match and it is set to ACCEPT then the packet would probably not hit the string rule. Because the google search was initiated by you so it became an ESTABLISHED connection and the page was loaded.

Thats my guess.

I've never used Kazaa.
 
Old 11-09-2003, 02:16 AM   #3
Mrcdm
Member
 
Registered: Apr 2003
Location: Australia
Distribution: Debian 3, 31r0, 4, slackware, DSL, RH8.0/7, MDK9/10, et al. Vista is cute but not Linux - I tried
Posts: 70

Rep: Reputation: 15
You had the destination port in the rule for the INPUT not the source. As the data is coming from the other ends port 80 it is actually a source. If it where being requested from your computer then it would be a destination.

Got the convolluted picture?
 
Old 11-09-2003, 06:36 PM   #4
kahpeetan
LQ Newbie
 
Registered: Nov 2003
Distribution: redhat
Posts: 17

Original Poster
Rep: Reputation: 0
only rule i have preceeding this is to DROP all connections (to make this a mostly closed rule) and to log all SYN, FIN, ACK, RST and NULL packets before dropping

will try to change --dport to --sport and see if it works
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables: No chain/target/match by that name schatoor Linux - Networking 6 01-04-2009 09:10 PM
Regular expression to match a valid URL string vharishankar Programming 13 07-21-2005 09:17 PM
Iptables mac-match VS. transparent proxy mchanea Linux - Security 4 12-22-2004 06:42 AM
iptables POSTROUTING doesn't match local-process replies. bentz Linux - Networking 3 03-10-2004 06:34 PM
how to grep only one string pr match gummimann Linux - General 3 11-06-2003 09:40 AM


All times are GMT -5. The time now is 07:23 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration