LinuxQuestions.org, Linux - Security forum
Old 06-07-2005, 11:00 PM   #1
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,278

Is it possible to block text strings with IP tables?


If I want to block all tcp packets which contain the string "hotmail.com" can I do that with IP tables?

Will something like this work?
iptables -I INPUT -i eth0 -p tcp -m string --string "hotmail.com" -j DROP
 
Old 06-07-2005, 11:24 PM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

No, you cannot, plain and simple.
 
Old 06-08-2005, 08:40 AM   #3
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,278

Original Poster
It appears this firewall blocks strings with iptables:
http://www.infosecwriters.com/text_r...et/rc.firewall

How are they able to do it?
 
Old 06-08-2005, 10:38 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

http://www.netfilter.org/patch-o-mat...m-extra-string

There's actually a comment in the firewall that describes it: " DDoS_Prevent is experimental and requires "CONFIG_IP_NF_MATCH_STRING" as a module in your kernel. For more info check http://www.securityfocus.com/infocus/1531 "

The link describes the string match and POM in more detail.
 
Old 06-08-2005, 12:32 PM   #5
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Oops, I stand corrected. I was not aware of the experimental module. I would like to point out that if the contents of a page get split over multiple packets, that could interfere with this matching.
 
Old 06-19-2005, 01:39 PM   #6
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,278

Original Poster
I have installed iptables version 1.31 and the latest kernel, but I do not see this option:
CONFIG_IP_NF_MATCH_STRING

bubba:/usr/src/linux # cat .config | grep MATCH_STRING
bubba:/usr/src/linux # cat .config | grep STRING
CONFIG_IPMI_PANIC_STRING=y

How do I get that option to appear in my kernel?
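The two practical questions in this thread are whether the string match is available on a given box (post #6, where the grep finds nothing) and what a working rule looks like once it is (posts #1, #4 and #5). The following script is an added example and is not code from the thread or from netfilter: it assumes the in-tree module name xt_string and the Kconfig symbol CONFIG_NETFILTER_XT_MATCH_STRING, which replaced the patch-o-matic name CONFIG_IP_NF_MATCH_STRING quoted above, and it checks both; the chain name STRING_BLOCK, the log prefix and the DRY_RUN variable are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: test for the iptables string match
# and build a per-packet block for a pattern such as "hotmail.com".
# Assumptions: module xt_string; Kconfig symbol
# CONFIG_NETFILTER_XT_MATCH_STRING on current kernels, the older
# CONFIG_IP_NF_MATCH_STRING from the patch-o-matic days; both are accepted.

# Return 0 if the kernel .config at $1 enables the string match, either
# built in (=y) or as a module (=m), under either symbol name.
config_has_string_match() {
    grep -Eq '^CONFIG_(NETFILTER_XT_MATCH_STRING|IP_NF_MATCH_STRING)=[ym]$' "$1"
}

# Return 0 if the running kernel has the match registered right now.
# /proc/net/ip_tables_matches lists one match per line; the module may
# still need loading, so try modprobe first (ignored when not root).
kernel_has_string_match() {
    modprobe xt_string 2>/dev/null || true
    [ -r /proc/net/ip_tables_matches ] &&
        grep -qx string /proc/net/ip_tables_matches
}

# A pattern must be non-empty and at most 128 bytes
# (XT_STRING_MAX_PATTERN_SIZE in the kernel's xt_string header).
valid_pattern() {
    [ -n "$1" ] && [ $(( $(printf '%s' "$1" | wc -c) )) -le 128 ]
}

# Install (or, with DRY_RUN=1, just print) a dedicated chain that logs
# and then drops TCP packets arriving on interface $1 whose payload
# contains pattern $2. --algo is mandatory for the in-tree match
# (bm = Boyer-Moore); the 2005 patch-o-matic version took --string alone.
# Matching is per packet: a string split across two TCP segments is not
# seen, so the LOG line shows what actually matches before it is dropped.
apply_string_block() {
    iface=$1; pattern=$2
    valid_pattern "$pattern" || { echo "invalid pattern" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = 1 ]; then
        run() { echo "iptables $*"; }
    else
        run() { iptables "$@"; }
    fi
    # Reuse (and empty) the chain if a previous run already created it.
    run -N STRING_BLOCK 2>/dev/null || run -F STRING_BLOCK
    run -A STRING_BLOCK -j LOG --log-prefix "STRING-BLOCK: "
    run -A STRING_BLOCK -j DROP
    run -I INPUT -i "$iface" -p tcp -m string --algo bm \
        --string "$pattern" -j STRING_BLOCK
}

# Usage: sh string_block.sh demo  (prints the rules; set DRY_RUN=0 to apply)
case "${1:-}" in
    demo)
        if config_has_string_match "/boot/config-$(uname -r)" ||
           kernel_has_string_match; then
            echo "string match available"
        else
            echo "string match not available on this kernel" >&2
        fi
        apply_string_block eth0 hotmail.com
        ;;
esac
```

The availability check looks at both the kernel config and the live match list because a distribution kernel usually builds the match as a module that is not loaded until something uses it; the OP's `grep STRING .config` would also have failed for the simple reason that the symbol name differs between the patch-o-matic and in-tree versions.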
 
Old 06-19-2005, 01:51 PM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

by applying the string match patch maybe??
 
Old 06-19-2005, 01:57 PM   #8
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,278

Original Poster
I installed patch-o-matic, but it didn't seem to install the string match patch. Do you know where I can get the string match patch?

cd patch-o-matic-ng-20050618/
ls
less README
cat README
KERNEL_DIR=/usr/src/linux IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme pending
 
Old 06-19-2005, 02:04 PM   #9
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

AFAIK you wanna do a "./runme extra" and NOT a "./runme pending"...
 
Old 06-19-2005, 02:12 PM   #10
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,278

Original Poster
I tried extra, but it doesn't prompt me for the string package. Got any tips?

It goes:
...........

Testing rtsp-conntrack... not applied
The rtsp-conntrack patch:

Testing sip-conntrack-nat... not applied
The sip-conntrack-nat patch:

Testing talk-conntrack-nat... not applied
The talk-conntrack-nat patch:

.........

According to this page:
http://www.netfilter.org/patch-o-matic/pom-extra.html
the CONFIG_IP_NF_MATCH_STRING should come in between the rtsp-conntrack patch and the talk-conntrack-nat patch, but it's not; the sip-conntrack-nat patch is there instead.

Does anyone else get this?

Last edited by abefroman; 06-19-2005 at 02:39 PM.
 
Old 06-19-2005, 07:34 PM   #11
RandomLinuxNewb
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 101

You could always set up a DNS server on your network and then set up a zone for hotmail.com that points back to localhost or .
 
Old 06-19-2005, 08:16 PM   #12
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

wait, you are doing this string match thing just to block hotmail??
 
Old 06-19-2005, 10:26 PM   #13
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,278

Original Poster
And other things.
 
Old 06-20-2005, 06:48 AM   #14
scuzzman
Senior Member
 
Registered: May 2004
Location: Hilliard, Ohio, USA
Distribution: Slackware, Kubuntu
Posts: 1,851

In the server's /etc/hosts file, just point hotmail.com (and any other domains) to 127.0.0.1.
 
Old 06-20-2005, 12:04 PM   #15
jonlake
Member
 
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252

Why don't you just block the IP address of www.hotmail.com?
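The hosts-file approach in post #14 is the simplest of the alternatives offered, but it only changes name lookups on the machine whose /etc/hosts is edited; it does nothing for other hosts on the network, which is what the DNS zone in post #11 or an address-based rule as in post #15 would be for. The script below is an added example, not code from the thread: it sinkholes domains to 127.0.0.1 as the post suggests, validates the names before touching the file, and replaces any earlier entry so it can be rerun safely. The function names, the trailing `# sinkhole:` marker comment and the file path argument (passed in so it can be exercised on a scratch copy rather than the real /etc/hosts) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: sinkhole domains in a hosts file by
# pointing them at 127.0.0.1, idempotently. Assumptions: the hosts file
# path is $1 (use /etc/hosts for real, as root); each sinkhole line ends
# with a "# sinkhole:<domain>" marker that later runs use to find it.

# Accept only plausible host names (labels of letters, digits and '-'
# joined by dots) so a stray argument cannot corrupt the file.
valid_hostname() {
    printf '%s' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# For each domain after the hosts file argument, drop any existing line
# carrying our marker for that domain and append a fresh
# "127.0.0.1 <domain> www.<domain>" entry. The file is rewritten with
# cat > so its inode, owner and mode (and thus any bind mount) survive.
sinkhole_domains() {
    hosts=$1; shift
    [ -w "$hosts" ] || { echo "cannot write $hosts" >&2; return 1; }
    for d in "$@"; do
        valid_hostname "$d" || { echo "skipping bad name: $d" >&2; continue; }
        tmp=$(mktemp) || return 1
        # Exact comparison on the last field avoids regex surprises from
        # the dots in the domain and keeps hotmail.com distinct from
        # hotmail.com.example.
        awk -v m="sinkhole:$d" '$NF != m' "$hosts" > "$tmp"
        printf '127.0.0.1\t%s www.%s\t# sinkhole:%s\n' "$d" "$d" "$d" >> "$tmp"
        cat "$tmp" > "$hosts" && rm -f "$tmp"
    done
}

# Return 0 if name $2 appears on a 127.0.0.1 line of hosts file $1,
# ignoring anything after a '#' (the ordinary hosts-file comment syntax).
is_sinkholed() {
    awk -v h="$2" '
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) {
                if ($i == "#" || substr($i, 1, 1) == "#") break
                if ($i == h) found = 1
            }
        }
        END { exit !found }' "$1"
}

# Usage: sh sinkhole.sh /etc/hosts hotmail.com other.example
if [ $# -ge 2 ]; then
    sinkhole_domains "$@"
fi
```

Because glibc consults /etc/hosts before DNS (the usual `files dns` order in nsswitch.conf), this blocks the names for local processes only; a client elsewhere on the LAN still resolves hotmail.com normally, and a service that pins its own resolver or connects by IP is unaffected either way.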
 