LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-10-2009, 09:47 PM   #1
linuxlrnr
LQ Newbie
 
Registered: Dec 2009
Posts: 2

Rep: Reputation: 0
Bug / problem with iptables v 1.4.1.1


Hi,

I am using Ubuntu 9.0.4,
kernel version 2.6.28-16-generic.
I gave an iptables command

iptables -A INPUT -m string --hex-string "|66 61 63 65 62 6f 6f 6b|" --algo bm -j DROP

The string means facebook, and this blocks access to facebook.com.
It also blocks downloading of a file containing the word facebook, where the file contents are:

this file should not get downloaded. It has facebook.


Output of iptables -nL is following

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 STRING match "facebook" ALGO name bm TO 65535

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



But if I go to google.com and search for facebook, it returns the results and is not blocking the contents having the keyword "facebook", where the string starts with a small f.

Why is the firewall not blocking the contents/packets containing the keyword?

Thanks for your willingness to help and replies in advance.

regards,

linuxlrnr
 
Old 12-11-2009, 02:41 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599
Using string match to block emerging worm threads on the fly, when you do not run an IDS, would be a useful example. Using it to block access to websites is a bad example because iptables string matches are expensive, allow for circumvention and as such do not completely match your purpose. Why not use a filtering proxy instead?
 
Old 12-11-2009, 05:42 AM   #3
linuxlrnr
LQ Newbie
 
Registered: Dec 2009
Posts: 2

Original Poster
Rep: Reputation: 0
Hi unSpawn,

Thanks for your answer explaining use of iptables.
In fact, I wrote a program to catch worm patterns and am using iptables to block the specific pattern.

In my case, during the demo I am using a small pattern size (8 bytes) as a worm, and the facebook pattern is one of the patterns (random selection, for demo purposes, no big thought on selection) that is to be considered a worm (again for demo purposes). So my program is generating an iptables rule for that pattern, and I expected iptables pattern matching to work fine, but in the demo it did not work the way it should.

The firewall rule blocks search in

m.www.yahoo.com - yahoo home page
altavista.com
www.wikipedia.org

it blocks even facebook.com

but, it does not block search in

search.yahoo.com
google.com
bing.com
ask.com
...

My point is: should it not block the pattern it is set to block?
In spite of my purpose being catching worms only, I am more concerned about the functioning of iptables.

I will appreciate it if you can explain to me why it did not block some pages while it blocked the others.

Thanks for your previous reply.

linuxlrnr
 
Old 12-11-2009, 06:31 AM   #4
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
Interesting, I think I will also listen for the reply.
I was also wondering: what if I enter not "facebook" but "fAcebook"? Will that rule still block it? =) Or will you try all letters in all cases?
 
Old 12-11-2009, 10:53 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599
Matches like '/sbin/iptables -t raw -I PREROUTING 1 -m string --algo bm --hex-string "|68 74 74 70 3a 2f 2f|" -j LOG --log-prefix "string_http "' work OK for me. iptables 1.3.5 (-5.3.el5_4.1) here though. You could test different major iptables versions or get on the netfilter mailing list.


Quote:
Originally Posted by linuxlrnr
I wrote a program to catch worm patterns and am using iptables to block the specific pattern
Not to keep you from reinventing the wheel or so but have you ever looked at fwsnort or L7 or distributions that ship them as part of their default setup?
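The mixed results in this thread (facebook.com blocked, Google results not, and the open question about "fAcebook") all follow from how the netfilter string match inspects traffic. The following is an added example, not code from the thread, from netfilter or from iptables: a small Python model of an `-m string` rule. It assumes three properties of xt_string that hold as documented: the search runs over the payload of one packet at a time within the `--from`/`--to` byte window (default 0 to 65535), there is no TCP stream reassembly or decompression, and case folding happens only when the rule asks for it (newer xt_string builds accept `--icase`; check `iptables -m string --help` on the box). All function names and the three sample HTTP replies are constructed for this example. It goes beyond the thread's single case by reproducing three separate reasons a packet-level string rule can pass content that contains the word: the pattern straddling a segment boundary, a gzip-encoded body, and a case mismatch.

```python
"""How an iptables ``-m string`` rule actually sees traffic.

Added example; not code from the thread, from netfilter or from iptables.
xt_string runs its search (``--algo bm`` in the thread's rule) over the
payload of ONE packet at a time, within the byte window ``--from``..``--to``
(default 0..65535). There is no TCP stream reassembly, no decompression and,
without ``--icase``, no case folding. The helpers below model that with a
plain byte search so the thread's results can be reproduced offline on
constructed data. Function names and sample replies are assumptions of this
example, not netfilter APIs.
"""
import gzip

PATTERN = b"facebook"


def to_hex_string(pattern: bytes) -> str:
    """Render bytes the way the thread's rule writes them: --hex-string "|66 61 ...|"."""
    return "|" + " ".join(f"{b:02x}" for b in pattern) + "|"


def packet_matches(payload: bytes, pattern: bytes, icase: bool = False,
                   frm: int = 0, to: int = 65535) -> bool:
    """Decision for ONE packet, the way -m string --from/--to [--icase] makes it."""
    window = payload[frm:to]
    if icase:  # case folding only when the rule asks for it (--icase)
        return pattern.lower() in window.lower()
    return pattern in window


def segment(stream: bytes, mss: int) -> list:
    """Cut a reply into TCP-sized payloads; the firewall inspects each one alone."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def rule_would_drop(stream: bytes, pattern: bytes, mss: int = 1460,
                    icase: bool = False) -> bool:
    """True if ANY single segment matches; the rule never sees the joined stream."""
    return any(packet_matches(seg, pattern, icase) for seg in segment(stream, mss))


# Constructed sample replies (not captures from any of the sites in the thread).
PLAIN_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
               b"this file should not get downloaded. It has facebook.")
GZIP_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"
              + gzip.compress(b"<html>search results for facebook ...</html>"))
MIXED_CASE_REPLY = b"HTTP/1.1 200 OK\r\n\r\n<html>fAcebook</html>"


def demo() -> dict:
    """Each entry: would the thread's DROP rule fire on this reply?"""
    # mss chosen so the first segment ends in "face" and the next starts with "book"
    split_point = PLAIN_REPLY.index(PATTERN) + 4
    return {
        "plain text, pattern inside one packet":
            rule_would_drop(PLAIN_REPLY, PATTERN),
        "plain text, pattern straddles two packets":
            rule_would_drop(PLAIN_REPLY, PATTERN, mss=split_point),
        "gzip-compressed body":
            rule_would_drop(GZIP_REPLY, PATTERN),
        "mixed case, default rule":
            rule_would_drop(MIXED_CASE_REPLY, PATTERN),
        "mixed case, --icase":
            rule_would_drop(MIXED_CASE_REPLY, PATTERN, icase=True),
    }


if __name__ == "__main__":
    print("rule literal:", to_hex_string(PATTERN))
    for case, dropped in demo().items():
        print(f"{'DROP  ' if dropped else 'ACCEPT'}  {case}")
```

Only the first case fires. A reply that the server compresses, or one whose pattern happens to be split between two segments, never presents the literal bytes `66 61 63 65 62 6f 6f 6b` to any single packet check, and the default rule is byte-exact, so "fAcebook" passes unless `--icase` is present. The practical takeaway matches unSpawn's advice: treat a string rule as a quick per-packet filter, confirm what it sees with a `-j LOG` rule before trusting a DROP, and use a proxy or an IDS where the content needs to be inspected as a stream.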
All times are GMT -5.