Hello Linux masters..

I have a big problem regarding IPTABLES -m string --hex-string. I guess this is just little to you guys..

I have an application using an specific port and accessible via internet. My OS is Oracle Linux 6.5 x64 and my iptables version is 1.4.7..

iptables -A INPUT -p tcp --dport 15998 -m string --hex-string '|e2b70e0000000000|' --algo bm -j DROP

The above command is not working I can still send a packet containing that hex code.

I just want to drop the packet if that hex-string mention is there in that position (it always in that position)..

Not a master, but learning. I wasn't aware that netfilter supported pattern matching. Thanks!

A few guesses:

• you say you can still "send a packet". If you want to filter outgoing packets, you need to use the OUTPUT chain, not INPUT.
• After "iptables -A", the rule is the last one in the chain. Could there be an earlier rule that ACCEPTs the packet?
• your hex-string is wrong.

Have you tried logging? Add a rule with -j LOG to the beginning of the chain (use "iptables -I"); if the packet matches this rule, it will be written to the system log. There are a few options to modify the log string; see the man page.

What I mean about "still can send a packet" is I am testing to send that bad packets to my server to see if the rule is really dropping it..
Yes there is but when I try the remove that first ACCEPT, still not dropping a packet with that hex data..
If its wrong what would be the right thing?

http://oi58.tinypic.com/2igcg76.jpg

Perhaps a big/little-endian problem, I thought, so I tried it out myself. I added this rule at the beginning of INPUT:

and used a simple network client program that I had lying around to send exactly this string to port 22. Result: The following line in /var/log/messages:

So it seems to work. You must be missing something, perhaps wrong port or other mistakes; the log facility should help you understand what's happening.