Quote:
Originally Posted by PX2000
What I mean by "still can send a packet" is that I am sending those bad packets to my server to see if the rule is really dropping them.
Yes, there is, but when I try to remove that first ACCEPT, it is still not dropping a packet with that hex data.
If it's wrong, what would be the right thing?
http://oi58.tinypic.com/2igcg76.jpg
Perhaps a big/little-endian problem, I thought, so I tried it out myself. I added this rule at the beginning of INPUT:
Code:
iptables -I INPUT 1 -p tcp -m string --hex-string "|e2b70e0000000000|" --algo bm --to 65535 -j LOG --log-prefix "e2b70e0000000000 - "
and used a simple network client program that I had lying around to send exactly this string to port 22. Result: The following line in /var/log/messages:
Code:
Apr 11 16:39:46 controlcentos kernel: e2b70e0000000000 - IN=eth0 OUT= MAC=08:00:27:40:66:54:0a:00:27:00:00:00:08:00 SRC=192.168.0.254 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61991 DF PROTO=TCP SPT=54208 DPT=22 WINDOW=115 RES=0x00 ACK PSH URGP=0
So it seems to work. You must be missing something, perhaps a wrong port or some other mistake; the log facility should help you understand what's happening.
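An added example, not code from the thread, that mirrors the two checks in this reply: a parser for iptables `--hex-string` syntax, so you can confirm which bytes the rule actually matches and how the `--from`/`--to` window applies, and a parser for the kernel LOG line, so hits for a given `--log-prefix` can be pulled out of /var/log/messages. The function names are my own, and the second and third sample log lines are constructed.

```python
def parse_hex_string(pattern: str) -> bytes:
    """iptables --hex-string syntax -> bytes: text outside |...| is literal,
    inside are hex digit pairs (spaces allowed). Own helper, not xt_string code."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in hex-string pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:                         # odd index: inside |...|
            out += bytes.fromhex(part)    # raises ValueError on bad/odd digits
        else:
            out += part.encode("latin-1")
    return bytes(out)

def packet_matches(packet: bytes, pattern: str, frm: int = 0, to: int = 65535) -> bool:
    """Approximate xt_string (--algo bm): substring search in packet[frm:to].
    Caveat: --from/--to offsets count from the IP header, not the TCP payload."""
    return parse_hex_string(pattern) in packet[frm:to]

def parse_log_line(line: str) -> dict:
    """Split a netfilter LOG line into log prefix, key=value fields and bare flags."""
    head, sep, rest = line.partition(" IN=")
    if not sep:
        raise ValueError("not a netfilter LOG line")
    fields, flags = {}, []
    for tok in ("IN=" + rest).split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            flags.append(key)              # DF, ACK, PSH, ...
    return {"prefix": head.split("kernel:", 1)[-1].strip(),
            "fields": fields, "flags": flags}

def rule_hits(lines, prefix: str):
    """(SRC, DPT) of every LOG line carrying the rule's --log-prefix."""
    recs = (parse_log_line(l) for l in lines if " IN=" in l)
    return [(r["fields"]["SRC"], r["fields"]["DPT"]) for r in recs
            if r["prefix"].startswith(prefix)]

# Constructed sample: the line from the post, a made-up second hit on port 80,
# and an unrelated kernel message that must be ignored.
SAMPLE_LOG = [
    "Apr 11 16:39:46 controlcentos kernel: e2b70e0000000000 - IN=eth0 OUT= "
    "MAC=08:00:27:40:66:54:0a:00:27:00:00:00:08:00 SRC=192.168.0.254 "
    "DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61991 DF PROTO=TCP "
    "SPT=54208 DPT=22 WINDOW=115 RES=0x00 ACK PSH URGP=0",
    "Apr 11 16:40:02 controlcentos kernel: e2b70e0000000000 - IN=eth0 OUT= "
    "SRC=192.168.0.77 DST=192.168.0.100 LEN=60 PROTO=TCP SPT=40001 DPT=80 ACK PSH URGP=0",
    "Apr 11 16:40:05 controlcentos kernel: e1000: eth0 NIC Link is Up",
]
```

Running `rule_hits(SAMPLE_LOG, "e2b70e0000000000")` on a real /var/log/messages tells you whether the LOG rule fired at all before you start questioning the DROP rule below it.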