LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-10-2014, 05:00 PM   #1
PX2000
LQ Newbie
 
Registered: Apr 2014
Posts: 2

Rep: Reputation: Disabled
IPTables accurate hex-string


Hello Linux masters..

I have a big problem regarding IPTABLES -m string --hex-string. I guess this is just a little thing to you guys.

I have an application using a specific port and accessible via the internet. My OS is Oracle Linux 6.5 x64 and my iptables version is 1.4.7.

iptables -A INPUT -p tcp --dport 15998 -m string --hex-string '|e2b70e0000000000|' --algo bm -j DROP

The above command is not working; I can still send a packet containing that hex code.

I just want to drop the packet if the hex string mentioned is there in that position (it is always in that position).

Last edited by unSpawn; 04-10-2014 at 07:17 PM. Reason: //Removed i58.tinypic.com/2igcg76.jpg can't find it anyway.
 
Old 04-10-2014, 11:00 PM   #2
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: Redhat/Centos, Ubuntu, Raspbian, Fedora
Posts: 2,043

Rep: Reputation: 435
Quote:
Originally Posted by PX2000
Hello Linux masters..

I have a big problem regarding IPTABLES -m string --hex-string. I guess this is just a little thing to you guys.
Not a master, but learning. I wasn't aware that netfilter supported pattern matching. Thanks!

Quote:
iptables -A INPUT -p tcp --dport 15998 -m string --hex-string '|e2b70e0000000000|' --algo bm -j DROP

The above command is not working; I can still send a packet containing that hex code.
A few guesses:
  • you say you can still "send a packet". If you want to filter outgoing packets, you need to use the OUTPUT chain, not INPUT.
  • After "iptables -A", the rule is the last one in the chain. Could there be an earlier rule that ACCEPTs the packet?
  • your hex-string is wrong.

Have you tried logging? Add a rule with -j LOG to the beginning of the chain (use "iptables -I"); if the packet matches this rule, it will be written to the system log. There are a few options to modify the log string; see the man page.
 
Old 04-11-2014, 01:51 AM   #3
PX2000
LQ Newbie
 
Registered: Apr 2014
Posts: 2

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by berndbausch
  • you say you can still "send a packet". If you want to filter outgoing packets, you need to use the OUTPUT chain, not INPUT.
  • After "iptables -A", the rule is the last one in the chain. Could there be an earlier rule that ACCEPTs the packet?
  • your hex-string is wrong.
What I mean by "still can send a packet" is that I am testing by sending those bad packets to my server to see if the rule is really dropping them.
Yes, there is, but when I try removing that first ACCEPT, it is still not dropping a packet with that hex data.
If it's wrong, what would be the right thing?

http://oi58.tinypic.com/2igcg76.jpg
 
Old 04-11-2014, 10:52 PM   #4
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: Redhat/Centos, Ubuntu, Raspbian, Fedora
Posts: 2,043

Rep: Reputation: 435
Quote:
Originally Posted by PX2000
What I mean by "still can send a packet" is that I am testing by sending those bad packets to my server to see if the rule is really dropping them.
Yes, there is, but when I try removing that first ACCEPT, it is still not dropping a packet with that hex data.
If it's wrong, what would be the right thing?

http://oi58.tinypic.com/2igcg76.jpg
Perhaps a big/little-endian problem, I thought, so I tried it out myself. I added this rule at the beginning of INPUT:

Code:
iptables -I INPUT 1 -p tcp -m string --hex-string "|e2b70e0000000000|" --algo bm --to 65535 -j LOG --log-prefix "e2b70e0000000000 - "
and used a simple network client program that I had lying around to send exactly this string to port 22. Result: The following line in /var/log/messages:

Code:
Apr 11 16:39:46 controlcentos kernel: e2b70e0000000000 - IN=eth0 OUT= MAC=08:00:27:40:66:54:0a:00:27:00:00:00:08:00 SRC=192.168.0.254 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61991 DF PROTO=TCP SPT=54208 DPT=22 WINDOW=115 RES=0x00 ACK PSH URGP=0
So it seems to work. You must be missing something, perhaps a wrong port or another mistake; the log facility should help you understand what's happening.

Last edited by berndbausch; 04-11-2014 at 10:53 PM. Reason: typo
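To make the behaviour berndbausch's LOG rule relies on concrete, here is an added Python example that is not part of the thread: it decodes an `--hex-string` argument (generalised to the mixed literal/hex form such as `GET |0d 0a|`), models the `--from`/`--to` window of the string match, and parses the kernel LOG line from post #4 into fields. It assumes the pattern must lie entirely inside the scanned window and that offsets count from the start of the IP header; the test packet is constructed.

```python
import re

def parse_hex_string(spec):
    """Decode an iptables '-m string --hex-string' argument into bytes.
    Text between '|' delimiters is hex (spaces allowed), text outside is
    literal, e.g. 'GET |0d 0a|' -> b'GET \\r\\n'."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in hex-string")
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)

def string_match(packet, pattern, frm=0, to=None):
    """Model of xt_string (assumption): True if the pattern lies entirely
    inside the scanned window [frm, to). Offsets count from the start of
    the IP header, not from the TCP payload, so a payload-relative offset
    must add the IP and TCP header lengths (40 without options)."""
    if to is None:
        to = len(packet)   # iptables default: scan to the end of the packet
    return pattern in packet[frm:to]

NFLOG_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=")

def parse_nflog_line(line):
    """Parse a netfilter LOG line into (log prefix, {field: value}).
    Flag tokens without '=' (DF, ACK, PSH, ...) are stored as True."""
    m = NFLOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in line[m.end("prefix"):].split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True
    return m.group("prefix").rstrip(), fields

PATTERN = parse_hex_string("|e2b70e0000000000|")
# Constructed test packet: 40 zero bytes stand in for IPv4 + TCP headers,
# then the payload the thread is filtering on.
PACKET = bytes(40) + PATTERN + b"trailing data"
# Log line copied from post #4 above.
SAMPLE_LOG = ("Apr 11 16:39:46 controlcentos kernel: e2b70e0000000000 - IN=eth0 "
              "OUT= MAC=08:00:27:40:66:54:0a:00:27:00:00:00:08:00 "
              "SRC=192.168.0.254 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 "
              "TTL=64 ID=61991 DF PROTO=TCP SPT=54208 DPT=22 WINDOW=115 "
              "RES=0x00 ACK PSH URGP=0")
```

With the default window the pattern matches; with `to=45` the 8-byte pattern no longer fits in the window, which is the kind of silent non-match a too-tight `--to` produces.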
 