iptables string match
 

i have a linux box which i use as a gateway/router firewall for other PC's on my LAN. I tried setting the following iptable rule

iptables -A FORWARD -p tcp --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset

then using a puter on my LAN I google cmd.exe and opened a site ...page loaded in my browser...shoot no luck!!

so again..

iptables -A INPUT -p tcp --dport 80 -m string --string "cmd.exe" -j DROP

again page loaded successfully

so..

iptables -I INPUT 1 -m string --string "cmd.exe" -j DROP (this had got to work!!!)

whoopee worked like a charm

anyone know why the first 2 rules didnt work???

oh and btw ....-m string --string "KazaaClient" doesnt work...dammit....anyone used p2pwall before??

It would depend on the other rules. For instance if you have a rule that allows ESTABLISHED, RELATED (which is very common) and it is before the string match and it is set to ACCEPT then the packet would probably not hit the string rule. Because the google search was initiated by you so it became an ESTABLISHED connection and the page was loaded.

Thats my guess.

I've never used Kazaa.

You had the destination port in the rule for the INPUT not the source. As the data is coming from the other ends port 80 it is actually a source. If it where being requested from your computer then it would be a destination.

Got the convolluted picture?

only rule i have preceeding this is to DROP all connections (to make this a mostly closed rule) and to log all SYN, FIN, ACK, RST and NULL packets before dropping

will try to change --dport to --sport and see if it works