Is it possible to block text strings with IP tables?

abefroman · 06-07-2005, 10:00 PM

If I want to block all tcp packets which contain the string "hotmail.com" can I do that with IP tables?

Will something like this work?
iptables -I INPUT -j DROP -p tcp -m string --string "hotmail.com" -i eth0 -j

Matir · 06-07-2005, 10:24 PM

No, you cannot, plain and simple.

abefroman · 06-08-2005, 07:40 AM

It appears this firewall blocks strings with iptables:
http://www.infosecwriters.com/text_r...et/rc.firewall

How are they able to do it?

Capt_Caveman · 06-08-2005, 09:38 AM

http://www.netfilter.org/patch-o-mat...m-extra-string

There's actually a comment in the firewall that describes it: " DDoS_Prevent is experimental and requires "CONFIG_IP_NF_MATCH_STRING" as a module in your kernel. For more info check http://www.securityfocus.com/infocus/1531 "

The link describes the string match and POM in more detail.

Matir · 06-08-2005, 11:32 AM

Oops, I stand corrected. I was not aware of the experimental module. I would like to point out that if the contents of a page gets split over multiple packets, that could interfere with this matching.

abefroman · 06-19-2005, 12:39 PM

I have installed iptables version 1.31 and the latest kernel, but I do not see this option:
CONFIG_IP_NF_MATCH_STRING

bubba:/usr/src/linux # cat .config | grep MATCH_STRING
bubba:/usr/src/linux # cat .config | grep STRING
CONFIG_IPMI_PANIC_STRING=y

How do I get that option to apprear in my kernel?

win32sux · 06-19-2005, 12:51 PM

by applying the string match patch maybe??

abefroman · 06-19-2005, 12:57 PM

I installed patch-o-matic, it didnt seem to install the string match patch though, do you know where I get the string match patch ?

676 cd patch-o-matic-ng-20050618/
677 ls
678 less README
679 cat README
680 KERNEL_DIR=/usr/src/linux IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme pending

win32sux · 06-19-2005, 01:04 PM

AFAIK you wanna do a "./runme extra" and NOT a "./runme pending"...

abefroman · 06-19-2005, 01:12 PM

I tried extra, it doesnt prompt me for the string package. Got any tips?

It goes:
...........

Testing rtsp-conntrack... not applied
The rtsp-conntrack patch:

Testing sip-conntrack-nat... not applied
The sip-conntrack-nat patch:

Testing talk-conntrack-nat... not applied
The talk-conntrack-nat patch:

.........

According to this page:
http://www.netfilter.org/patch-o-matic/pom-extra.html
the CONFIG_IP_NF_MATCH_STRING should come inbetween rtsp-conntrack patch and talk-conntrack-nat patch but its not sip-conntrack-nat patch

Does anyone else get this?

RandomLinuxNewb · 06-19-2005, 06:34 PM

You could always setup a dns server on your network and then setup a zone for hotmail.com that points back to localhost or .

win32sux · 06-19-2005, 07:16 PM

wait, you are doing this string match thing just to block hotmail??

abefroman · 06-19-2005, 09:26 PM

And other things.

scuzzman · 06-20-2005, 05:48 AM

In the servers /etc/hosts file, just point hotmail.com (and any other domains) to 127.0.0.1

jonlake · 06-20-2005, 11:04 AM

Why don't you just block the IP address of www.hotmail.com