LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

06-24-2008, 04:26 PM   #1
bobbera (Member, registered Jun 2007)
String filtering using IPTABLES


Hi all.

I have a Tomcat web server behind a firewall (iptables) and I need to permit external clients to post only a specific string and get a reply from the web server ("demo", for example). Other stuff should be declined by iptables.

First I took care of the port forwarding: all web traffic to my external-interface:8001 is forwarded to internal:8001, and everything works OK; clients can get a web reply from the internal Tomcat server. Then I tried to allow only specific string requests by adding the following command:


iptables -A FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string ! --string "demo" --algo bm

It should do the job, but it doesn't; external clients can still post any string in the URL path:

http://10.10.1.1:8001/bla-bla, etc.

My default FORWARD policy is set to ACCEPT .

Looks like the inverse (!) operator has no effect on the traffic.

Any ideas?
Thanks.
 
06-24-2008, 04:40 PM   #2
jomen (Senior Member, registered May 2004, Leipzig/Germany, Arch)
I consulted the man page for iptables.
It says:
Quote:
--string pattern
Matches the given pattern...
It says nothing about the use of "!" to achieve the opposite result.
This inverse "!" match is not available, I'd say.

I'd rewrite the rule to match the string to be allowed, and drop everything else afterwards, if this is what you intended.
 
06-25-2008, 02:22 AM   #3
bobbera (Original Poster)
Hi jomen.

I had the same idea, more or less: putting the allowed string first in a rule and closing off other stuff. But what would the second rule be? I played with the default FORWARD policy, but with no success.

When I implement the following solution it blocks all the traffic:

iptables -A FORWARD -j ACCEPT -p tcp -m string --string "scp" --algo bm
iptables -A FORWARD -j DROP

About "!": check the following command: iptables -m string --help
Among other things it says: --string [!] string   Match a string in a packet

Thanks man.
 
06-25-2008, 03:13 AM   #4
jomen (Senior Member)
I think you should add
--source-port or --destination-port
-s x.x.x.x/x
As it is now, you are dropping everything on any port with proto tcp not containing the string.

And yes you are right:
--string [!] string should work; it is just not explicitly in the man page. The help says otherwise and should be correct.
Your first example should do what you want unless the options need to be in a certain order.

I have always written the rules so that the target (-j) was last in line - I'm not sure if it has to be like that.
I find it easier to read.
In all the examples I ever saw it was done like that.
So maybe this will help, though it seems like black magic.
 
06-25-2008, 05:37 AM   #5
bobbera (Original Poster)
That is exactly what I'd like to have: "As it is now, you are dropping everything on any port with proto tcp not containing the string", if I understand you correctly.

I want to drop all packets that do not contain the "scp" string:

ALLOW my string:

1. iptables -A FORWARD -p tcp -m string --string "scp" --algo bm -j ACCEPT

and DROP all other stuff:

2. either iptables -A FORWARD -p tcp -m string ! --string "scp" --algo bm -j REJECT

or iptables -A FORWARD -j DROP

do not provide a solution.

regards
 
06-25-2008, 08:27 AM   #6
bobbera (Original Poster)
Looks like the solution is found:


1. iptables first examines all TCP packets and only afterwards looks for matching strings. That is why

iptables -A FORWARD -p tcp --dport 8001 -j DROP blocked all the stuff.

2. String filtering takes into consideration ALL, absolutely ALL, traffic. That is why the command

iptables -A FORWARD -p tcp -m string ! --string "scp" --algo bm --to 65535 -j DROP

did not work, since it does not distinguish between data (URL) and TCP service packets.

Here is what works:

iptables -A FORWARD -p tcp -m tcp --tcp-flags PSH PSH -m string --string ! "scp" --algo bm --to 65535 -j LOG --log-prefix "NOT SCP:8001--" --log-level 6
iptables -A FORWARD -p tcp -m tcp --tcp-flags PSH PSH -m string --string ! "scp" --algo bm --to 65535 -j DROP
 
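Editor's note, added after the thread: the following is a small packet-by-packet model of the three rule sets posted above. It is an added illustration, not code from the thread and not netfilter's own implementation; the packet flows, the rule chains and the names `Packet`, `Rule`, `run`, `client_flow`, `flow_passes` and `POST*_CHAIN` are the example's own, constructed for it. What it shows is why posts #1 and #3 stalled every connection and why the `--tcp-flags PSH PSH` qualifier in post #6 lets the connection come up: `-m string` searches only the bytes of the single packet it is handed, so a negated match (`! --string`) succeeds on every packet that carries no payload at all (the SYN, the handshake ACK, the FIN), and dropping those kills the TCP session before any URL is ever sent. The same model shows two limits of the final rule set that a practitioner should know: it is a substring check per segment, not a URL check, so any segment that happens to carry the string anywhere (a request header, a POST body) passes, while a legitimate request whose string straddles two segments is dropped.

```python
"""Packet-by-packet model of the iptables `-m string` rules in this thread.

Added illustration, not code from the thread or from netfilter.  It keeps
the semantics that decide the thread's outcome:

  * `-m string` searches only the bytes of the packet it is handed; it has
    no view of the TCP stream as a whole.
  * `! --string X` therefore *matches* every packet that carries no payload
    (SYN, the bare ACK of the handshake, FIN), because X is not in it.
  * `--tcp-flags PSH PSH` restricts a rule to segments that carry data.

Offsets (--from/--to) and the search algorithm (--algo bm/kmp) do not change
the verdicts modelled here and are left out.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Packet:
    flags: Set[str]          # TCP flags set on the segment, e.g. {"PSH", "ACK"}
    payload: bytes = b""     # TCP payload; empty for handshake/teardown segments


@dataclass
class Rule:
    target: str                           # -j ACCEPT or -j DROP
    string: Optional[bytes] = None        # -m string --string <string>
    negate: bool = False                  # the "!" in front of --string
    tcp_flags: Optional[Set[str]] = None  # --tcp-flags <mask> <comp>, modelled with mask == comp

    def matches(self, pkt: Packet) -> bool:
        # Every match extension on the rule must agree, as in iptables.
        if self.tcp_flags is not None and not self.tcp_flags <= pkt.flags:
            return False
        if self.string is not None:
            found = self.string in pkt.payload   # substring search in this packet only
            if found == self.negate:             # "!" inverts the result of the search
                return False
        return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def run(chain: List[Rule], flow: List[Packet], policy: str = "ACCEPT") -> List[str]:
    return [verdict(chain, pkt, policy) for pkt in flow]


def flow_passes(chain: List[Rule], flow: List[Packet], policy: str = "ACCEPT") -> bool:
    """True only if every packet is accepted.  One dropped SYN means no
    connection at all; one dropped data segment means the request never
    reaches Tomcat (the client retransmits it, then gives up)."""
    return all(v == "ACCEPT" for v in run(chain, flow, policy))


def client_flow(*data_segments: bytes) -> List[Packet]:
    """Constructed client->server side of one HTTP request as FORWARD sees it:
    SYN, handshake ACK, the data segments, FIN.  (The server's SYN/ACK is
    forwarded too and is just as payload-less, so it gets the same verdict.)"""
    pkts = [Packet({"SYN"}), Packet({"ACK"})]
    pkts += [Packet({"PSH", "ACK"}, seg) for seg in data_segments]
    pkts.append(Packet({"FIN", "ACK"}))
    return pkts


# The three rule sets from the thread (FORWARD policy ACCEPT, as stated in post #1).
POST1_CHAIN = [Rule("DROP", string=b"demo", negate=True)]                    # -m string ! --string "demo" -j DROP
POST3_CHAIN = [Rule("ACCEPT", string=b"scp"), Rule("DROP")]                  # ACCEPT "scp", then DROP everything
POST6_CHAIN = [Rule("DROP", string=b"scp", negate=True, tcp_flags={"PSH"})]  # negated match on PSH segments only

if __name__ == "__main__":
    cases = {
        "demo request, post #1":      (POST1_CHAIN, client_flow(b"GET /demo HTTP/1.1\r\n\r\n")),
        "scp request, post #3":       (POST3_CHAIN, client_flow(b"GET /scp HTTP/1.1\r\n\r\n")),
        "scp request, post #6":       (POST6_CHAIN, client_flow(b"GET /scp HTTP/1.1\r\n\r\n")),
        "bla-bla request, post #6":   (POST6_CHAIN, client_flow(b"GET /bla-bla HTTP/1.1\r\n\r\n")),
        "bypass via header, post #6": (POST6_CHAIN, client_flow(b"GET /bla-bla HTTP/1.1\r\nX-Tag: scp\r\n\r\n")),
        "scp split in 2 segs, #6":    (POST6_CHAIN, client_flow(b"GET /s", b"cp HTTP/1.1\r\n\r\n")),
    }
    for name, (chain, flow) in cases.items():
        print(f"{name:28} {run(chain, flow)}  passes={flow_passes(chain, flow)}")
```

Running it shows the handshake packets dropped under the post #1 and post #3 chains, everything accepted under the post #6 chain for a request containing "scp", the "bla-bla" request dropped there, and also the two weak spots: a "bla-bla" request that carries "scp" in a header is accepted, and a genuine "/scp" request split across two segments is dropped. For a real URL whitelist, enforce it in a reverse proxy or in Tomcat itself; `-m string` is at best a coarse backstop, and as post #4 says, the rule should at least carry `--dport 8001` so it does not inspect every forwarded TCP segment.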