03-30-2009, 10:16 PM
|
#1
|
LQ Newbie
Registered: Feb 2006
Posts: 6
Rep:
|
Blocking UDP packet
I want to deny a particular malicious UDP packet. I can readily identify this packet from the rest by looking at the data section, where data offset 2 is 0xaa, data[5] is 0xbb, etc. Are there any tools or code samples that can do this?
Basically, instead of seeing the packet in the following tcpdump, I want to block it. I started to write a proxy but realized I would need to keep sessions and that's a nightmare. Is there an easier way to do this? The firewalls I've seen only block based on port, not on data payload.
tcpdump -i eth1 udp[2:1] = 0xaa and udp[5:2] = 0xbbcc
|
|
|
04-01-2009, 03:46 AM
|
#2
|
Member
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806
Rep:
|
Not all firewalls are just based on port and stuff; iptables can match by strings. Take a look at the man page or run the command
Code:
iptables -m string -h
|
|
|
04-01-2009, 02:42 PM
|
#3
|
LQ Newbie
Registered: Feb 2006
Posts: 6
Original Poster
Rep:
|
Quote:
Originally Posted by datopdog
Not all firewalls are just based on port and stuff; iptables can match by strings. Take a look at the man page or run the command
Code:
iptables -m string -h
|
Yeah, I finally found a way to do it in iptables, although it's not often documented.
iptables -m string --hex-string "|aabb|" --from <byte> --to <byte> --algo bm
or
iptables -m u32 --u32 "Start&Mask=Range"
And that's working great for me. Is there anything similar on the Windows platform?
|
|
|
04-08-2009, 05:07 AM
|
#4
|
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
|
From man:/iptables:
Quote:
u32
U32 allows you to extract quantities of up to 4 bytes from a packet, AND them with specified masks, shift them by specified amounts and test whether the results are in any of a set of specified ranges. The specification of what to extract is general enough to skip over headers with lengths stored in the packet, as in IP or TCP header lengths.
(Please note: This match requires kernel support that might not be available in official Linux kernel sources or Debian's packaged Linux kernel sources. And if support for this match is available for the specific Linux kernel source version, that support might not be enabled in the current Linux kernel binary.)
Details and examples are in the kernel module source.
|
N.B. the underlined note -- this may not be available to all readers.
No thread on iptables would be complete w/o links to
Oskar Andreasson's (<oan@frozentux.net>) Iptables Tutorial found at: http://iptables-tutorial.frozentux.net/
There is an unnumbered "pretty" version at linuxtopia.org.
|
|
|
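Added example (not from any poster in this thread): a shell helper that builds the `--u32` expression for the bytes described in the first post, generalized to any payload field of 1 to 4 bytes. It assumes the offsets count from the first UDP payload byte (tcpdump's `udp[n]` counts from the start of the UDP header, so payload byte n is `udp[8+n]`); the `INPUT` chain and `DROP` target are also assumptions, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: build an iptables u32 expression for fixed bytes in a UDP payload.
# Assumption: offsets count from the first payload byte, i.e. 8 bytes past the
# start of the UDP header.

TO_UDP='0>>22&0x3C@'   # IP header length (IHL*4) becomes the base for what follows

# u32_field OFFSET LEN VALUE: one u32 test for a LEN-byte (1-4) payload field.
# u32 always reads 4 bytes, so the read is placed to END on the field's last
# byte and the mask keeps the low LEN bytes. The read then never needs bytes
# beyond the field, so a packet that ends right after the field is still tested.
u32_field() {
    [ "$2" -ge 1 ] && [ "$2" -le 4 ] || return 1
    loc=$(( 8 + $1 + $2 - 4 ))
    mask=$(( (1 << (8 * $2)) - 1 ))
    val=$(( $3 ))
    [ $(( val & ~mask )) -eq 0 ] || return 1      # value must fit in LEN bytes
    printf '%s%d&0x%X=0x%X' "$TO_UDP" "$loc" "$mask" "$val"
}

# u32_expr OFF:LEN:VALUE ...: AND the field tests together. Every test starts
# again from the IP header, so each one carries its own TO_UDP prefix.
u32_expr() {
    out='4&0x1FFF=0'   # fragment offset 0: a UDP header follows the IP header
    for spec in "$@"; do
        rest=${spec#*:}
        t=$(u32_field "${spec%%:*}" "${rest%%:*}" "${rest#*:}") || return 1
        out="$out&&$t"
    done
    printf '%s' "$out"
}

# Bytes from the first post: payload[2] = 0xaa, payload[5..6] = 0xbbcc.
# INPUT and DROP are assumptions; eth1 is the interface in the tcpdump line.
drop_rule() {
    printf 'iptables -A INPUT -i eth1 -p udp -m u32 --u32 "%s" -j DROP\n' \
        "$(u32_expr 2:1:0xaa 5:2:0xbbcc)"
}

drop_rule   # prints the rule for review instead of installing it
```

The printed command needs root and a kernel with the u32 match available, as the man page excerpt in post #4 points out.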