
Does anyone know if it is possible to use only one rule to drop any UDP packet that contains fixed characters followed by any number between 13 and 90? I tried string, hex-string, and had a look at u32, but the offset inside the packet can be anything between 150-300... my understanding is that I can't do it if I don't have a specific one. No luck on setting numbers. At one point I just wanted to drop anything that contains two digits or two characters after that sequence.

iptables -I FORWARD -p udp --dport 3388:3389 -m string --string 'ichannel":-[1-8][0-9]' --algo bm -j DROP

This rule won't match anything. ichannel":- is the fixed text followed by 1, 2 or 3 numbers.

Any help is greatly appreciated. Thank you!

crixu
  • for the numbers some kind of regex could be used, like a ? or * – djdomi Apr 22 '23 at 19:44
  • With the limited scope of 2 numbers you could do a [loop unrolling](https://en.wikipedia.org/wiki/Loop_unrolling) and do ~ 80 string searches. With some optimization the worst number of tests could be shortened somewhat (~ 8+10 instead of ~ 8x10). Else you can filter traffic in userland with NFQUEUE but this requires creating such userland filter. Being exhaustive requires to test ten times more (a total of ~ 800 but possibly only 8+10+10 runtime done): to verify that for each 2 digits match, there's not a 3rd. – A.B Apr 23 '23 at 10:18
  • @djdomi no regex, I've tried but I don't have the module and can't install it; however, I've read that it isn't the best option resource-wise. Thanks for the suggestion. – crixu Apr 23 '23 at 17:15
  • @A.B I had a look at the loop but it is too much over my understanding. I need one line or a reduced number of lines because it is annoying having over 80 lines and I have to scroll, re-scroll, etc. Thanks! – crixu Apr 23 '23 at 17:18
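As an added example, not code from the question or its commenters: a POSIX sh generator for the unrolled approach A.B describes, so the ~80 rules are produced by a script instead of being typed and scrolled through. It emits an iptables-restore fragment with one dispatch chain per tens digit and, because a string match for `ichannel":-13` would also hit `ichannel":-130`, a RETURN rule for each possible third digit ahead of every DROP; `would_drop` models the same decision in plain shell so the logic can be checked before it touches a firewall. Assumptions: the chain names ICH and ICH_1..ICH_9, and that the fixed text and port range are exactly as posted in the question.

```shell
# Assumed chain names: ICH (dispatch on the tens digit) and ICH_1..ICH_9.
PREFIX='ichannel":-'   # fixed text from the question
LOW=13; HIGH=90        # drop when the number that follows is in [LOW, HIGH]
DIGITS='0 1 2 3 4 5 6 7 8 9'
# iptables-restore only understands double-quoted strings, so escape " and \.
ESC=$(printf '%s' "$PREFIX" | sed 's/["\\]/\\&/g')

in_range() { [ "$1" -ge "$LOW" ] && [ "$1" -le "$HIGH" ]; }
# One xt_string match; --algo bm is what the question's rule already uses.
match() { printf '%s "%s%s"' '-m string --algo bm --string' "$ESC" "$1"; }

# Emit an iptables-restore fragment (filter table) that defines the chains.
gen_rules() {
    echo '*filter'
    echo ':ICH - [0:0]'
    for d in 1 2 3 4 5 6 7 8 9; do echo ":ICH_$d - [0:0]"; done
    for d in 1 2 3 4 5 6 7 8 9; do
        # ICH only dispatches on the tens digit: at most 9 tests per packet here.
        echo "-A ICH $(match "$d") -j ICH_$d"
        for u in $DIGITS; do
            n=$((d * 10 + u))
            in_range "$n" || continue
            # 'ichannel":-13' is also a substring of 'ichannel":-130', so a third
            # digit must leave the chain before the DROP rule for 13 is reached.
            for x in $DIGITS; do echo "-A ICH_$d $(match "$n$x") -j RETURN"; done
            echo "-A ICH_$d $(match "$n") -j DROP"
        done
    done
    echo 'COMMIT'
}

# Pure-shell model of the chains' decision for one payload, to check the logic
# without loading it: returns 0 if the packet would be dropped, 1 otherwise.
would_drop() {
    for d in 1 2 3 4 5 6 7 8 9; do
        case "$1" in *"$PREFIX$d"*)                # -j ICH_$d
            for u in $DIGITS; do
                n=$((d * 10 + u))
                in_range "$n" || continue
                case "$1" in
                    *"$PREFIX$n"[0-9]*) break ;;   # RETURN to ICH
                    *"$PREFIX$n"*) return 0 ;;     # DROP
                esac
            done ;;
        esac
    done
    return 1
}
```

Load the chains with `gen_rules | iptables-restore --noflush`, then the question's one line in FORWARD only needs to jump to them: `iptables -I FORWARD -p udp --dport 3388:3389 -j ICH`. Since the text is said to sit 150-300 bytes into the packet, `--from`/`--to` on each string match can narrow the search window further.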
