
I am trying to write rules to drop any packet, irrespective of whether it is outgoing, incoming or being forwarded, which has a specific substring in the TCP or UDP payload.

How am I supposed to do that?


1 Answer

You'd need a kernel compiled with Netfilter "String match support" enabled.

Then you can

iptables -A INPUT -m string --algo bm --string "test" -j DROP
iptables -A OUTPUT -m string --algo bm --string "test" -j DROP
iptables -A FORWARD -m string --algo bm --string "test" -j DROP

Check the result with

iptables -L
  • Hi, I'm using Ubuntu kernel 2.6.8.11. I'm trying to write some worm filtering utility on the application layer using the libpcap library. I set the above rules, but I am still not able to drop packets. Do I need to install string matching support for iptables, or is it present by default? Is there any way to check it? – Kazoom May 06 '09 at 03:49
  • The iptables command would give an error if the module is not present, like "cannot open shared object file: No such file or directory". You could use a logging rule to see if the packets match the rule, for example: iptables -A INPUT -m string --string "test" -j LOG --log-level info --log-prefix "iptables-string-match" – Andomar May 06 '09 at 10:52
  • iptables -A appends; you may want to use the -I option to insert at the top of the chain or specify a point to insert the rule. Rules are evaluated in order, and in some cases it may not produce the results you're expecting. – can.do Aug 01 '17 at 21:58
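To make the ordering point from the last comment concrete, here is an added model of how a chain evaluates string-match rules top-down (example code written for this page, not part of iptables or the answer). It assumes a simplified chain with a default policy, LOG as a non-terminating target, ACCEPT/DROP as terminating targets, and a Horspool search standing in for `--algo bm`; the payloads are constructed.

```python
# Simplified model of Netfilter rule evaluation for the string match.
# Not the kernel's xt_string code: Horspool search stands in for --algo bm,
# LOG is non-terminating, ACCEPT/DROP end evaluation, policy applies otherwise.

def bm_find(payload: bytes, pattern: bytes) -> bool:
    """Boyer-Moore-Horspool substring search (stand-in for --algo bm)."""
    m, n = len(pattern), len(payload)
    if m == 0 or m > n:
        return m == 0
    skip = {pattern[i]: m - 1 - i for i in range(m - 1)}  # shift by last window byte
    i = 0
    while i <= n - m:
        if payload[i:i + m] == pattern:
            return True
        i += skip.get(payload[i + m - 1], m)
    return False


class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []  # (pattern or None for any packet, target, log prefix)

    def append(self, pattern, target, prefix=""):            # iptables -A
        self.rules.append((pattern, target, prefix))

    def insert(self, pattern, target, prefix="", pos=1):     # iptables -I [pos]
        self.rules.insert(pos - 1, (pattern, target, prefix))

    def evaluate(self, payload: bytes):
        """Return (verdict, log lines): first terminating match wins."""
        logs = []
        for pattern, target, prefix in self.rules:
            if pattern is not None and not bm_find(payload, pattern):
                continue
            if target == "LOG":                              # non-terminating
                logs.append(f"{prefix}matched {pattern!r}")
                continue
            return target, logs
        return self.policy, logs


def demo():
    chain = Chain()
    chain.append(None, "ACCEPT")       # pre-existing catch-all rule (constructed)
    chain.append(b"test", "DROP")      # -A lands below it: never reached
    appended = chain.evaluate(b"GET /test HTTP/1.0")[0]     # "ACCEPT"
    chain.insert(b"test", "LOG", prefix="iptables-string-match ")  # -I ... -j LOG
    chain.insert(b"test", "DROP", pos=2)                    # -I 2 ... -j DROP
    inserted, logs = chain.evaluate(b"GET /test HTTP/1.0")  # "DROP", one log line
    return appended, inserted, logs
```

Appending the DROP below an existing accept-all rule leaves the packet accepted; inserting the LOG and DROP at the top of the chain logs the match and then drops it.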