Hi,

I am trying to write rules to drop any packet, irrespective of whether it is outgoing, incoming or being forwarded, which has a specific substring in the TCP or UDP payload. How am I supposed to do that?

A: 

Not sure this is the right place to be asking questions about systems administration; however, you might find the following helpful.

http://www.securityfocus.com/infocus/1531

Dean Smith
+2  A: 

You'd need a kernel compiled with Netfilter "String match support" enabled.

Then you can

iptables -A INPUT -m string --algo bm --string "test" -j DROP
iptables -A OUTPUT -m string --algo bm --string "test" -j DROP
iptables -A FORWARD -m string --algo bm --string "test" -j DROP

Check the result with

iptables -L
Andomar
Hi, I'm using Ubuntu kernel 2.6.8.11. I'm trying to write a worm-filtering utility at the application layer using the libpcap library. I set the above rules, but I am still not able to drop packets. Do I need to install string matching support for iptables, or is it present by default? Is there any way to check it?
Kazoom
The iptables command would give an error if the module is not present, like "cannot open shared object file: No such file or directory". You could use a logging rule to see if the packets match the rule, for example: iptables -A INPUT -m string --string "test" -j LOG --log-level info --log-prefix "iptables-string-match"
Andomar
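The following script is an added example, not code posted in this thread, that packages the steps above (check that the kernel exposes the string match, add a LOG rule ahead of each DROP so hits are visible while debugging, cover INPUT, OUTPUT and FORWARD for both TCP and UDP). The function names `have_string_match` and `string_filter_rules` and the `IPT` variable are my own; the script assumes an iptables binary with the xt_string match available and `modprobe` on the path. Setting `IPT=echo` prints the rules that would be applied without needing root.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes iptables with the
# xt_string match; IPT can be overridden to preview the rule set
# without root (IPT=echo).
IPT="${IPT:-iptables}"

# Report whether the kernel exposes the "string" match. The list in
# /proc/net/ip_tables_matches only contains matches whose module is
# loaded, so try loading xt_string first. Returns 0 if available, 1 if not.
have_string_match() {
    modprobe xt_string 2>/dev/null || true
    [ -r /proc/net/ip_tables_matches ] && grep -qx string /proc/net/ip_tables_matches
}

# Append LOG-then-DROP rules for one pattern on INPUT, OUTPUT and FORWARD,
# restricted to TCP and UDP. The LOG rule sits in front of the DROP so a
# hit shows up in the kernel log even while you are working out why a
# DROP is not taking effect. Note that xt_string inspects each packet on
# its own: a pattern split across two segments or fragments is not seen.
string_filter_rules() {
    pattern="$1"
    for chain in INPUT OUTPUT FORWARD; do
        for proto in tcp udp; do
            "$IPT" -A "$chain" -p "$proto" -m string --algo bm --string "$pattern" \
                -j LOG --log-level info --log-prefix "string-match: "
            "$IPT" -A "$chain" -p "$proto" -m string --algo bm --string "$pattern" \
                -j DROP
        done
    done
}

# Usage (as root):        sh filter.sh apply test
# Preview without root:   IPT=echo sh filter.sh apply test
if [ "${1:-}" = "apply" ]; then
    have_string_match || echo "warning: kernel does not report the string match" >&2
    string_filter_rules "$2"
fi
```

After applying, `iptables -S | grep string` lists the rules in command form and `dmesg` shows the `string-match:` prefix on every packet that matched. One point that bears on the follow-up question in the comments: libpcap only receives copies of packets that have already been accepted by the stack, so a pcap-based tool can observe traffic but cannot drop it; the drop has to happen in netfilter, as in the rules above.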