Re: Layer 7 application blocking via tc/iptables?

Linux Advanced Routing and Traffic Control

On Fri, 29 Aug 2003 13:56:58 +0530, S Mohan <smohan@xxxxxxxx> wrote:
Yes, but it's not simple because u32 can match at most 32 bits at a fixed offset. So if you want to check for a string in layer 7 data you must know at which position
it may appear, convert the string you want to check into hexadecimal, and create a filter like this:


string : "isthisstringpresent?"
hexadecimal representation : 69 73 74 68 69 73 73 74 72 69 6e 67 70 72 65 73 65 6e 74 3f 0a


filter :

tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 \
    match ip protocol 6 0xff \
    match u32 0x69737468 0xffffffff at nexthdr+position \
    match u32 0x69737374 0xffffffff at nexthdr+position+4 \
    match u32 0x72696e67 0xffffffff at nexthdr+position+8 \
    match u32 0x70726573 0xffffffff at nexthdr+position+12 \
    match u32 0x656e743f 0xffffffff at nexthdr+position+16 \
    match u8  0x0a       0xff       at nexthdr+position+20 \
    flowid ...

Using the iptables string module is much easier and doesn't require knowing the string's position.

From the docs I've read, the U32 classifier itself can do this. It may be worth investigating.

Mohan

-----Original Message-----
From: lartc-admin@xxxxxxxxxxxxxxx [mailto:lartc-admin@xxxxxxxxxxxxxxx]On
Behalf Of Julien Gateaud
Sent: Friday, August 29, 2003 1:07 PM
To: Stef Coene; Derek; lartc@xxxxxxxxxxxxxxx
Subject: Re:  Layer 7 application blocking via tc/iptables?


On Thu, 28 Aug 2003 19:54:41 +0200, Stef Coene <stef.coene@xxxxxxxxx> wrote:


On Wednesday 27 August 2003 22:25, Derek wrote:
Hi All,


I hope this is the correct place to ask about this, but can someone give
me an example of blocking a certain application via the layer 7 patch
and iproute/iptables?


For more of a specific example, I'm trying to block certain instant
messaging clients on my network, and I have yet to find a way to do it
(using mark or otherwise).

Any help would be greatly appreciated!
Iptables can look at the packet contents. If you know how the clients are negotiating with the servers, you can block these packets. Or try to find out the ports and IP addresses and block those.

Stef

In patch-o-matic there is a module called string which matches if a string is present in the payload.
Maybe you could use that, but I can't say whether it's stable or not.





-- 
Julien Gateaud
Security Keepers S.A.

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
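The hand-built u32 filter above, done as a small script. This is an added example, not code from Julien's post or from the tc/iptables projects: it converts a string into the same 32-bit chunks and hex words the post lists, emits the corresponding fixed-offset "match" clauses, and then shows the point of the "you must know the position" caveat by testing a constructed payload against a fixed-offset check and against an anywhere-in-payload check (what the iptables string module does). The device, parent, flowid and the two sample payloads are assumptions chosen for the illustration.

```python
# Added example (not code from the original thread): generate the fixed-offset
# tc u32 "match" clauses for a payload string the way the post does by hand,
# and contrast that with the anywhere-in-payload search an iptables string
# match performs. Device, parent, flowid and the payloads are assumptions.

def hex_representation(s: str) -> str:
    """Space-separated hex bytes of the string, as listed in the post."""
    return " ".join(f"{b:02x}" for b in s.encode())


def u32_string_matches(s: str, position: int, base: str = "nexthdr") -> list:
    """Emit one tc u32 'match' clause per chunk of the string.

    Full 32-bit words use 'match u32 ... 0xffffffff'; any trailing bytes
    become single 'match u8 ... 0xff' clauses, which sidesteps alignment
    questions for odd lengths.  Every clause sits at a fixed offset
    relative to `base` (the post uses nexthdr, i.e. the transport header),
    so the string must start at exactly `position` to be matched.
    """
    data = s.encode()
    clauses = []
    off = 0
    while off < len(data):
        if len(data) - off >= 4:
            width, kind, mask = 4, "u32", "0xffffffff"
        else:
            width, kind, mask = 1, "u8", "0xff"
        value = int.from_bytes(data[off:off + width], "big")
        clauses.append(
            f"match {kind} 0x{value:0{width * 2}x} {mask} at {base}+{position + off}"
        )
        off += width
    return clauses


def tc_filter_command(s: str, position: int, dev="eth0", parent="1:0",
                      flowid="1:10", prio=1) -> str:
    """Assemble a complete 'tc filter add' line for the string.

    'protocol ip' is a tc argument (an ethertype), so it goes before 'u32';
    restricting to TCP is done with a u32 match on the IP protocol byte (6).
    """
    parts = [f"tc filter add dev {dev} parent {parent} protocol ip prio {prio} u32",
             "match ip protocol 6 0xff"]
    parts += u32_string_matches(s, position)
    parts.append(f"flowid {flowid}")
    return " \\\n    ".join(parts)


def u32_would_match(payload: bytes, s: str, position: int) -> bool:
    """What the u32 rule decides: the bytes must sit exactly at `position`."""
    needle = s.encode()
    return payload[position:position + len(needle)] == needle


def string_match_would_match(payload: bytes, s: str) -> bool:
    """What an iptables string match decides: the bytes may be anywhere."""
    return s.encode() in payload


if __name__ == "__main__":
    needle = "isthisstringpresent?\n"
    print(hex_representation(needle))
    print(tc_filter_command(needle, position=0))
    # Constructed payloads: the second has two leading bytes, which is enough
    # to slip past a fixed-offset u32 rule but not past a substring search.
    aligned = needle.encode()
    shifted = b"ab" + needle.encode()
    for p in (aligned, shifted):
        print(u32_would_match(p, needle, 0), string_match_would_match(p, needle))
```

The shifted payload is the practical limitation: anything that moves the string by even one byte (a different client version, an extra header line, a leading space) silently defeats the u32 rule, while a string match still fires because it scans the whole payload. The price of the string match is a per-packet search, which is why it is the easier but more expensive tool. In current kernels the patch-o-matic module has become the xt_string match, invoked as `-m string --string "..." --algo bm`; that syntax is the modern one and is mentioned here as an assumption about today's tooling, not as what the 2003 patch accepted.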
