On Mon 04/11/2002 at 11:14, Arkadiusz Miskiewicz wrote:
> iptables -A INPUT -m string --string "xyztest" -j LOG --log-prefix "xyztest: " -m state --state NEW,ESTABLISHED,RELATED
>
> [misiek@ikar misiek]$ telnet misie.k.pl 25
> Trying 156.17.236.105...
> Connected to misie.k.pl.
> Escape character is '^]'.
> 220 misie.k.pl ESMTP Exim 4.10 Mon, 04 Nov 2002 11:11:18 +0100
> xyztest
> 500 unrecognized command
>
> - Nov 4 11:11:20 arm kernel: xyztest: IN=eth0 OUT= MAC=00:10:22:fe:5a:91:00:02:44:1f:f3:b4:08:00 SRC=156.17.235.253 DST=156.17.236.105 LEN=61 TOS=0x10 PREC=0x00 TTL=62 ID=53540 DF PROTO=TCP SPT=2637 DPT=25 WINDOW=5840 RES=0x00 ACK PSH URGP=0
> (logged packet which contains xyztest packet)
>
> tralala
> 500 unrecognized command
>
> - nothing logged
>
> Why is this not working - there is ESTABLISHED,RELATED rule - any ideas?
> (I have conntrack modules loaded).

I do not see your problem. You want to log packets that:
 . contain string "xyztest"
 AND
 . are NEW, ESTABLISHED or RELATED

The first packet logged matches, but not the second, as it does not contain string "xyztest". So, WTF ? :)))

If you want to log the whole session that follows a packet containing string "xyztest", then it will be a little more tricky. You have to use the patch-o-matic CONNMARK patch (extra section) which provides a target to set per connection mark, and a connmark match to match against it.

By the way, I did not test it...

-- 
Cédric Blancher <blancher@cartel-securite.fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
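The CONNMARK approach suggested in the reply above, written out as an added example; it is not part of the original message and is not the rule set its author had in mind. It assumes a current iptables where the CONNMARK target and connmark match are available and the string match requires `--algo`; the function name `connmark_log_rules`, the mark value 1 and the extra OUTPUT rule (so replies are logged too) are choices made for this example.

```shell
#!/bin/sh
# Added example: prints the rules instead of applying them, so they can be
# reviewed first. To apply, run as root:  connmark_log_rules xyztest | sh

# connmark_log_rules PATTERN [MARK]
#   PATTERN  string to look for in a packet payload
#   MARK     non-zero connection mark (hypothetical default: 1)
connmark_log_rules() {
    pattern=$1
    mark=${2:-1}

    # Only accept patterns that are safe to embed in a quoted rule.
    case $pattern in
        ''|*[!A-Za-z0-9._-]*) echo "bad pattern" >&2; return 1 ;;
    esac
    # LOG --log-prefix holds at most 29 characters; we append ": ".
    if [ "${#pattern}" -gt 27 ]; then
        echo "pattern too long for log prefix" >&2; return 1
    fi
    # Mark 0 means "unmarked", so it cannot identify a connection.
    case $mark in
        ''|0|*[!0-9]*) echo "bad mark" >&2; return 1 ;;
    esac

    prefix="$pattern: "

    # 1. Tag the whole connection when one packet carries the pattern.
    #    The string match inspects single packets, not the reassembled
    #    stream, so a pattern split across two segments is not seen.
    echo "iptables -A INPUT -m string --string \"$pattern\" --algo bm -j CONNMARK --set-mark $mark"

    # 2. Log every packet of a tagged connection. This rule comes after
    #    rule 1, so the packet that triggered the mark is logged as well.
    echo "iptables -A INPUT -m connmark --mark $mark -j LOG --log-prefix \"$prefix\""

    # 3. Same for locally generated replies on that connection.
    echo "iptables -A OUTPUT -m connmark --mark $mark -j LOG --log-prefix \"$prefix\""
}

# When called with arguments, print the rules for them.
if [ $# -gt 0 ]; then
    connmark_log_rules "$@"
fi
```

Packets sent before the pattern appears (the handshake and the SMTP banner in the session above) are not logged, because the connection carries no mark yet.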