Just as I suspected. This is not good news for what I would like to do. Why is it that iptables does not allow "forwarding" on the INPUT line? Is it because the filter table is not capable of this?

I have been able to successfully PREROUTE the service I wanted with a redirect line. However this is only HALF the implementation I need... Given the fact that matches are almost always useless in PREROUTING, since only the first packet is examined (I'm fairly certain that what I need to check for is not in that first packet).

I would like to propose a question to the netfilter community (seeing as I am at a complete loss for a solution here). How can I separate requests to a machine by a matched string? Once this is done, how can I then direct certain requests one way and certain requests another way (doesn't need to be another IP but does need to be another port)?

I will post what I have been testing with and perhaps everyone else out there can help me build and actually bring about a solution.

#iptables -A INPUT -p tcp -m string --string ".exe" -j LOG --log-prefix "CODE RED "
#iptables -A INPUT -p tcp -m string --string ".exe" -j REJECT --reject-with tcp-reset

In the beginning I tested these lines. The desired effect was nice! I could both log and reject connections. The downside to this is it causes kernel panics. NOT ACCEPTABLE!

# Works
#iptables -t nat -A PREROUTING -p tcp --dport 81 -j REDIRECT --to-ports 80

# Does not work!
#iptables -t nat -A PREROUTING -p tcp --dport 81 -m string --string "exe" -j REDIRECT --to-ports 80

Keeping in mind that these rules are for complete testing and not practical use, I used them to see if the REDIRECT worked, and it does. However the string matching does not. (Leading me to believe what I need to match is not in the first packet.)

Someone out there must know a way to work around this and it would be most handy for more than just me if this technique could be implemented.

Thanks so much to Ralf Spenneberg for answering the first mail.
I hope others and him can help me resolve this issue. IT'S PLAGUING MY THOUGHTS!!!!

SBlaze

--- Ralf Spenneberg <lists@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> On Fri, 2003-08-15 at 11:29, SBlaze wrote:
> > I've been toying around with the idea of redirecting unwanted traffic to the
> > discard surface. I'm having trouble understanding some concepts though. Could
> > anyone please explain this in more detail or perhaps suggest a way to
> > accomplish this.
> >
> > On the filter tables using INPUT there is no way to change or alter the
> > destination of packets and cause them to be sent to another port?
> No. You cannot change the source or destination in the filter table. Use
> the nat table for this. In the nat table you can change the source
> (POSTROUTING) and the destination (PREROUTING, OUTPUT)
>
> > Using the POSTROUTING chain in the nat table is impossible to effectively
> > filter traffic via specific matches due to the fact that POSTROUTED packets are
> > sort of "lumped together" for lack of a better way to explain it?
> You want the PREROUTING chain since you want to redirect (change the
> destination).
>
> And yes, when using NAT you only see the first packet of each connection
> in the nat table. All other packets are automatically natted
> identically.
>
> Cheers,
>
> Ralf
> --
> Ralf Spenneberg
> RHCE, RHCX
>
> Book: Intrusion Detection für Linux Server http://www.spenneberg.com
> IPsec-Howto http://www.ipsec-howto.org
> Honeynet Project Mirror: http://honeynet.spenneberg.org

=====
"Winky is not knowing how sir, winky is not knowing how?"
-=Winky / Harry Potter and the Goblet of Fire=-
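As an added illustration (not part of the original mail and not netfilter code) of why the second nat rule never fires while the INPUT string match does: a small Python model in which the nat PREROUTING chain consults its rules only for a connection's first packet and the filter INPUT chain sees every packet. The TCP flow and the HTTP request payload are constructed sample data.

```python
# Added model (not from the original mail): the nat PREROUTING chain
# evaluates its rules only on the first packet of a connection (the TCP
# SYN, which carries no payload) and conntrack reuses that verdict for
# the rest of the flow, while the filter INPUT chain sees every packet.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    flags: str          # TCP flags, e.g. "SYN" or "PSH,ACK"
    dport: int          # destination port as the stack sees it
    payload: bytes = b""


def http_flow(dport: int = 81) -> List[Packet]:
    """A minimal client-side TCP flow: handshake, then one HTTP request.
    The request line is a constructed sample containing the '.exe' token."""
    request = b"GET /scripts/sample.exe HTTP/1.0\r\n\r\n"   # constructed
    return [
        Packet("SYN", dport),
        Packet("ACK", dport),
        Packet("PSH,ACK", dport, request),
    ]


def nat_prerouting(flow: List[Packet], needle: Optional[bytes],
                   to_port: int) -> Tuple[List[Packet], bool]:
    """Model of 'iptables -t nat -A PREROUTING ... -j REDIRECT --to-ports'.
    An optional '-m string --string needle' is consulted for the first
    packet only; the resulting port mapping is reused for all others."""
    first = flow[0]
    matched = needle is None or needle in first.payload
    port = to_port if matched else first.dport
    return [Packet(p.flags, port, p.payload) for p in flow], matched


def filter_input(flow: List[Packet], needle: bytes) -> List[int]:
    """Model of 'iptables -A INPUT -m string --string needle -j LOG':
    every packet traverses the filter table, so the match can fire on the
    packet that actually carries the payload. Returns matching indices."""
    return [i for i, p in enumerate(flow) if needle in p.payload]


if __name__ == "__main__":
    flow = http_flow()
    pkts, hit = nat_prerouting(flow, None, 80)
    print("plain REDIRECT: matched on SYN =", hit, [p.dport for p in pkts])
    pkts, hit = nat_prerouting(flow, b"exe", 80)
    print("REDIRECT + string: matched on SYN =", hit, [p.dport for p in pkts])
    print("filter INPUT string match fires on packet(s)", filter_input(flow, b"exe"))
```

The plain REDIRECT maps every packet of the flow to port 80, the string-matched REDIRECT never fires because the SYN has no payload, and the same string in the filter INPUT chain matches only the third packet, where the request bytes actually arrive.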