Re: Cant get "tcp dport 22 @ih,0,32 0x5353482d" to work/match

Hi,

You're trying to match information that is not yet available.

The first tcp/dst 22 packet will not match any of your @ih packets, because it's just a SYN without payload:

On 30-05-2024 09:27, Pascal Ernster wrote:
multiplexing SSH and TLS on TLS port 443. The idea is to match the "SSH-" string in the TCP payload of the SSH client's first packet of the
[...]>>         ct state { established, related } accept comment "allow tracked connections"
[...]
        tcp dport 22 @ih,0,32 0x5353482d counter packets 0 bytes 0 log prefix "##### SSH DEBUG 1 ##### " flags all accept comment "allow SSH- via SSH port"
        tcp dport 22 @ih,0,32 != 0x5353482d counter packets 0 bytes 0 log prefix "##### SSH DEBUG 2 ##### " flags all accept comment "allow SSH- via SSH port"
        tcp dport 22 counter packets 1 bytes 80 log prefix "##### SSH DEBUG 3 ##### " flags all accept comment "allow SSH- via SSH port"

... but it *will* match this one:

        tcp dport 22 accept comment "allow ssh"

And afterwards, packets will be accepted based on the "ct state established" rule at the beginning of your script and not hit any further rules.

As your @ih information will only be available in an established connection (i.e. packet number 3 or so), it will never be reached.

Also, as Florian says:
- you cannot redirect a connection to another port once it has already been established;
- while at the same time, you cannot distinguish between SSH or HTTPS without having an established connection.

V.
--
Durgerdamstraat 29, 1507 JL Zaandam; telefoon 075-7100071
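A constructed Python model of the rule walk the reply describes (added example; it is neither nftables code nor the original poster's ruleset). It assumes a deliberately minimal conntrack model (a flow is "new" until traffic has been seen in both directions) and approximates `@ih,0,32` as a 4-byte big-endian load of the TCP payload that fails to match when the payload is shorter than that, which is consistent with both DEBUG 1 and DEBUG 2 counters sitting at 0 in the quoted output. Addresses, the packet sequence and the client banner are constructed.

```python
"""Constructed model of the rule walk described in the reply (added example; it is
neither nftables code nor the original poster's ruleset). It replays the poster's
INPUT rules, in their original order, against a constructed TCP handshake followed
by the client's first data packet, and reports which rule accepts each packet."""

SSH_MAGIC = 0x5353482D  # the constant from the thread: b"SSH-" read as a big-endian u32


def ih_u32(payload: bytes, offset_bytes: int = 0):
    """Approximate nft '@ih,<off*8>,32' on the TCP payload ('inner header').
    Returns None when fewer than 4 bytes exist past the offset; in that case the
    rule is treated as not matching for both '==' and '!=', so a bare SYN hits
    neither DEBUG 1 nor DEBUG 2 (assumption of this model, consistent with the
    quoted counters)."""
    chunk = payload[offset_bytes:offset_bytes + 4]
    if len(chunk) < 4:
        return None
    return int.from_bytes(chunk, "big")


class Conntrack:
    """Deliberately minimal conntrack model (assumption of this example): a flow is
    'new' until packets have been seen in both directions, then 'established'."""

    def __init__(self):
        self.seen = {}  # flow tuple -> set of directions seen so far

    def state(self, pkt):
        dirs = self.seen.get(pkt["flow"], set())
        return "established" if {"orig", "reply"} <= dirs else "new"

    def record(self, pkt):
        self.seen.setdefault(pkt["flow"], set()).add(pkt["dir"])


def posters_rules():
    """The relevant rules from the thread, in the order the poster's script has them.
    Each entry is (label, predicate); the first predicate that returns True accepts."""
    return [
        ("ct state established,related accept",
         lambda p, ct: ct.state(p) == "established"),
        ("SSH DEBUG 1: tcp dport 22 @ih,0,32 0x5353482d",
         lambda p, ct: p["dport"] == 22 and ih_u32(p["payload"]) == SSH_MAGIC),
        ("SSH DEBUG 2: tcp dport 22 @ih,0,32 != 0x5353482d",
         lambda p, ct: p["dport"] == 22 and ih_u32(p["payload"]) not in (None, SSH_MAGIC)),
        ("SSH DEBUG 3: tcp dport 22 accept",
         lambda p, ct: p["dport"] == 22),
    ]


def handshake_then_banner():
    """Constructed packets as seen from the SSH server. Addresses are from the
    documentation ranges; the banner is a typical OpenSSH client identification."""
    flow = ("198.51.100.7", 51000, "203.0.113.1", 22)
    return [
        dict(name="1 SYN", flow=flow, dir="orig", dport=22, payload=b""),
        dict(name="2 SYN/ACK", flow=flow, dir="reply", dport=51000, payload=b""),
        dict(name="3 ACK", flow=flow, dir="orig", dport=22, payload=b""),
        dict(name="4 PSH banner", flow=flow, dir="orig", dport=22,
             payload=b"SSH-2.0-OpenSSH_9.6\r\n"),
    ]


def walk(packets, rules):
    """Run inbound packets through the rule list; the server's own replies only
    update conntrack (they leave via OUTPUT, not INPUT). Returns [(packet, rule)]."""
    ct = Conntrack()
    trace = []
    for pkt in packets:
        if pkt["dir"] == "reply":
            ct.record(pkt)
            continue
        hit = next((label for label, match in rules if match(pkt, ct)), "(no rule matched)")
        ct.record(pkt)
        trace.append((pkt["name"], hit))
    return trace


def first_packet_carrying_banner(packets):
    """1-based index of the first packet whose payload starts with 'SSH-' (None if none)."""
    for i, pkt in enumerate(packets, 1):
        if ih_u32(pkt["payload"]) == SSH_MAGIC:
            return i
    return None


if __name__ == "__main__":
    for name, hit in walk(handshake_then_banner(), posters_rules()):
        print(f"{name:14} -> {hit}")
    print("banner first visible in packet", first_packet_carrying_banner(handshake_then_banner()))
```

Running it shows the SYN accepted by DEBUG 3 and every later packet accepted by the `ct state` rule, so DEBUG 1 never fires. Passing the rules with the `@ih` rules moved ahead of the `ct state` rule makes DEBUG 1 fire on packet 4, which only illustrates the second half of the reply: the "SSH-" bytes exist only after the three-way handshake, when the connection already exists and can no longer be redirected.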
