Hi,
You're trying to match information that is not yet available.
The first tcp/dst 22 packet will not match any of your @ih packets,
because it's just a SYN without payload:
On 30-05-2024 09:27, Pascal Ernster wrote:
multiplexing SSH and TLS on TLS port 443. The idea is to match the
"SSH-" string in the TCP payload of the SSH client's first packet of the
[...]>> ct state { established, related } accept comment "allow
tracked connections"
[...]
tcp dport 22 @ih,0,32 0x5353482d counter packets 0 bytes 0 log
prefix "##### SSH DEBUG 1 ##### " flags all accept comment "allow SSH-
via SSH port"
tcp dport 22 @ih,0,32 != 0x5353482d counter packets 0 bytes 0
log prefix "##### SSH DEBUG 2 ##### " flags all accept comment "allow
SSH- via SSH port"
tcp dport 22 counter packets 1 bytes 80 log prefix "##### SSH
DEBUG 3 ##### " flags all accept comment "allow SSH- via SSH port"
... but it *will* match this one:
tcp dport 22 accept comment "allow ssh"
And afterwards, packets will be accepted based on the "ct state
established" rule at the beginning of your script and not hit any
further rules.
As your @ih information will only be available in an established
connection (i.e. packet number 3 or so), it will never be reached.
Also, as Florian says:
- you cannot redirect a connection to another port once it has already
been established;
- while at the same time, you cannot distinguish between SSH or HTTPS
without having an established connection.
V.
--
Durgerdamstraat 29, 1507 JL Zaandam; telefoon 075-7100071
