KaratemanTJ (n00b) - Joined: 19 Jan 2013, Posts: 4
Posted: Sat Jan 19, 2013 2:27 pm    Post subject: Iptables string matching help
Greetings,
I am fairly new to iptables and am having issues getting string matching working. I think I have enabled everything in the kernel that I need, but I can't figure it out.
I was hoping someone could walk me through enabling the required modules, etc. and figuring out what I'm missing.
Thanks in advance!
*Trevor
PaulBredbury (Watchman) - Joined: 14 Jul 2005, Posts: 7310
Posted: Sat Jan 19, 2013 3:12 pm
A code sample:
Code:
ipt=/usr/sbin/iptables
...
# http://thiemonagel.de/2006/02/preventing-brute-force-attacks-using-iptables-recent-matching/
# http://spamcleaner.org/en/misc/w00tw00t.html
# man iptables-extensions
$ipt -N httphack
$ipt -A httphack -j LOG --log-level warning --log-prefix "httphack: "
# Add to blacklist and drop
$ipt -A httphack -m recent --name blacklist --set -j DROP
$ipt -N httpcheck
# If in blacklist, then drop
$ipt -A httpcheck -m recent --name blacklist --rcheck --seconds 900 -j DROP
for s in "/w00tw00t.at." "/phpMyAdmin" "http://login." "/admin/" "/azenz" "/db/" "/pma/" "/web/" "/websql/" "/myadmin/" "/xampp/" "http://proxy" ; do
$ipt -A httpcheck -m string --to 60 --algo bm --string "GET $s" -j httphack
done
$ipt -A httpcheck -m string --to 60 --algo bm --string "/sprawdza.php" -j httphack
# Check already-set-up HTTP connections (much more difficult to spoof)
$ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j httpcheck
KaratemanTJ (n00b) - Joined: 19 Jan 2013, Posts: 4
Posted: Sat Jan 19, 2013 9:53 pm    Post subject: Code Sample
Code:
Trevor-VPN-65 ~ # cat ipt_code_sample
ipt=/sbin/iptables
# http://thiemonagel.de/2006/02/preventing-brute-force-attacks-using-iptables-recent-matching/
# http://spamcleaner.org/en/misc/w00tw00t.html
# man iptables-extensions
$ipt -N httphack
$ipt -A httphack -j LOG --log-level warning --log-prefix "httphack: "
# Add to blacklist and drop
$ipt -A httphack -m recent --name blacklist --set -j DROP
$ipt -N httpcheck
# If in blacklist, then drop
$ipt -A httpcheck -m recent --name blacklist --rcheck --seconds 900 -j DROP
for s in "/w00tw00t.at." "/phpMyAdmin" "http://login." "/admin/" "/azenz" "/db/" "/pma/" "/web/" "/websql/" "/myadmin/" "/xampp/" "http://proxy" ; do
$ipt -A httpcheck -m string --to 60 --algo bm --string "GET $s" -j httphack
done
$ipt -A httpcheck -m string --to 60 --algo bm --string "/sprawdza.php" -j httphack
# Check already-set-up HTTP connections (much more difficult to spoof)
$ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j httpcheck
Trevor-VPN-65 ~ # . ipt_code_sample
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Trevor-VPN-65 ~ #
Code:
Trevor-VPN-65 ~ # iptables -F
Trevor-VPN-65 ~ # $ipt -N httphack
iptables: Chain already exists.
Trevor-VPN-65 ~ # $ipt -A httphack -j LOG --log-level warning --log-prefix "httphack: "
Trevor-VPN-65 ~ # $ipt -A httphack -m recent --name blacklist --set -j DROP
iptables: No chain/target/match by that name.
Trevor-VPN-65 ~ # $ipt -N httpcheck
iptables: Chain already exists.
Trevor-VPN-65 ~ # $ipt -A httphack -j LOG --log-level warning --log-prefix "httphack: "
Trevor-VPN-65 ~ # $ipt -A httphack -m recent --name blacklist --set -j DROP
iptables: No chain/target/match by that name.
Trevor-VPN-65 ~ # $ipt -N httpcheck
iptables: Chain already exists.
Trevor-VPN-65 ~ # $ipt -A httpcheck -m recent --name blacklist --rcheck --seconds 900 -j DROP
iptables: No chain/target/match by that name.
Trevor-VPN-65 ~ # for s in "/w00tw00t.at." "/phpMyAdmin" "http://login." "/admin/" "/azenz" "/db/" "/pma/" "/web/" "/websql/" "/myadmin/" "/xampp/" "http://proxy" ; do
> $ipt -A httpcheck -m string --to 60 --algo bm --string "GET $s" -j httphack
> done
Trevor-VPN-65 ~ # $ipt -A httpcheck -m string --to 60 --algo bm --string "/sprawdza.php" -j httphack
Trevor-VPN-65 ~ # $ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j httpcheck
Trevor-VPN-65 ~ #
So it looks like string matching is working...? Just not the "recent" matching. Does that sound right?
PaulBredbury (Watchman) - Joined: 14 Jul 2005, Posts: 7310
Posted: Sun Jan 20, 2013 12:08 am    Post subject: Re: Code Sample
KaratemanTJ wrote:
> Trevor-VPN-65 ~ # $ipt -N httpcheck
> iptables: Chain already exists.
You want: iptables -X
man iptables will show what this does.
I think you need the kernel option: NETFILTER_XT_MATCH_RECENT
KaratemanTJ (n00b) - Joined: 19 Jan 2013, Posts: 4
Posted: Sun Jan 20, 2013 12:03 pm
Thanks for the help! Using a custom chain had solved the "No chain/target/match by that name." issues I was having before for a bit, but my issue is now that it seems to not actually be using the string match like it should. I'm trying to do some NAT routing based on strings (HOST: hostnamehere). If there's a nicer way of doing that I'd be interested in hearing about it, but until then I'll keep following this route...
My original method was by port and was set up like so:
Code:
Trevor-VPN-65 trevor # $ipt -t nat -A POSTROUTING -j MASQUERADE
Trevor-VPN-65 trevor # $ipt -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.9.7.4:80
This works nicely and forwards port 8080 to my webserver. I have similar rules that forward other ports to different ports on different servers/computers. I would like to be able to forward based on strings in the packet.
I would assume something like this should work, but I'm having issues.
Code:
Trevor-VPN-65 trevor # $ipt -t nat -F
Trevor-VPN-65 trevor # $ipt -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Trevor-VPN-65 trevor # $ipt -t nat -N httpRedir
Trevor-VPN-65 trevor # $ipt -t nat -A PREROUTING -p tcp --dport 80 -j httpRedir
Trevor-VPN-65 trevor # $ipt -t nat -A POSTROUTING -j MASQUERADE
Trevor-VPN-65 trevor # $ipt -t nat -A httpRedir -p tcp -m string --string "teststring" --algo bn -j DNAT --to-destination 10.9.7.4:80
iptables: No chain/target/match by that name.
Trevor-VPN-65 trevor #
I'm pretty sure at one point I got a rule like that to work, or at least it didn't complain when I added it, but even then it wasn't actually working.
Any thoughts? Thanks again for all your help, ipt is beginning to make a lot more sense than it used to! =)
*Trevor
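Both of the "No chain/target/match by that name." failures in this thread (the "recent" match in PaulBredbury's filter-table sample, and the string match in the nat-table rule above) are the error iptables gives when the kernel lacks the match or target module, so the first thing to check is the kernel config. The script below is an added example for this thread, not code from either poster: it reads a kernel .config (on a live box, `zcat /proc/config.gz` if CONFIG_IKCONFIG_PROC is set, or /usr/src/linux/.config) and reports which of the needed options are missing and which modules must be loaded before the rules are added. The CONFIG_ option names and module names are assumptions based on 3.x-era kernels (NF_NAT_IPV4 was later folded back into NF_NAT); the sample config embedded in the script is constructed. One caveat on the nat-table idea itself: nat PREROUTING is consulted only for the first packet of a connection, which for TCP is the SYN and carries no HTTP payload, so a string match on "Host:" there can never fire; Host-based routing is a job for a reverse proxy in front of the web servers.

```shell
#!/bin/sh
# Added example for this thread (not PaulBredbury's or KaratemanTJ's code):
# check a kernel .config for the netfilter options behind the rules in the
# thread and report what is missing. Option and module names are assumptions
# based on 3.x-era kernels; compare them against your own tree.

# Behind "-m string", "-m recent", "-m conntrack" and "-j LOG"
# (PaulBredbury's filter-table sample).
FILTER_OPTS="CONFIG_NETFILTER_XT_MATCH_STRING CONFIG_NETFILTER_XT_MATCH_RECENT \
CONFIG_NETFILTER_XT_MATCH_CONNTRACK CONFIG_NETFILTER_XT_TARGET_LOG"
# Behind the nat-table DNAT/MASQUERADE rules (KaratemanTJ's sample).
NAT_OPTS="CONFIG_NF_NAT_IPV4 CONFIG_IP_NF_TARGET_MASQUERADE"

# missing_kernel_opts CONFIGFILE OPT...
# Prints every OPT that is neither built in (=y) nor a module (=m), one per
# line; returns 0 when nothing is missing, 1 otherwise.
missing_kernel_opts() {
    cfg=$1; shift
    rc=0
    for opt in "$@"; do
        if ! grep -Eq "^${opt}=[ym]\$" "$cfg"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# modules_to_load CONFIGFILE OPT...
# Prints the module to modprobe for each OPT built as "=m" (built-in "=y"
# options need nothing). Module names are assumptions for 3.x kernels.
modules_to_load() {
    cfg=$1; shift
    for opt in "$@"; do
        grep -q "^${opt}=m\$" "$cfg" || continue
        case $opt in
            CONFIG_NETFILTER_XT_MATCH_STRING)    echo xt_string ;;
            CONFIG_NETFILTER_XT_MATCH_RECENT)    echo xt_recent ;;
            CONFIG_NETFILTER_XT_MATCH_CONNTRACK) echo xt_conntrack ;;
            CONFIG_NETFILTER_XT_TARGET_LOG)      echo xt_LOG ;;
            CONFIG_NF_NAT_IPV4)                  echo nf_nat_ipv4 ;;
            CONFIG_IP_NF_TARGET_MASQUERADE)      echo ipt_MASQUERADE ;;
        esac
    done
}

# report CONFIGFILE: human-readable summary for stand-alone use.
report() {
    cfg=$1
    if missing=$(missing_kernel_opts "$cfg" $FILTER_OPTS $NAT_OPTS); then
        echo "all required netfilter options are present"
    else
        echo "missing (rebuild the kernel with these enabled):"
        echo "$missing"
    fi
    mods=$(modules_to_load "$cfg" $FILTER_OPTS $NAT_OPTS)
    [ -n "$mods" ] && echo "modprobe these before adding rules:" $mods
}

# Constructed sample config, standing in for `zcat /proc/config.gz`:
# string match built as a module, recent match never enabled.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_STRING=m
# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NF_NAT_IPV4=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
EOF

report "$SAMPLE_CONFIG"
```

Run against the constructed config it reports CONFIG_NETFILTER_XT_MATCH_RECENT as missing, which is exactly the symptom in the second post, and lists xt_string, xt_LOG and ipt_MASQUERADE as modules to load. Replace the heredoc with your real config to check a live system.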
KaratemanTJ (n00b) - Joined: 19 Jan 2013, Posts: 4
Posted: Mon Jan 28, 2013 10:25 pm    Post subject: Hello?
Help..? =(
Anyone have any advice? I don't know where to go from here.
*Trevor