Gentoo Forums
Iptables string matching help
Forum: Networking & Security
KaratemanTJ (n00b; Joined: 19 Jan 2013; Posts: 4)
Posted: Sat Jan 19, 2013 2:27 pm    Post subject: Iptables string matching help

Greetings,

I am fairly new to iptables and am having issues getting string matching working. I think I have enabled everything in the kernel that I need, but I can't figure it out. :oops:

I was hoping someone could walk me through enabling the required modules, etc. and figuring out what I'm missing.

Thanks in advance!

*Trevor
PaulBredbury (Watchman; Joined: 14 Jul 2005; Posts: 7310)
Posted: Sat Jan 19, 2013 3:12 pm

A code sample:
Code:
ipt=/usr/sbin/iptables

...

# http://thiemonagel.de/2006/02/preventing-brute-force-attacks-using-iptables-recent-matching/
# http://spamcleaner.org/en/misc/w00tw00t.html
# man iptables-extensions
$ipt -N httphack
$ipt -A httphack -j LOG --log-level warning --log-prefix "httphack: "
# Add to blacklist and drop
$ipt -A httphack -m recent --name blacklist --set -j DROP
$ipt -N httpcheck
# If in blacklist, then drop
$ipt -A httpcheck -m recent --name blacklist --rcheck --seconds 900 -j DROP
for s in "/w00tw00t.at." "/phpMyAdmin" "http://login." "/admin/" "/azenz" "/db/" "/pma/" "/web/" "/websql/" "/myadmin/" "/xampp/" "http://proxy" ; do
    $ipt -A httpcheck -m string --to 60 --algo bm --string "GET $s" -j httphack
done
$ipt -A httpcheck -m string --to 60 --algo bm --string "/sprawdza.php" -j httphack
# Check already-set-up HTTP connections (much more difficult to spoof)
$ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j httpcheck
KaratemanTJ (n00b; Joined: 19 Jan 2013; Posts: 4)
Posted: Sat Jan 19, 2013 9:53 pm    Post subject: Code Sample

Code:

Trevor-VPN-65 ~ # cat ipt_code_sample
ipt=/sbin/iptables


# http://thiemonagel.de/2006/02/preventing-brute-force-attacks-using-iptables-recent-matching/
# http://spamcleaner.org/en/misc/w00tw00t.html
# man iptables-extensions
$ipt -N httphack
$ipt -A httphack -j LOG --log-level warning --log-prefix "httphack: "
# Add to blacklist and drop
$ipt -A httphack -m recent --name blacklist --set -j DROP
$ipt -N httpcheck
# If in blacklist, then drop
$ipt -A httpcheck -m recent --name blacklist --rcheck --seconds 900 -j DROP
for s in "/w00tw00t.at." "/phpMyAdmin" "http://login." "/admin/" "/azenz" "/db/" "/pma/" "/web/" "/websql/" "/myadmin/" "/xampp/" "http://proxy" ; do
    $ipt -A httpcheck -m string --to 60 --algo bm --string "GET $s" -j httphack
done
$ipt -A httpcheck -m string --to 60 --algo bm --string "/sprawdza.php" -j httphack
# Check already-set-up HTTP connections (much more difficult to spoof)
$ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j httpcheck
Trevor-VPN-65 ~ # . ipt_code_sample
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Trevor-VPN-65 ~ #


:(

Code:

Trevor-VPN-65 ~ # iptables -F
Trevor-VPN-65 ~ # $ipt -N httphack
iptables: Chain already exists.
Trevor-VPN-65 ~ # $ipt -A httphack -j LOG --log-level warning --log-prefix "httphack: "
Trevor-VPN-65 ~ # $ipt -A httphack -m recent --name blacklist --set -j DROP
iptables: No chain/target/match by that name.
Trevor-VPN-65 ~ # $ipt -N httpcheck
iptables: Chain already exists.
Trevor-VPN-65 ~ # $ipt -A httphack -j LOG --log-level warning --log-prefix "httphack: "
Trevor-VPN-65 ~ # $ipt -A httphack -m recent --name blacklist --set -j DROP
iptables: No chain/target/match by that name.
Trevor-VPN-65 ~ # $ipt -N httpcheck
iptables: Chain already exists.
Trevor-VPN-65 ~ # $ipt -A httpcheck -m recent --name blacklist --rcheck --seconds 900 -j DROP
iptables: No chain/target/match by that name.
Trevor-VPN-65 ~ # for s in "/w00tw00t.at." "/phpMyAdmin" "http://login." "/admin/" "/azenz" "/db/" "/pma/" "/web/" "/websql/" "/myadmin/" "/xampp/" "http://proxy" ; do
> $ipt -A httpcheck -m string --to 60 --algo bm --string "GET $s" -j httphack
> done
Trevor-VPN-65 ~ # $ipt -A httpcheck -m string --to 60 --algo bm --string "/sprawdza.php" -j httphack
Trevor-VPN-65 ~ # $ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j httpcheck
Trevor-VPN-65 ~ #


So it looks like string matching is working...? Just not the "recent" matching. Does that sound right?
PaulBredbury (Watchman; Joined: 14 Jul 2005; Posts: 7310)
Posted: Sun Jan 20, 2013 12:08 am    Post subject: Re: Code Sample

KaratemanTJ wrote:
Trevor-VPN-65 ~ # $ipt -N httpcheck
iptables: Chain already exists.

You want: iptables -X

man iptables will show what this does.

I think you need the kernel option: NETFILTER_XT_MATCH_RECENT
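An added example, not PaulBredbury's script nor anything else posted in this thread: a loader for the httphack/httpcheck chains above that first checks the running kernel's config for the options behind the matches those rules use (including the NETFILTER_XT_MATCH_RECENT he points to), then creates the chains and appends the rules only when they are not already there, so it can be re-run without hitting "Chain already exists" or duplicating rules. The rule bodies are the ones from the post above; the Kconfig symbol list, the DRY_RUN switch, the reliance on /proc/config.gz and the helper names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): load the httphack/httpcheck chains
# idempotently after checking that the kernel was built with the netfilter
# matches they use. Assumes iptables is in PATH and that the kernel exposes
# its config at /proc/config.gz (CONFIG_IKCONFIG_PROC=y).
# Set DRY_RUN=1 to print the iptables commands instead of running them.

# Kconfig symbols behind the matches/targets used below
# (xt_string, xt_recent, xt_conntrack, LOG). Assumed list, not from the post.
NEEDED_OPTS="NETFILTER_XT_MATCH_STRING NETFILTER_XT_MATCH_RECENT NETFILTER_XT_MATCH_CONNTRACK NETFILTER_XT_TARGET_LOG"

# check_config: read a kernel .config on stdin; succeed only if every needed
# option is built in (=y) or modular (=m). Lists the missing ones on stderr.
check_config() {
    cfg=$(cat)
    missing=""
    for opt in $NEEDED_OPTS; do
        printf '%s\n' "$cfg" | grep -q "^CONFIG_${opt}=[ym]$" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "kernel config is missing:$missing" >&2
        return 1
    fi
    return 0
}

# ipt: run iptables, or print the command under DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# new_chain <chain>: create a user chain only if it does not exist yet.
new_chain() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -n -L "$1" >/dev/null 2>&1; then
        ipt -N "$1"
    fi
}

# add_rule <chain> <rule...>: append unless an identical rule is already
# present (iptables -C), so repeated runs do not stack duplicates.
add_rule() {
    chain=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -C "$chain" "$@" 2>/dev/null; then
        ipt -A "$chain" "$@"
    fi
}

# Request prefixes typical of web-scanner probes (the list from the post).
SCAN_PATHS="/w00tw00t.at. /phpMyAdmin http://login. /admin/ /azenz /db/ /pma/ /web/ /websql/ /myadmin/ /xampp/ http://proxy"

load_rules() {
    new_chain httphack
    add_rule httphack -j LOG --log-level warning --log-prefix "httphack: "
    # remember the source address in the "blacklist" list, then drop
    add_rule httphack -m recent --name blacklist --set -j DROP

    new_chain httpcheck
    # any source that hit httphack in the last 15 minutes is dropped outright
    add_rule httpcheck -m recent --name blacklist --rcheck --seconds 900 -j DROP
    for s in $SCAN_PATHS; do
        # --to 60 restricts the search to the first 60 bytes of the packet,
        # counted from the IP header, so only the start of the request line is seen
        add_rule httpcheck -m string --to 60 --algo bm --string "GET $s" -j httphack
    done
    add_rule httpcheck -m string --to 60 --algo bm --string "/sprawdza.php" -j httphack

    # Only ESTABLISHED packets can carry a request line. The string match has
    # to live in the filter table on the data packets: the nat table is
    # consulted only for a connection's first packet, which for TCP is the
    # SYN and carries no HTTP data.
    add_rule INPUT -p tcp --dport 80 -m conntrack --ctstate RELATED,ESTABLISHED -j httpcheck
}

case "${1:-}" in
    check) zcat /proc/config.gz | check_config ;;
    load)  zcat /proc/config.gz | check_config && load_rules ;;
esac
```

Run `sh httphack.sh check` to see which of the assumed Kconfig symbols the running kernel lacks, `DRY_RUN=1 sh httphack.sh load` to review the rules it would add, and `sh httphack.sh load` as root to install them. `--algo` accepts only `bm` or `kmp`; any other value makes iptables report "No chain/target/match by that name", the same message it gives when the match module itself is missing.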
KaratemanTJ (n00b; Joined: 19 Jan 2013; Posts: 4)
Posted: Sun Jan 20, 2013 12:03 pm

Thanks for the help! Using a custom chain solved the "No chain/target/match by that name." issues I was having before for a bit, but now my issue is that it doesn't seem to actually use the string match as it should. I'm trying to do some NAT routing based on strings (HOST: hostnamehere). If there's a nicer way of doing that I'd be interested in hearing about it, but until then I'll keep following this route...

My original method was by port and was setup like so:
Code:

Trevor-VPN-65 trevor # $ipt -t nat -A POSTROUTING -j MASQUERADE
Trevor-VPN-65 trevor # $ipt -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.9.7.4:80



This works nicely and forwards port 8080 to my webserver. I have similar rules that forward other ports to different ports on different servers/computers. I would like to be able to forward based on strings in the packet.
I would assume something like this should work, but I'm having issues.
Code:

Trevor-VPN-65 trevor # $ipt -t nat -F
Trevor-VPN-65 trevor # $ipt -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Trevor-VPN-65 trevor # $ipt -t nat -N httpRedir
Trevor-VPN-65 trevor # $ipt -t nat -A PREROUTING -p tcp --dport 80 -j httpRedir
Trevor-VPN-65 trevor # $ipt -t nat -A POSTROUTING -j MASQUERADE
Trevor-VPN-65 trevor # $ipt -t nat -A httpRedir -p tcp -m string --string "teststring" --algo bn -j DNAT --to-destination 10.9.7.4:80
iptables: No chain/target/match by that name.
Trevor-VPN-65 trevor #


I'm pretty sure at one point I got a rule like that to work, or at least it didn't complain when I added it, but even then it wasn't actually working.

Any thoughts? Thanks again for all your help, ipt is beginning to make a lot more sense than it used to! =)

*Trevor
KaratemanTJ (n00b; Joined: 19 Jan 2013; Posts: 4)
Posted: Mon Jan 28, 2013 10:25 pm    Post subject: Hello?

Help..? =(

Anyone have any advice? I don't know where to go from here.

*Trevor
All times are GMT