* Question about -m string module
@ 2005-02-04 15:23 Maxime Ducharme
  2005-02-04 15:58 ` Samuel Jean
  0 siblings, 1 reply; 4+ messages in thread
From: Maxime Ducharme @ 2005-02-04 15:23 UTC (permalink / raw)
  To: netfilter


Hello guys

I have a question about -m string module and
I think you iptables geeks can answer me :)

Suppose I want to drop TCP connections with
specific requests.

Example : a mail which contains the word "sperm",

I'd add a rule like

$IPTABLES -t filter -A FORWARD -p tcp --dport 25 -d OURMAILSERVER \
    -m string --string "sperm" -j DROP

What is the reaction in the TCP connection ?

The further packets of the same connection get dropped too ?
This would mean the email cannot be sent, and stay in the foreign
mail server queue for X days ?

Would it be the same if I use a REJECT rule ?

Also, can fragmented TCP packets get through this ?

Thanks in advance

Maxime Ducharme
Programmer / Network security specialist





* Re: Question about -m string module
  2005-02-04 15:23 Question about -m string module Maxime Ducharme
@ 2005-02-04 15:58 ` Samuel Jean
  2005-02-04 16:27   ` Ramoni
  0 siblings, 1 reply; 4+ messages in thread
From: Samuel Jean @ 2005-02-04 15:58 UTC (permalink / raw)
  To: Maxime Ducharme; +Cc: netfilter

On Fri, February 4, 2005 10:23 am, Maxime Ducharme said:
>
> Hello guys

Hiya Maxime!

>
> I have a question about -m string module and
> I think you iptables geeks can answer me :)

I am no geek nor guru ;)

>
> Suppose I want to drop TCP connections with
> specific requests.
>
> Example : a mail which contains the word "sperm",

I don't think iptables is the proper tool for such.
Consider using a mail proxy able to scan message for virus
and such instead.

>
> I'd add a rule like
>
> $IPTABLES -t filter -A FORWARD -p tcp --dport 25 -d OURMAILSERVER \
>     -m string --string "sperm" -j DROP
>
> What is the reaction in the TCP connection ?

That packet always gets lost in the black hole.
The sender will keep sending that packet over and over again.
However, I *think* TCP has a timeout mechanism.

>
> The further packets of the same connection get dropped too ?

No

> This would mean the email cannot be sent, and stay in the foreign
> mail server queue for X days ?

My guess is the TCP algorithm would keep trying to send that particular
packet as it didn't get any ACK for that sequence number.

> Would it be the same if I use a REJECT rule ?

No. I think a tcp-reset would do the trick.

>
> Also, can fragmented TCP packets get through this ?

Yes, but that `sperm' word is quite small. Most of the time,
this whole word will stand in a fragmented packet.

>
> Thanks in advance
>
> Maxime Ducharme
> Programmer / Network security specialist
>

Have a good day,

Samuel

NOTE: This email reflects author _thoughts_, not the reality.
      I may be totally wrong, so just don't trust me :-)



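To make the per-packet point in the reply above concrete, here is an added Python model (not code from this thread or from netfilter) of what a stateless string match sees on a TCP stream: each segment is judged on its own, a pattern that straddles a segment boundary is never seen, and when one segment is dropped the later segments still pass the firewall but cannot be handed to the application until the hole is filled. The SMTP transcript, the MSS values and the `sperm` pattern are constructed sample input; TCP is reduced to a list of payloads with no headers.

```python
"""A model of what a stateless per-packet string match sees on a TCP stream.
Constructed example: no real packets, just the payload of each segment."""
from typing import List

# Constructed SMTP transcript; the pattern follows the thread's example.
MESSAGE = (b"DATA\r\n"
           b"Subject: test\r\n"
           b"\r\n"
           b"This mail mentions sperm whales.\r\n"
           b".\r\n")
PATTERN = b"sperm"


def segmentize(payload: bytes, mss: int) -> List[bytes]:
    """Cut a payload into segments of at most `mss` bytes (what TCP does)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def split_across_boundary(payload: bytes, pattern: bytes) -> List[bytes]:
    """Cut the stream in the middle of the first occurrence of `pattern`, so
    no single segment carries the whole pattern (what an evasive sender, or
    plain bad luck with the MSS, produces)."""
    i = payload.find(pattern)
    if i < 0:
        return [payload]
    cut = i + len(pattern) // 2
    return [payload[:cut], payload[cut:]]


def per_segment_verdicts(segments: List[bytes], pattern: bytes) -> List[str]:
    """Verdict per segment, judged in isolation: the rule has no memory of
    earlier segments, so only a segment containing the whole pattern matches.
    Because the decision depends only on the segment's bytes, every
    retransmission of a dropped segment is dropped again."""
    return ["DROP" if pattern in seg else "ACCEPT" for seg in segments]


def stream_has_pattern(segments: List[bytes], pattern: bytes) -> bool:
    """Match on the reassembled stream, which is what a proxy (or anything
    that reassembles TCP) sees."""
    return pattern in b"".join(segments)


def deliverable_prefix(segments: List[bytes], verdicts: List[str]) -> bytes:
    """Bytes the receiving TCP can hand to the application: in-order data up
    to the first hole. Later segments still pass the firewall (only the
    matching one is dropped) but sit in the out-of-order queue until the hole
    is filled, which never happens while the rule keeps dropping it."""
    out = b""
    for seg, verdict in zip(segments, verdicts):
        if verdict != "ACCEPT":
            break
        out += seg
    return out


def demo() -> dict:
    """Three segmentations of the same stream and what the rule does to each."""
    cases = {
        "one_segment": segmentize(MESSAGE, 1460),
        "small_mss": segmentize(MESSAGE, 32),
        "split_pattern": split_across_boundary(MESSAGE, PATTERN),
    }
    out = {}
    for name, segs in cases.items():
        verdicts = per_segment_verdicts(segs, PATTERN)
        out[name] = {
            "verdicts": verdicts,
            "stream_match": stream_has_pattern(segs, PATTERN),
            "delivered": deliverable_prefix(segs, verdicts),
        }
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["verdicts"], "stream match:", r["stream_match"],
              "delivered:", len(r["delivered"]), "bytes")
```

The `small_mss` case is the situation the thread asks about: the segments before the match are delivered, the matching segment is dropped, and the sender retransmits it, with each retransmission matching the same rule again, so the session sits until the sender's retransmission limit expires (on Linux, with the default `tcp_retries2` of 15, that is on the order of fifteen minutes) and the sending MTA requeues the message. With `-j REJECT --reject-with tcp-reset` the sender's TCP gets a RST for the matching segment at once instead of retransmitting into a black hole. The `split_pattern` case is the evasion: only something that reassembles the stream, such as an SMTP proxy, sees the pattern.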

* Re: Question about -m string module
  2005-02-04 15:58 ` Samuel Jean
@ 2005-02-04 16:27   ` Ramoni
  2005-02-04 20:23     ` Maxime Ducharme
  0 siblings, 1 reply; 4+ messages in thread
From: Ramoni @ 2005-02-04 16:27 UTC (permalink / raw)
  To: netfilter

If you want to DROP some mail using string on iptables, you will DoS your 
server.

Why ?
OK, SMTP is a plain protocol, and you may drop an SMTP connection if you 
find a string in it.

But you are dropping the email, you are dropping a connection.
Pay attention that the string you are searching for in the drop rule won't be in 
the first packet of the connection, so the connection to your mail server 
will start. After that, you will drop the rest of the packets if you find the 
string, and then your mail server will be in a CLOSE_WAIT state until the 
timeout.

It will reach the point that all SMTP processes are used and your server won't 
accept any new connections.


Sorry about the English, but I'm sure that what I say will happen.
(I've done it... lol)



-- 
André "Ramoni" (Cabelo)
Networks / Linux
Databras Informatica
Tel: (21) 2518-2363
Fax: (21) 2263-6830


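The exhaustion effect described in the message above, as an added Python demonstration (not code from this thread or from any MTA): a toy SMTP listener with a fixed pool of two workers, two senders that complete the handshake and EHLO and then go silent, as they would once the firewall starts eating their DATA segment, and a third sender whose connect() succeeds against the kernel backlog but who gets no banner until a worker's idle timeout releases a slot. The hostnames, the pool size and the one-second idle timeout are constructed for the demo; a real MTA waits much longer (RFC 5321 recommends at least five minutes per command), which is what makes the exhaustion practical.

```python
"""Toy SMTP listener with a fixed pool of workers (constructed demo, not an
MTA). Senders whose next segment never arrives keep their worker until the
idle timeout, so a fresh connection completes the TCP handshake but gets no
banner until a slot is freed."""
import socket
import threading

CRLF = b"\r\n"
BANNER = b"220 mail.example.test ESMTP"      # hypothetical hostname


def _readline(conn):
    """Read one CRLF-terminated line; None on EOF. Raises socket.timeout if
    the peer goes silent for longer than the socket timeout."""
    buf = b""
    while not buf.endswith(CRLF):
        chunk = conn.recv(1)
        if not chunk:
            return None
        buf += chunk
    return buf[:-2]


def worker(listener, idle_timeout, stop):
    """One SMTP 'process': accept, greet, answer commands until QUIT, EOF or
    idle timeout, then go back to accept(). While it is blocked in recv() on
    a silent client, that slot is unavailable to everyone else."""
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue            # periodic wake-up to check the stop flag
        except OSError:
            return              # listener closed
        with conn:
            conn.settimeout(idle_timeout)
            try:
                conn.sendall(BANNER + CRLF)
                while True:
                    line = _readline(conn)
                    if line is None:
                        break
                    if line.upper().startswith(b"QUIT"):
                        conn.sendall(b"221 bye" + CRLF)
                        break
                    conn.sendall(b"250 ok" + CRLF)
            except OSError:
                pass            # idle timeout or peer reset: slot released


def greeted_within(addr, timeout):
    """Connect as a fresh sender; True if the banner arrives within `timeout`."""
    with socket.create_connection(addr) as c:
        c.settimeout(timeout)
        try:
            if _readline(c) != BANNER:
                return False
        except socket.timeout:
            return False
        c.sendall(b"QUIT" + CRLF)
        return True


def run_demo(workers=2, idle_timeout=1.0):
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)
    listener.settimeout(0.1)
    addr = listener.getsockname()
    stop = threading.Event()
    pool = [threading.Thread(target=worker, args=(listener, idle_timeout, stop),
                             daemon=True) for _ in range(workers)]
    for t in pool:
        t.start()

    # Stalled senders: handshake and EHLO go through (nothing to match yet);
    # the segment carrying the banned content is the one the firewall eats,
    # so from the server's point of view the client simply goes silent.
    stalled = []
    for _ in range(workers):
        c = socket.create_connection(addr)
        c.settimeout(5.0)
        _readline(c)                              # 220: a worker is now ours
        c.sendall(b"EHLO relay.example.test" + CRLF)   # hypothetical client
        _readline(c)                              # 250 ok
        stalled.append(c)                         # ...and never send DATA

    # A legitimate sender arriving now: connect() succeeds (kernel backlog),
    # but every worker is blocked in recv() and nobody sends the banner.
    while_stalled = greeted_within(addr, timeout=0.3)
    # After the idle timeout the workers give up on the silent clients and
    # service resumes.
    after_timeout = greeted_within(addr, timeout=idle_timeout + 3.0)

    stop.set()
    for c in stalled:
        c.close()
    listener.close()
    for t in pool:
        t.join(timeout=5.0)
    return {"served_while_stalled": while_stalled,
            "served_after_timeout": after_timeout}


if __name__ == "__main__":
    print(run_demo())
```

Scale the numbers to a real deployment (tens of worker processes, a five-minute idle timeout, and a steady trickle of matching messages from legitimate remote MTAs) and the listener spends most of its time with every slot held by a stalled session, which is the self-inflicted denial of service the message warns about. A proxy that reads the whole message before answering the DATA command can reject it with a 5xx reply and close cleanly instead.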

* Re: Question about -m string module
  2005-02-04 16:27   ` Ramoni
@ 2005-02-04 20:23     ` Maxime Ducharme
  0 siblings, 0 replies; 4+ messages in thread
From: Maxime Ducharme @ 2005-02-04 20:23 UTC (permalink / raw)
  To: Ramoni, netfilter


This is what I expected, I only needed a confirmation :)

I think this module can help filtering data in application
level from UDP packets, but not TCP.

I'll look for a proxy solution instead for SMTP or HTTP
filtering.

Thanks all for reply

Have a nice weekend

Maxime Ducharme
Programmer / Network security specialist

