From: Julien Gateaud <jgateaud@securitykeepers.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Layer 7 application blocking via tc/iptables?
Date: Fri, 29 Aug 2003 09:09:00 +0000	[thread overview]
Message-ID: <marc-lartc-106214825429368@msgid-missing> (raw)
In-Reply-To: <marc-lartc-106201614032501@msgid-missing>

On Fri, 29 Aug 2003 13:56:58 +0530, S Mohan <smohan@vsnl.com> wrote:
Yes, but it's not simple, because u32 can match at most 32 bits at a fixed 
offset. So if you want to check for a string in the layer 7 data you must know at 
which position it may appear, convert the string you want to check into hex numbers and 
create a filter like this:

string : "isthisstringpresent?"
hexadecimal representation : 69 73 74 68   69 73 73 74   72 69 6e 67   70 72 65 73   65 6e 74 3f   0a

filter :

# "protocol" and "prio" belong before "u32"; TCP is selected by matching
# the IPv4 protocol field (6), since "protocol tcp" is not a valid ethertype
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 \
	match ip protocol 6 0xff \
	match u32 0x69737468 0xffffffff at nexthdr+position \
	match u32 0x69737374 0xffffffff at nexthdr+position+4 \
	match u32 0x72696e67 0xffffffff at nexthdr+position+8 \
	match u32 0x70726573 0xffffffff at nexthdr+position+12 \
	match u32 0x656e743f 0xffffffff at nexthdr+position+16 \
	match u8  0x0a       0xff       at nexthdr+position+20 \
	flowid ...

Using the iptables string module is much easier and doesn't require knowing 
the string's position.

> From the docs I've read, the U32 classifier itself can do this. May be 
> worthwhile investigating.
>
> Mohan
>
> -----Original Message-----
> From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]On
> Behalf Of Julien Gateaud
> Sent: Friday, August 29, 2003 1:07 PM
> To: Stef Coene; Derek; lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Layer 7 application blocking via tc/iptables?
>
>
> On Thu, 28 Aug 2003 19:54:41 +0200, Stef Coene <stef.coene@docum.org> 
> wrote:
>
>> On Wednesday 27 August 2003 22:25, Derek wrote:
>>> Hi All,
>>>
>>>
>>> I hope this is the correct place to ask about this, but can someone 
>>> give
>>> me an example of blocking a certain application via the layer 7 patch
>>> and iproute/iptables?
>>>
>>> For more of a specific example, I'm trying to block certain instant
>>> messaging clients on my network, and I have yet to find a way to do it
>>> (using mark or otherwise).
>>>
>>> Any help would be greatly appreciated!
>> Iptables can look at the packet contents.  If you know how the clients 
>> are negotiating with the servers, you can block these packets.  Or try 
>> to find out the ports and ip addresses and block these.
>>
>> Stef
>>
> In patch-o-matic there is a module called string which matches if a string 
> is present in the payload.
> Maybe you could use that, but I can't say if it's stable or not.
>



-- 
Julien Gateaud
Security Keepers S.A.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
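As an added example (not code from this post, the LARTC project or iproute2): the hand conversion above, generalised to any byte string at any offset. Every key is emitted as a 4-byte-aligned `u32` whose mask covers only the pattern's own bytes, which is exactly what the kernel's `(data ^ value) & mask` comparison needs, so odd lengths and unaligned offsets need no separate `u16`/`u8` keys. The device `eth0`, `parent 1:0`, `flowid 1:10` and the sample string are constructed placeholders. One caveat the post's `nexthdr+position` glosses over: in tc-u32 the `nexthdr+` base only points at the transport payload when an earlier u32 filter in the chain has computed the IPv4 header length with a `link`/`offset` clause; without that, `nexthdr+N` is simply byte N of the IP header, so the generator lets you drop the prefix with `base=""` and supply an IP-header-relative offset instead.

```python
"""Build tc u32 'match' clauses for a byte pattern at a fixed offset.

Added example, not from the mailing-list post. Device, parent, flowid and
the sample pattern below are constructed placeholders.
"""
from typing import List, Tuple

# Constructed sample: the string from the post plus the trailing newline
# the post encoded as 0x0a.
SAMPLE_PATTERN = b"isthisstringpresent?\n"


def u32_keys(pattern: bytes, offset: int) -> List[Tuple[int, int, int]]:
    """Return (value, mask, at) triples, one per 4-byte window.

    'at' is the window's byte offset (always a multiple of 4) relative to the
    base the caller puts in the tc 'at' clause. The mask has 0xff in every
    byte that belongs to the pattern and 0x00 elsewhere, so bytes outside the
    pattern are ignored by the kernel's ((data ^ value) & mask) test.
    """
    if not pattern:
        return []
    start = offset - (offset % 4)      # align the first window down
    end = offset + len(pattern)        # one past the last pattern byte
    keys = []
    for window in range(start, end, 4):
        value = 0
        mask = 0
        for i in range(4):             # assemble the word big-endian
            pos = window + i
            value <<= 8
            mask <<= 8
            if offset <= pos < end:
                value |= pattern[pos - offset]
                mask |= 0xff
        keys.append((value, mask, window))
    return keys


def tc_filter(pattern: bytes, offset: int, dev: str = "eth0",
              parent: str = "1:0", flowid: str = "1:10",
              base: str = "nexthdr+") -> str:
    """Render a complete 'tc filter add' command for the pattern.

    'base' is prefixed to every offset. The post uses 'nexthdr+'; that base
    is only the transport payload when a preceding u32 filter with a
    'link'/'offset' clause has computed the IPv4 header length. Pass base=""
    for offsets relative to the IP header start.
    """
    lines = [f"tc filter add dev {dev} parent {parent} protocol ip prio 1 u32",
             "match ip protocol 6 0xff"]      # restrict to TCP
    for value, mask, at in u32_keys(pattern, offset):
        lines.append(f"match u32 0x{value:08x} 0x{mask:08x} at {base}{at}")
    lines.append(f"flowid {flowid}")
    return " \\\n\t".join(lines)


if __name__ == "__main__":
    # Reproduces the post's filter, with the final u8 key expressed as a
    # masked u32 at offset 20.
    print(tc_filter(SAMPLE_PATTERN, 0))
```

Because every key is a full-width word, the number of `match` clauses is bounded by ceil((offset mod 4 + len) / 4), and a pattern that ends mid-word costs nothing extra; this is also the form in which tc itself stores `u16`/`u8` keys after aligning them.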
