From mboxrd@z Thu Jan 1 00:00:00 1970
From: Julien Gateaud
Date: Fri, 29 Aug 2003 09:09:00 +0000
Subject: Re: [LARTC] Layer 7 application blocking via tc/iptables?
Message-Id:
List-Id:
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

On Fri, 29 Aug 2003 13:56:58 +0530, S Mohan wrote:

Yes, but it's not simple, because u32 can match at most 32 bits at a fixed offset. So if you want to check for a string in the layer 7 data you must know at which position it may appear, convert the string you want to check into hexadecimal numbers and create a filter like this:

string : "isthisstringpresent?"
hexadecimal representation : 69 73 74 68 69 73 73 74 72 69 6e 67 70 72 65 73 65 6e 74 3f 0a

filter :
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 \
        match ip protocol 6 0xff \
        match u32 0x69737468 0xffffffff at nexthdr+position \
        match u32 0x69737374 0xffffffff at nexthdr+position+4 \
        match u32 0x72696e67 0xffffffff at nexthdr+position+8 \
        match u32 0x70726573 0xffffffff at nexthdr+position+12 \
        match u32 0x656e743f 0xffffffff at nexthdr+position+16 \
        match u8 0x0a 0xff at nexthdr+position+20 \
        flowid ...

Using the string iptables module is much easier and doesn't require knowing the string's position.

> From the docs I've read, the U32 classifier itself can do this. May be
> worthwhile investigating.
>
> Mohan
>
> -----Original Message-----
> From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On
> Behalf Of Julien Gateaud
> Sent: Friday, August 29, 2003 1:07 PM
> To: Stef Coene; Derek; lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Layer 7 application blocking via tc/iptables?
>
>
> On Thu, 28 Aug 2003 19:54:41 +0200, Stef Coene wrote:
>
>> On Wednesday 27 August 2003 22:25, Derek wrote:
>>> Hi All,
>>>
>>> I hope this is the correct place to ask about this, but can someone
>>> give me an example of blocking a certain application via the layer 7 patch
>>> and iproute/iptables?
>>>
>>> For more of a specific example, I'm trying to block certain instant
>>> messaging clients on my network, and I have yet to find a way to do it
>>> (using mark or otherwise).
>>>
>>> Any help would be greatly appreciated!
>> Iptables can look at the packet contents. If you know how the clients
>> are negotiating with the servers, you can block these packets. Or try
>> to find out the ports and IP addresses and block these.
>>
>> Stef
>>
> In patch-o-matic there is a module called string which matches if a string
> is present in the payload.
> Maybe you could use that, but I can't say if it's stable or not.
>
> --
> Julien Gateaud
> Security Keepers S.A.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
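The hand conversion Julien describes (cut the string into 32-bit words, hex-encode each word, emit one `match u32 <value> 0xffffffff at <offset>` per word, and use a narrower selector for the tail) is mechanical, so here is a small generator for it. This is an added example, not code from the post or from the iproute2 project. It assumes plain byte offsets as tc u32 counts them for a `protocol ip` filter (from the start of the IP header) and that the caller already knows the fixed offset at which the string can appear; the `flowid 1:10` default and the offset of 40 in the demo (an IPv4 header plus a TCP header, neither carrying options) are constructed values. Unlike the post, it also handles tails of 2 or 3 bytes, using `u16` and `u8` selectors so every emitted clause carries a full mask.

```python
#!/usr/bin/env python3
"""Build tc u32 'match' clauses that test for a payload string at a fixed offset.

Added example, not code from the original mailing-list post. It mechanises
the hand conversion in the reply: split the string into 32-bit words, hex
encode each word, emit 'match u32 <value> 0xffffffff at <offset>' per word,
and cover a 1-3 byte tail with u16/u8 selectors. Because tc evaluates every
'match' clause of one filter with AND semantics, the clauses together test
for the whole string.

Assumption (not from the post): offsets are the plain byte offsets tc u32
uses for a 'protocol ip' filter, counted from the start of the IP header.
"""

# Selector keyword for each chunk width in bytes.
_SELECTOR = {4: "u32", 2: "u16", 1: "u8"}


def u32_matches(payload: bytes, offset: int) -> list[str]:
    """Return the tc u32 'match' clauses that test for `payload` at `offset`.

    Chunks are taken greedily: 4 bytes while possible, then 2, then 1, so a
    3-byte tail becomes one u16 clause followed by one u8 clause.
    """
    clauses = []
    pos = 0
    while pos < len(payload):
        remaining = len(payload) - pos
        width = 4 if remaining >= 4 else 2 if remaining >= 2 else 1
        chunk = payload[pos:pos + width]
        # tc compares the value in network byte order, so the hex of the raw
        # bytes is exactly the value to write (0x69737468 == b"isth").
        value = "0x" + chunk.hex()
        mask = "0x" + "ff" * width
        clauses.append(f"match {_SELECTOR[width]} {value} {mask} at {offset + pos}")
        pos += width
    return clauses


def tc_filter_command(payload: bytes, offset: int, dev: str = "eth0",
                      parent: str = "1:0", prio: int = 1,
                      flowid: str = "1:10") -> str:
    """Assemble the full 'tc filter add' command, one clause per continued line.

    The flowid default is a constructed placeholder; point it at a real class.
    """
    parts = [f"tc filter add dev {dev} parent {parent} protocol ip prio {prio} u32",
             # Only look at TCP segments (IP protocol number 6).
             "match ip protocol 6 0xff"]
    parts += u32_matches(payload, offset)
    parts.append(f"flowid {flowid}")
    return " \\\n    ".join(parts)


if __name__ == "__main__":
    # The string from the post at a constructed offset of 40: an IPv4 header
    # plus a TCP header when neither carries options. Any IP or TCP option
    # shifts the payload and the fixed-offset match silently stops firing.
    print(tc_filter_command(b"isthisstringpresent?\n", 40))
```

Running it with the post's string reproduces the five `u32` words and the trailing `u8 0x0a` clause from the reply. The demo also shows the weakness the reply alludes to: a fixed-offset match only sees the bytes at that one position, so a string that shifts by a header option or appears later in the stream is not matched, which is why the `string` iptables module is the easier tool for this job.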