* ipt_string
From: Linux Query @ 2004-09-20 18:46 UTC
To: netfilter
Hi !
I am new to Linux and networking. However, I have set up a router on a Red Hat 9 machine and am using htb.init + Squid delay pools for bandwidth limiting. But I would like to do away with Squid, since I am just using it for the delay pools feature in order to limit downloading based on keywords such as .exe, .mp3, .mpeg, etc. The other day I came to know about the ipt_string module through a Google search and am wondering if that's what I am looking for. I am looking for something with which I can mark packets based on keywords and then limit the bandwidth for such packets with HTB. Is the ipt_string module suitable for this? If not, then please suggest an alternative.
Regards,
Jim.
^ permalink raw reply [flat|nested] 15+ messages in thread
* RE: ipt_string
From: Rob Sterenborg @ 2004-09-20 19:04 UTC
To: netfilter
netfilter-bounces@lists.netfilter.org wrote:
> Hi !
>
> I am new to linux and networking. However I have set up a
> router on a redhat 9 machine and am using htb.init + squid
> delay pools for bandwidth limiting. But I would like to do
> away with squid since I am just using it for the delay pools
> feature in order to limit downloading based on keywords such
> as .exe .mp3 .mpeg etc. The other day I came to know about
> the ipt_string module through google search and am wondering
> if that's what I am looking for. I am looking for something
> with which I can mark packets based on keywords and then
> limit the bandwidth for such packets with htb. Is the
> ipt_string module suitable for this ? If not, then please suggest an
> alternative.
In this case ipt_string is not what you want: you can only match a
string within a packet. If a string exceeds the packet size (which will
likely be the case), it won't work.
The best thing I can think of is what you are already doing: use Squid,
but someone else may have other options.
Gr,
Rob
* Re: ipt_string
From: Aleksandar Milivojevic @ 2004-09-20 19:19 UTC
To: netfilter
Linux Query wrote:
> Hi !
>
> I am new to Linux and networking. However, I have set up a router on a Red Hat 9 machine and am using htb.init + Squid delay pools for bandwidth limiting. But I would like to do away with Squid, since I am just using it for the delay pools feature in order to limit downloading based on keywords such as .exe, .mp3, .mpeg, etc. The other day I came to know about the ipt_string module through a Google search and am wondering if that's what I am looking for. I am looking for something with which I can mark packets based on keywords and then limit the bandwidth for such packets with HTB. Is the ipt_string module suitable for this? If not, then please suggest an alternative.
Netfilter isn't really the right tool to do application level filtering.
It is a great tool, but it is designed to work on lower level protocols.
You can try using ipt_string, but you will run into serious limitations.
ipt_string operates on a single packet. If the string you are trying to
match is (for whatever reason) broken into multiple packets, ipt_string
will not find it. Also, ipt_string does not know anything about
application level protocols (such as HTTP). If it finds ".exe" anywhere
in the packet's payload, it will match (whereas Squid will match only if
it is part of the URL, and you can specify that it must be at the end of the
URL).
If I were you, I'd stick with Squid to do application level filtering.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca>
Systems Administrator
Pollard Banknote Limited, 1499 Buffalo Place, Winnipeg, MB R3T 1L7
Tel: (204) 474-2323 ext 276
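Aleksandar's point above, that a raw payload match has no idea where in an HTTP request a keyword sits, as an added example that is not part of the thread. It contrasts an ipt_string-style substring search over a packet payload with a Squid-style check anchored to the end of the request URL. All requests are constructed samples, and the request-line parser is a minimal stand-in written for this demonstration, not Squid's or netfilter's code.

```python
# Added example (not from the thread): ipt_string-style payload search versus
# an HTTP-aware check on the request URL. Every request below is constructed.
import re
from urllib.parse import urlsplit

KEYWORDS = (".exe", ".mp3", ".mpeg")


def payload_match(payload: bytes, keywords=KEYWORDS) -> bool:
    """ipt_string semantics: any keyword, anywhere in the packet payload,
    case-sensitive, with no notion of request line, header or body."""
    return any(k.encode() in payload for k in keywords)


def request_path(payload: bytes):
    """Return the URL path of an HTTP request line, or None when the payload
    is not a parseable request (a binary blob, a response, a continuation
    packet of a body, ...). Minimal stand-in for a proxy's request parser."""
    first_line, _, _ = payload.partition(b"\r\n")
    parts = first_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    target = parts[1].decode("latin-1")
    # urlsplit handles both origin-form "/x.exe" and absolute "http://h/x.exe"
    return urlsplit(target).path


_URL_RE = re.compile(r"\.(exe|mp3|mpeg)$", re.IGNORECASE)


def url_match(payload: bytes) -> bool:
    """Squid-style semantics: the keyword must terminate the URL path
    (query string and body are ignored, case does not matter)."""
    path = request_path(payload)
    return path is not None and _URL_RE.search(path) is not None


# Constructed samples: (payload match, URL match) differ on four of five.
SAMPLES = {
    "download":   b"GET /files/setup.exe HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "query_only": b"GET /search?q=setup.exe HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "text_body":  (b"POST /comment HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Length: 26\r\n\r\nrun notepad.exe to open it"),
    "not_http":   b"\x00\x01hello .mp3 world",
    "upper":      b"GET /Song.MP3 HTTP/1.0\r\n\r\n",
}


def compare(samples=SAMPLES):
    """Map each sample name to (payload_match, url_match)."""
    return {name: (payload_match(p), url_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:11s} payload={verdict[0]!s:5s} url={verdict[1]}")
```

Only the real download is flagged by both checks. The payload search also fires on a search query, on a comment body and on a non-HTTP packet that merely contain the bytes, and it misses an upper-case filename, which is exactly the behaviour a user who wants "limit downloads of .exe files" does not want from a shaping rule.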
* Re: ipt_string
From: Linux Query @ 2004-09-20 20:05 UTC
To: netfilter
Thanks for the replies!
I already feel discouraged about ipt_string. But it would be so much nicer to be able to mark packets based on KEYWORDS with IPTABLES, not only to limit bandwidth but also to do other things such as redirecting traffic to different gateways depending on such keywords.
By the way, I just saw the l7-filter website ---> l7-filter.sourceforge.net. Can this be a better solution?
Regards,
Jim.
* ipt_string
From: Linux Query @ 2004-09-21 6:57 UTC
To: netfilter
Well, but I still want to try out ipt_string, if only
just for the experience. I have never done things like
patching or kernel recompilation so far. Can anybody
please point me to some step by step guide for making
ipt_string work in Red Hat 9, please.
Regards,
Jim.
* RE: ipt_string
From: Daniel Chemko @ 2004-09-20 21:43 UTC
To: Linux Query, netfilter
Linux Query wrote:
> Daniel Chemko <dchemko@smgtec.com> wrote:
>
>> Or even better, use Snort-inline to detect infiltrations and use its
>> built-in response engine to drop the packets.
>
> Didn't know about snort. Does it support string matching ?
>
Snort's generally used for intrusion detection, but it is basically one
big string matching program a lot like l7filter that you mentioned in an
earlier post. I couldn't say which one is better suited for your needs.
Snort-inline does take some hand-holding to get started, but I believe
that more intrusions will be caught through Snort than you adding rules
ad hoc to l7filter.
* RE: ipt_string
From: David Cary Hart @ 2004-09-21 2:32 UTC
To: netfilter
On Mon, 2004-09-20 at 17:43, Daniel Chemko wrote:
> Linux Query wrote:
> > Didn't know about snort. Does it support string matching ?
> >
> Snort's generally used for intrusion detection, but it is basically one
> big string matching program a lot like l7filter that you mentioned in an
> earlier post. I couldn't say which one is better suited for your needs.
>
> Snort-inline does take some hand-holding to get started, but I believe
> that more intrusions will be caught through snort than you adding rules
> adhoc to l7filter.
You might also want to take a look at mod_security for HTTPD protection.
This is a string matcher that allows you to redirect or drop web
attacks independent of IPT. You can even convert Snort rules.
BTW, one approach with Snort is to use Swatch to execute rule scripts
for IPT.
* RE: ipt_string
From: Linux Query @ 2004-09-21 6:44 UTC
To: NetFilter List
I am learning things :) Thanks! I will try to learn
about Snort and mod_security as soon as I can.
regards,
jim.
David Cary Hart <DCH@TQMcube.com> wrote:
> On Mon, 2004-09-20 at 17:43, Daniel Chemko wrote:
> > Linux Query wrote:
> > > Didn't know about snort. Does it support string matching ?
> > >
> > Snort's generally used for intrusion detection, but it is basically one
> > big string matching program a lot like l7filter that you mentioned in an
> > earlier post. I couldn't say which one is better suited for your needs.
> >
> > Snort-inline does take some hand-holding to get started, but I believe
> > that more intrusions will be caught through Snort than you adding rules
> > ad hoc to l7filter.
>
> You might also want to take a look at mod_security for HTTPD protection.
> This is a string matcher that allows you to redirect or drop web
> attacks independent of IPT. You can even convert Snort rules.
>
> BTW, one approach with Snort is to use Swatch to execute rule scripts
> for IPT.
* RE: ipt_string
From: Daniel Chemko @ 2004-09-20 19:44 UTC
To: Aleksandar Milivojevic, netfilter
> You can try using ipt_string, but you will run into serious
> limitations. ipt_string operates on a single packet. If the string
> you are trying to match is (for whatever reason) broken into multiple
> packets, ipt_string will not find it. Also, ipt_string does not know
> anything about application level protocols (such as HTTP). If it
> finds ".exe" anywhere in the packet's payload, it will match (whereas
> Squid will match only if it is part of URL, and you can specify that
> it must be at the end of the URL).
>
> If I were you, I'd stick with Squid to do application level filtering.
Or even better, use Snort-inline to detect infiltrations and use its
built-in response engine to drop the packets.
* RE: ipt_string...
From: Daniel Chemko @ 2004-05-06 18:01 UTC
To: netfilter
> I would recommend you look at solutions which work at the application
> layer instead of the network routing layer for this sort of thing.
> Depending on exactly what it is you're trying to do, Snort might be a
> good place to start.
That reminds me:
Has anyone built snort-inline to work with RH9? Building turned ugly and
I gave up in futility. If you've done it, please list some info. Note:
Latest kernel with POM
* RE: ipt_string...
From: Daniel Chemko @ 2004-05-06 17:58 UTC
To: udo, netfilter
If you expect the string data on a specific port, you can narrow down
the number of packets searched. Basically, the best way to cut down CPU
is the ability to tell what 'isn't' in the string. E.g., if your traffic
is some unknown protocol, anything RELATED doesn't need to get string
matched. If you're just doing firewall based content filtering (not
ideal), then you'd just use the string match on inbound tcp spt 80 and
block tcp spt 443.
As for the size of the string, I highly doubt that having different
string lengths would make much of a performance hit. The search still
has to traverse the entire packet regardless of how long the string is.
The developer may say differently, but I don't see an advantage of
either way.
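Daniel's first point above, that the cheap header and connection-state tests should run before the string search so that only the packets which can contain the data get scanned, as an added example that is not from the list. It is a toy first-match-wins chain that charges the string search only for packets that reach it, run over a constructed traffic mix; the rule targets, packet fields and counters are invented for the demonstration, and the port 443 drop follows the post's own suggestion rather than any netfilter default.

```python
# Added example (not from the thread): how much payload a string match has to
# scan under a naive chain versus one that filters by protocol, port and
# conntrack state first. Packets and rule targets are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    state: str          # conntrack state: NEW, ESTABLISHED or RELATED
    payload: bytes


@dataclass
class Rule:
    target: str                                  # verdict if the rule matches
    cheap: List[Callable[[Packet], bool]]        # header/state tests, tried first
    string: Optional[bytes] = None               # payload search, tried last


@dataclass
class Cost:
    packets_scanned: int = 0
    bytes_scanned: int = 0


def run_chain(chain: List[Rule], packets: List[Packet]) -> Tuple[Dict[int, str], Cost]:
    """First matching rule wins, as in iptables; a packet that matches no rule
    gets the chain policy. The string search is charged only when every
    cheap test on the same rule has already passed (iptables short-circuits
    a rule's matches the same way)."""
    verdicts, cost = {}, Cost()
    for i, pkt in enumerate(packets):
        verdicts[i] = "POLICY"
        for rule in chain:
            if not all(test(pkt) for test in rule.cheap):
                continue
            if rule.string is not None:
                cost.packets_scanned += 1
                cost.bytes_scanned += len(pkt.payload)
                if rule.string not in pkt.payload:
                    continue
            verdicts[i] = rule.target
            break
    return verdicts, cost


HTTP_REPLY = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Disposition: attachment; filename=setup.exe\r\n\r\n")

# Constructed traffic mix arriving on the router's inbound chain.
PACKETS = [
    Packet("udp", 53, 40001, "ESTABLISHED", b"\x00" * 1200),   # DNS reply
    Packet("tcp", 443, 40002, "ESTABLISHED", b"\x00" * 1400),  # TLS, opaque
    Packet("tcp", 80, 40003, "NEW", b""),                      # SYN-ACK
    Packet("tcp", 80, 40003, "ESTABLISHED", HTTP_REPLY),       # the download
    Packet("tcp", 80, 40004, "ESTABLISHED", b"\x00" * 1460),   # HTTP body
    Packet("tcp", 20, 40005, "RELATED", b"\x00" * 1460),       # FTP data
]

# Naive chain: every packet reaches the string match.
NAIVE = [Rule("MARK", [], b".exe")]

# Tuned chain following the post: leave the chain early for anything that
# is not established traffic from server port 80; drop port 443 outright
# because it cannot be inspected.
TUNED = [
    Rule("RETURN", [lambda p: p.proto != "tcp"]),
    Rule("DROP",   [lambda p: p.proto == "tcp", lambda p: p.sport == 443]),
    Rule("RETURN", [lambda p: p.state != "ESTABLISHED"]),
    Rule("RETURN", [lambda p: p.sport != 80]),
    Rule("MARK",   [], b".exe"),
]


if __name__ == "__main__":
    for name, chain in (("naive", NAIVE), ("tuned", TUNED)):
        verdicts, cost = run_chain(chain, PACKETS)
        print(name, verdicts, cost)
```

Both chains mark the same download packet; the tuned chain scans two packets instead of six and never touches the DNS, TLS or FTP-data payloads. The ordering matters more than the pattern length: every byte of every packet that reaches the string rule is searched, so the cheap tests decide the CPU bill.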
* ipt_string...
From: udo @ 2004-05-06 17:26 UTC
To: netfilter
Hello,
Does the string match work better (use less CPU)
when matching long patterns, or is it better to keep
the patterns as short as possible?
Or in other words: how can I use as many matches as
possible without hitting the CPU too much?
Kind regards,
Udo
* Re: ipt_string...
From: Antony Stone @ 2004-05-06 17:43 UTC
To: netfilter
On Thursday 06 May 2004 6:26 pm, udo wrote:
> Hello,
>
> Does the string match work better (use less CPU)
> when matching long patterns, or is it better to keep
> the patterns as short as possible?
My advice is not to use the string match at all, or if you do, remember that
it will not be 100% effective.
The reason is that the match works on IP packets, not on connection streams,
and therefore if you wanted to match my name "Antony Stone", and it turned
out that my first name was at the end of one packet, and my second name was
at the start of the next packet, the match would fail - netfilter would not
trigger in this situation.
I would recommend you look at solutions which work at the application layer
instead of the network routing layer for this sort of thing. Depending on
exactly what it is you're trying to do, Snort might be a good place to start.
Regards,
Antony.
--
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.
Please reply to the list;
please don't CC me.
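The "Antony Stone" case above (the same limitation Rob and Aleksandar raise in the September thread), as an added example that is not taken from the list: a pattern that straddles a segment boundary is invisible to a per-packet search, while a matcher that carries the last len(pattern)-1 bytes of the previous segment into the next one still finds it. The byte stream, the split points and all function names are constructed for the demonstration; nothing here is netfilter's or ipt_string's code.

```python
# Added example (not from the thread): per-packet matching misses a pattern
# split across two segments; a carry-over window catches it. All inputs are
# constructed for the demonstration.
from typing import Iterable, List


def segment(stream: bytes, sizes: Iterable[int]) -> List[bytes]:
    """Cut a byte stream into segment payloads of the given sizes; whatever
    is left after the last size becomes one more segment."""
    out, pos = [], 0
    for n in sizes:
        out.append(stream[pos:pos + n])
        pos += n
    if pos < len(stream):
        out.append(stream[pos:])
    return out


def per_packet_match(segments: List[bytes], pattern: bytes) -> List[int]:
    """ipt_string semantics: each packet is searched on its own.
    Returns the indices of the packets that contain the pattern."""
    return [i for i, seg in enumerate(segments) if pattern in seg]


def stream_match(segments: List[bytes], pattern: bytes) -> List[int]:
    """Stream semantics on a per-packet budget: prepend the tail of the
    previous segment (len(pattern)-1 bytes, the most that can belong to a
    straddling occurrence) before searching the current one. Returns the
    indices of the packets at which an occurrence completes."""
    hits, carry = [], b""
    for i, seg in enumerate(segments):
        window = carry + seg
        if pattern in window:
            hits.append(i)
        carry = window[-(len(pattern) - 1):] if len(pattern) > 1 else b""
    return hits


def attacker_split(stream: bytes, pattern: bytes, mss: int = 1460) -> List[bytes]:
    """Deliberately put a segment boundary in the middle of the first
    occurrence of pattern, the evasion the 'Antony Stone' example describes.
    Falls back to a plain MSS-sized split when the pattern is absent."""
    idx = stream.find(pattern)
    if idx < 0:
        return segment(stream, [mss])
    cut = idx + len(pattern) // 2
    return [stream[:cut], stream[cut:]]


# Constructed request: a single packet in the normal case.
STREAM = (b"GET /downloads/setup.exe HTTP/1.1\r\n"
          b"Host: example.test\r\n\r\n")


if __name__ == "__main__":
    for label, segs in (("normal", segment(STREAM, [1460])),
                        ("split", attacker_split(STREAM, b".exe"))):
        print(label, [len(s) for s in segs],
              "per-packet:", per_packet_match(segs, b".exe"),
              "stream:", stream_match(segs, b".exe"))
```

A client can force the split itself (a small send buffer, a tiny MSS, or just writing the request in two calls), so a per-packet keyword rule is trivially bypassed by whoever it is meant to limit. The carry-over window closes only the boundary case; a real stream-aware matcher also has to cope with retransmission, overlap and out-of-order segments, which is the work a proxy or a conntrack-based stream engine does and a packet filter cannot.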
* ipt_string...
From: udo @ 2004-05-06 17:24 UTC
To: netfilter
Hello
* ipt_string
From: Rafael Silva Guimarães @ 2003-05-06 15:52 UTC
To: netfilter
How do I add the libipt_string library when compiling iptables-1.2.8?
Rafael Silva Guimarães
http://www.infomania.com.br
Technical support