* iptables v1.3.4: STRING match: You must specify `--algo'
@ 2005-11-07 12:38 Jasbir Khehra
2005-11-08 1:01 ` Pablo Neira
0 siblings, 1 reply; 3+ messages in thread
From: Jasbir Khehra @ 2005-11-07 12:38 UTC (permalink / raw)
To: pablo, netfilter
Hi,
while running this command
# iptables -t nat -I PREROUTING -p tcp -s 192.168.2.20 -m string --hex-string '0d0a0d0a594d5347' -j REJECT
Not able to get the different options for the '--algo' parameter.
Kernel 2.6.14, iptables v1.3.4
Thanks - Jasbir
* Re: iptables v1.3.4: STRING match: You must specify `--algo'
From: Pablo Neira @ 2005-11-08 1:01 UTC (permalink / raw)
To: jasbir.k; +Cc: netfilter
Jasbir Khehra wrote:
> Hi,
> while running this command
> # iptables -t nat -I PREROUTING -p tcp -s 192.168.2.20 -m string --hex-string '0d0a0d0a594d5347' -j REJECT
>
> Not able to get the different options for the '--algo' parameter.
> Kernel 2.6.14, iptables v1.3.4
> Thanks - Jasbir
--algo [bm|kmp]
bm: Boyer-Moore
kmp: Knuth-Pratt-Morris
Those are the algorithms implemented at the moment.
BTW, you should do that in the raw table, not nat. Nobody should use the
nat table for filtering purposes.
--
Pablo
* Re: iptables v1.3.4: STRING match: You must specify `--algo'
From: Pablo Neira @ 2005-11-12 12:03 UTC (permalink / raw)
To: Jasbir Khehra; +Cc: netfilter
Jasbir Khehra wrote:
> On 11/8/05, Pablo Neira <pablo@eurodev.net> wrote:
>
> Jasbir Khehra wrote:
> > Hi,
> > while running this command
> > # iptables -t nat -I PREROUTING -p tcp -s 192.168.2.20 -m string --hex-string '0d0a0d0a594d5347' -j REJECT
> >
> > Not able to get the different options for the '--algo' parameter.
> > Kernel 2.6.14, iptables v1.3.4
> > Thanks - Jasbir
>
> --algo [bm|kmp]
>
> bm: Boyer-Moore
> kmp: Knuth-Pratt-Morris
>
> Those are the algorithms implemented at the moment.
>
> BTW, you should do that in the raw table, not nat. Nobody should use the
> nat table for filtering purposes.
>
> --
> Pablo
>
> Thanks Pablo for the reply and the "string" module :) . I redefined my
> rule now and after some googling found the right syntax for using the
> "--hex-string"
> # iptables -t raw -A PREROUTING -s $source_ip -m string --algo bm --hex-string "|0d 0a 59 4d 53 47|" -j DROP
> What's the initial position/counter for the "--from" parameter, 0 or 1,
> and does it start from the IP header?
Yes, the IP header. Use --from 0 for the initial position.
--
Pablo
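
An added example, not part of the original thread: a simplified Python model of how a pipe-delimited `--hex-string` pattern decodes to bytes and how `--from` offsets count from the first byte of the IP header, as discussed above. The parser is a simplification (no backslash escapes), the scan is assumed to run to the end of the packet, and the packet, addresses and ports are constructed sample data.

```python
import struct

def parse_hex_string(spec: str) -> bytes:
    """Simplified model of --hex-string decoding (assumption, not iptables'
    own parser): '|' toggles between literal ASCII and hex byte pairs."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("ascii")   # outside pipes: literal characters
        else:
            out += bytes.fromhex(chunk)    # inside pipes: "0d 0a" -> b"\r\n"
    return bytes(out)

def string_match(packet: bytes, pattern: bytes, from_offset: int = 0) -> int:
    """Offset of the first match starting at or after from_offset, or -1.
    Offset 0 is the first byte of the IP header; the scan is assumed to
    run to the end of the packet."""
    return packet.find(pattern, from_offset)

def build_packet(payload: bytes) -> bytes:
    """Constructed IPv4 + TCP packet: no options, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                     0, bytes([192, 168, 2, 20]), bytes([192, 168, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 40001, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload

# Constructed sample: 20-byte IP header, 20-byte TCP header, then the payload.
PACKET = build_packet(b"\r\nYMSG" + b"\x00" * 10)
PIPED = parse_hex_string("|0d 0a 59 4d 53 47|")    # pattern from the second rule
UNPIPED = parse_hex_string("0d0a0d0a594d5347")     # first rule: literal in this model

if __name__ == "__main__":
    print("piped pattern bytes:  ", PIPED)
    print("unpiped pattern bytes:", UNPIPED)
    # The payload begins at offset 40 when counting from the IP header.
    print("match with --from 0: ", string_match(PACKET, PIPED, 0))
    print("match with --from 41:", string_match(PACKET, PIPED, 41))
    print("unpiped match:       ", string_match(PACKET, UNPIPED, 0))
```
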