string

string

[chima s]

Hi,

I want to deny brwsing the yahoo and if somebody try to access the any
yahoo url, it will redirect to another page from my local web server.

I added the below rule

iptables -t nat -I PREROUTING -p tcp -m string --string "yahoo" --algo
bm -j DNAT --to-destination xxx.xxx.xxx.xxx

and tried www.yahoo.com, i am able to open the yahoo page instaed of
redirected page.

Is the rule is proper or am i missing any thing.


Thanks and Regards
Chima

Re: string

[Eric Leblond]

Hi,

On Friday, 2008 October 17 at 20:00:04 +0530, chima s wrote:
> Hi,
> 
> I want to deny brwsing the yahoo and if somebody try to access the any
> yahoo url, it will redirect to another page from my local web server.
> 
> I added the below rule
> 
> iptables -t nat -I PREROUTING -p tcp -m string --string "yahoo" --algo
> bm -j DNAT --to-destination xxx.xxx.xxx.xxx

NAT table is only reached for the SYN packet. Thus you can match of the
GET which come later.

You should use a proxy to do so.

BR,
-- 
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/

Re: string

[Grant Taylor]

On 10/17/08 10:08, Eric Leblond wrote:
> NAT table is only reached for the SYN packet. Thus you can match of 
> the GET which come later.

*nod*

> You should use a proxy to do so.

Agreed.

-or-

You could also set up your own DNS server and use it to poison DNS for 
Yahoo.  Resolve any Yahoo domains to your own server that is set up to 
reply to any and all web pages.  Then configure that web server / page 
to issue a 302 redirect to the web page that you want people to see.



Grant. . . .

String

[David Cary Hart]

The string module seems like a great idea to filter some of the httpd
attacks. Is there any way to make it work in kernel 2.6.7? In the
alternative is there something else that might do similar filtering?

Thanks.
-- 
                            David Cary Hart
Hart's PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x58A60BB1

Re: String

[Antony Stone]

On Wednesday 30 June 2004 8:45 pm, David Cary Hart wrote:

> The string module seems like a great idea to filter some of the httpd
> attacks.

It may seem like a great idea, but it has limitations which (IMHO) mean it's 
just not worth using (for this sort of task).

The two major limitations are:

1. It will only match on a string which is completely contained within one 
packet - therefore a string "GET /index.html" which has the "GET " at the end 
of one packet, and the "/index.html" at the start of the next will not be 
matched.

2. The string match works on literal text characters, and therefore will not 
match anything at all for a gzip-compressed HTTP stream (quite commonly 
encountered with modern servers).

> In the alternative is there something else that might do similar filtering?

Yes, Squid, Dan's Guardian - something which truly understands HTTP, rather 
than just TCP/IP.

Regards,

Antony.

-- 
The difference between theory and practice is that in theory there is no 
difference, whereas in practice there is.

                                                     Please reply to the list;
                                                           please don't CC me.