netfilter.vger.kernel.org archive mirror
* Match strings with periods
@ 2011-05-03 23:46 James Lay
From: James Lay @ 2011-05-03 23:46 UTC (permalink / raw)
  To: Netfilter

Hey all!

So...here's what I have:

LOG        udp  --  *      *       10.0.0.1            0.0.0.0/0
STRING match "myspace" ALGO name bm TO 65535 LOG flags 0 level 4 prefix `Myspace '
DROP       udp  --  *      *       10.0.0.1            0.0.0.0/0
STRING match "myspace" ALGO name bm TO 65535
LOG        udp  --  *      *       10.0.0.1            0.0.0.0/0
STRING match ".cc" ALGO name bm TO 65535 LOG flags 0 level 4 prefix `cc '
DROP       udp  --  *      *       10.0.0.1            0.0.0.0/0
STRING match ".cc" ALGO name bm TO 65535


Been trying to nuke DNS resolution for a couple domains.  The myspace
match works like a champ...can't resolve when I dig myspace.com.  The cc one
doesn't seem to work, and I suspect it's because of the . in the string.
I can't just match "cc", or else any domain name with a cc in it would
fail, so I'm attempting to match ".cc".  I tried different methods
(--hex-string "|2e|cc") but nothing seems to match.  Does anyone have any
hints on how to get this to work?  Thanks all!

James




* Re: Match strings with periods
From: /dev/rob0 @ 2011-05-04  2:15 UTC (permalink / raw)
  To: Netfilter

On Tue, May 03, 2011 at 05:46:19PM -0600, James Lay wrote:
> Been trying to nuke DNS resolution for a couple domains.
snip
> Does anyone have any
> hints on how to get this to work?  Thanks all!

Use an appropriate tool for the job, e.g., dnsmasq(8), available in 
most major GNU/Linux distributions. This would be trivial.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header


* Re: Match strings with periods
From: James Lay @ 2011-05-04 12:25 UTC (permalink / raw)
  To: Netfilter

On 5/3/11 8:15 PM, "/dev/rob0" <rob0@gmx.co.uk> wrote:

>On Tue, May 03, 2011 at 05:46:19PM -0600, James Lay wrote:
>> Been trying to nuke DNS resolution for a couple domains.
>snip
>> Does anyone have any
>> hints on how to get this to work?  Thanks all!
>
>Use an appropriate tool for the job, e.g., dnsmasq(8), available in
>most major GNU/Linux distributions. This would be trivial.
>-- 
>    Offlist mail to this address is discarded unless
>    "/dev/rob0" or "not-spam" is in Subject: header


Thanks Rob, I think that's exactly what I'll do.  My question still kinda
stands though...is it only possible to match ASCII strings?  Maybe since
it's udp?  Funny thing is, in my tests I could log pings by matching this:

sudo iptables -I INPUT -p icmp -m string --string "./012" --algo bm -j LOG \
  --log-prefix "ping test "

Packet below:
06:12:39.283417 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 8969,
seq 169, length 64
        0x0000:  4500 0054 0794 0000 4001 efc1 c0a8 0102  E..T....@.......
        0x0010:  c0a8 0101 0800 1099 2309 00a9 4dc1 42b7  ........#...M.B.
        0x0020:  0004 4835 0809 0a0b 0c0d 0e0f 1011 1213  ..H5............
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                                4567

Odd.


James
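
The two matches above behave as they do because of how DNS puts names on the wire, not because of the period and not because the traffic is UDP. A name is sent as length-prefixed labels terminated by a zero byte (RFC 1035, section 3.1): a query for example.cc carries the bytes 07 "example" 02 "cc" 00, so there is no 0x2e ('.') byte for --string ".cc" to find, and --hex-string "|2e|cc" encodes the very same three bytes and fails for the same reason. "myspace" is a whole label and matches as plain ASCII. The echo request in the dump really does carry the ASCII bytes 2e 2f 30 31 32 ("./012") in its data, which is why that rule fires. The Python below is an added example written for this page, not code from the thread or from the netfilter project: it builds DNS query payloads and the ping data from the dump, emulates the string match over them, and derives the --hex-string pattern that matches only where a name ends in a given TLD. The OUTPUT/--dport 53 rule it prints is an assumed placement, not the chain shown in the listing at the top of the thread, and every packet in it is constructed in the script.

```python
"""
Added example for this thread (editor's code, not from the list or from
netfilter): DNS query payloads versus `-m string` patterns.

Names in DNS packets are length-prefixed labels ending in a zero byte
(RFC 1035, section 3.1), so "example.cc" travels as 07 'example' 02 'cc' 00.
There is no '.' (0x2e) byte anywhere in the name, which is why --string ".cc"
and --hex-string "|2e|cc" never match, while "myspace" is a whole label and does.
All packets here are constructed in the script.
"""
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """UDP payload of a standard recursive query (QTYPE defaults to A, QCLASS IN)."""
    # ID, flags (only RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def string_match(payload: bytes, pattern: bytes, from_: int = 0, to: int = 65535) -> bool:
    """Emulate `-m string --from/--to`: is the byte pattern anywhere in the window?"""
    return payload[from_:to].find(pattern) != -1


def tld_pattern(tld: str) -> bytes:
    """Bytes that appear in a wire-format name only where it ends in <tld>."""
    raw = tld.encode("ascii")
    return bytes([len(raw)]) + raw + b"\x00"


def hex_string(pattern: bytes) -> str:
    """Render bytes in the `--hex-string "|..|"` notation iptables accepts."""
    return "|" + " ".join("%02x" % b for b in pattern) + "|"


def rule_for_tld(tld: str) -> str:
    """Assumed rule placement (OUTPUT, client side) dropping queries for names under <tld>."""
    return ('iptables -A OUTPUT -p udp --dport 53 -m string --algo bm '
            '--hex-string "%s" -j DROP' % hex_string(tld_pattern(tld)))


# Data part of the echo request in the dump: after the 8-byte ICMP header
# and the 8-byte timestamp, ping fills the rest with the bytes 0x08 .. 0x37.
PING_PAYLOAD = bytes(range(0x08, 0x38))


if __name__ == "__main__":
    cc = tld_pattern("cc")
    for name in ("myspace.com", "example.cc", "cc.example.com"):
        q = build_query(name)
        print("%-16s %s" % (name, q.hex()))
        print("    --string \".cc\": %s   --hex-string \"%s\": %s" % (
            string_match(q, b".cc"), hex_string(cc), string_match(q, cc)))
    print("ping data contains './012':", string_match(PING_PAYLOAD, b"./012"))
    print(rule_for_tld("cc"))
```

Running it shows that the query for example.cc never contains ".cc" but does contain 02 63 63 00, and that cc.example.com (where "cc" is not the last label) does not match the TLD pattern. The usual caveats for `-m string` still hold: it inspects one packet at a time, so the same four bytes could also occur in the answer section of a response or in unrelated UDP data, and DNS over TCP is not covered. Resolving the names to a sink address instead, for example dnsmasq's `address=/cc/127.0.0.1`, which answers every name under .cc, is the approach rob0 is pointing at.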



