Subject:
[krishnakumarmec99@gmail.com: a guide written by me.(How to do
strings based network filtering with iptables on 2.6.x kernels)]
From:
Machtelt Garrels ####@####.####
Date:
5 Nov 2007 10:11:29 +0000
Message-Id: <20071105101059.GF25417@garrels.be>
Who can review this?
Please contact me.
Machtelt.
--
Machtelt Garrels ####@####.####
Review Coordinator http://www.tldp.org/authors/
My Penguin, my freedom. http://tille.xalasys.com
----- Forwarded message from Krishna Kumar ####@####.#### -----
From: Krishna Kumar ####@####.####
To: ####@####.####
Subject: a guide written by me.(How to do strings based network filtering with
iptables on 2.6.x kernels)
Hello TLDP,
I am Krishnakumar, a Linux administrator from India. I have written a note
on how to use the string-based network filtering option of iptables on new
kernels.
I am looking forward to your review process. I got a previous review
result that the document is not in very user-friendly language, and that
the algorithms should not be given, but only the reference link, etc. I am
looking forward to your valuable review. Thank you.
The article is attached in simple html format.
Regards,
Krishnakumar
How to do strings based network filtering with iptables on 2.6.x kernels
----------------------------------------------------------------------
The iptables firewall in 2.6.x kernels can be used more effectively to
defend against TCP attacks and unwanted connections. These kernels include
support for matching strings anywhere in an IP packet, inspecting the
packet payload as well as the headers, whereas the older matches looked
only at the IP and transport headers. Rules built on the string match are
easy to write. This article introduces the method to a reader who has a
basic idea of networking and iptables.
Requirements.
1. Preferred kernel version : 2.6.18 or later.
2. The iptables program installed on your machine.
3. The kernel should be compiled with string matching support. That is,
   the .config file used to build the kernel should contain the line
   CONFIG_NETFILTER_XT_MATCH_STRING=m (or =y, in which case the match is
   built into the kernel image and no module is needed).
If you use a pre-compiled kernel, check for this line in the config file of
the running kernel in your /boot directory (usually /boot/config-<version>).
The value m means that the netfilter string match is compiled as a module,
named xt_string. Make sure that the module is loaded (using the lsmod
command, or by looking for an xt_string entry in /proc/modules). On most
systems it is loaded automatically when a rule using -m string is added; if
not, load it with modprobe xt_string.
If iptables is installed with string matching support, you can see the
string match options in its man page. You can also ask the binary itself:
>iptables -m string --help
The output should list the --algo, --from, --to, --string and --hex-string
options.
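The three requirements above can be checked from a script. The following is an added example and not part of the original article; every function takes the file it inspects as an optional argument (the default paths /boot/config-<version> and /proc/modules are the usual ones), so the checks can also be pointed at a copy of a config or module list.

```shell
#!/bin/sh
# Added example, not part of the original article: check the requirements
# for the iptables string match on the running system.  File locations are
# parameters so the functions can be tested against any config or module
# listing; the defaults are the usual locations.

CONFIG_OPT=CONFIG_NETFILTER_XT_MATCH_STRING

# Print "builtin", "module" or "absent" according to how the kernel config
# sets CONFIG_NETFILTER_XT_MATCH_STRING (y, m, or not set / file unreadable).
string_match_build_type() {
    cfg=${1:-/boot/config-$(uname -r)}
    if grep -q "^${CONFIG_OPT}=y\$" "$cfg" 2>/dev/null; then
        echo builtin
    elif grep -q "^${CONFIG_OPT}=m\$" "$cfg" 2>/dev/null; then
        echo module
    else
        echo absent
    fi
}

# Return 0 if the xt_string module is listed in a /proc/modules style file.
xt_string_loaded() {
    grep -q '^xt_string ' "${1:-/proc/modules}" 2>/dev/null
}

# Return 0 if the installed iptables binary knows the string match
# (the match's --help output lists the --algo option).
iptables_has_string_match() {
    iptables -m string --help 2>/dev/null | grep -q -- '--algo'
}

# Human-readable summary; always returns 0 so it is safe under "set -e".
report() {
    cfg=${1:-/boot/config-$(uname -r)}
    case $(string_match_build_type "$cfg") in
        builtin) echo "kernel: string match built in ($cfg)" ;;
        module)
            echo "kernel: string match is a module ($cfg)"
            if xt_string_loaded; then
                echo "module: xt_string is loaded"
            else
                echo "module: xt_string not loaded; try: modprobe xt_string"
            fi ;;
        absent)  echo "kernel: $CONFIG_OPT not set, or $cfg unreadable" ;;
    esac
    if iptables_has_string_match; then
        echo "iptables: string match supported"
    else
        echo "iptables: no string match (binary missing, too old, or not root)"
    fi
    return 0
}

report "$@"
```

Run it as root so that iptables can load its match library; an optional argument names a config file other than the running kernel's. The search algorithms themselves live in the ts_bm and ts_kmp modules on these kernels and are requested on demand the first time a rule names them, so they do not need to be checked separately.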
The match is documented to work on kernels from 2.6.14 onwards, but it is a
bit difficult to get it working on kernels before 2.6.18; customising the
kernel and iptables is required in those cases. The necessary tweaking for
older kernels could be detailed in another article if there is demand. We
reproduce the relevant section from the iptables(8) man page:
string
    This modules matches a given string by using some pattern matching
    strategy. It requires a linux kernel >= 2.6.14.
    --algo bm|kmp
        Select the pattern matching strategy. (bm = Boyer-Moore,
        kmp = Knuth-Pratt-Morris)
    --from offset
        Set the offset from which it starts looking for any matching. If
        not passed, default is 0.
    --to offset
        Set the offset to which it starts looking for any matching. If not
        passed, default is the packet size.
    --string pattern
        Matches the given pattern.
    --hex-string pattern
        Matches the given pattern in hex notation.
In iptables 1.3.5 you must specify the algorithm with the --algo option;
there is no default. Two algorithms are available, Boyer-Moore and
Knuth-Morris-Pratt. Boyer-Moore is efficient and fast and can be used in
most cases; Knuth-Morris-Pratt guarantees a linear-time scan of the packet
whatever the pattern. The search can be limited to part of the packet with
the --from and --to offsets, which are counted in bytes from the start of
the IP header, so --from 40 skips a plain IPv4 header and a TCP header
without options. Note that --string is case-sensitive in this version, and
that the match is applied to each packet on its own.
For those who are curious, the Wikipedia descriptions of the two
algorithms are given here. Refer to the corresponding Wikipedia articles
for more explanation.
i)Boyer-Moore Algorithm.
The Boyer-Moore string search algorithm is a particularly efficient string
searching algorithm. It was developed by Bob Boyer and J Strother Moore in
1977. The algorithm pre-processes the target string (key) that is being
searched for, but not the string being searched (unlike some algorithms
which pre-process the string to be searched, and can then amortize the
expense of the preprocessing by searching repeatedly). The execution time
of the Boyer-Moore algorithm can actually be sub-linear: it doesn't need
to actually check every character of the string to be searched but rather
skips over some of them. Generally the algorithm gets faster as the key
being searched for becomes longer. Its efficiency derives from the fact
that, with each unsuccessful attempt to find a match between the search
string and the text it's searching in, it uses the information gained from
that attempt to rule out as many positions of the text as possible where
the string could not match.
ii)Knuth-Morris-Pratt Algorithm.
The Knuth-Morris-Pratt string searching algorithm searches for occurrences
of a "word" W within a main "text string" S by employing the observation
that when a mismatch occurs, the word itself embodies sufficient
information to determine where the next match could begin, thus bypassing
re-examination of previously matched characters. The algorithm was
conceived in 1970 by Knuth and Pratt and, independently, by J. H. Morris;
the three published it jointly in 1977.
Useful Example Rules:
iptables -I INPUT 1 -m string --string "cmd.exe" --algo bm -j DROP
iptables -I INPUT 1 -m string --string "domain.com" --algo kmp -j DROP
The first rule drops every incoming packet containing the string cmd.exe
anywhere in it, and the second drops every incoming packet containing
domain.com. Note what the second rule does and does not catch: it matches
the literal bytes, so an HTTP request carrying a Host: domain.com header is
dropped, but a DNS query for domain.com is not, because DNS puts names on
the wire as length-prefixed labels without dots (--hex-string is the tool
for such cases). The other iptables matches and options can be combined
with the string match as required, and normally should be, to restrict it
to a protocol, port or interface.
Matching strings can be used in numerous cases to drop intruder and spam
packets before they reach the server. Suppose the mail server is receiving
many spoofed mails that share a distinctive subject line. A rule of the
following form can be added to the firewall so that the mail server is not
overloaded by these mails. The pattern must be the distinctive text itself,
for instance the whole "Subject: ..." line; a pattern of just "Subject"
would drop every legitimate message as well, since each of them carries
that header.
iptables -I INPUT -p tcp --dport 25 -m string --string "Subject: <the spam subject>" --algo bm -j DROP
Bear in mind that the rule drops a single TCP segment inside an established
SMTP session: the sending host retransmits the same segment until the
connection times out, which is acceptable for spam but ties up resources on
both ends, so REJECT with --reject-with tcp-reset is sometimes preferable.
The same rule can be given less overhead by limiting the search with offset
values. The offsets apply to each packet separately and are counted from
the start of the IP header, so a limit larger than the MTU (1500 bytes on
Ethernet) does not restrict anything. A limit that covers the headers plus
the first few hundred bytes of payload is usually enough to find a header
line at the beginning of a DATA segment:
iptables -I INPUT -p tcp --dport 25 -m string --string "Subject: <the spam subject>" --algo bm --to 600 -j DROP
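The rules above can be generated from a small set of shell functions, which also covers the case the plain --string rule misses (a DNS name in wire format). The following is an added example and not code from the original article; the helper names, the 1500-byte cap and the spam subject line are assumptions and constructed data. Rules are printed rather than applied, so the script can be run and inspected without root.

```shell
#!/bin/sh
# Added example, not from the original article: helpers that build
# iptables string-match rules of the shape shown above.  Rules are
# printed, not applied; review them and pipe the output to sh as root.
# The spam subject line used at the bottom is a constructed placeholder.

# Encode an ASCII string as the bare hex digits used inside |..| by
# --hex-string (useful for patterns containing quotes or non-printables).
to_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Encode a DNS name in wire format for --hex-string: each label is
# prefixed by its length and the name ends with a zero byte, so
# "domain.com" becomes |06|domain|03|com|00|.  A plain --string "domain.com"
# never matches a DNS query because the dots are not on the wire.
dns_name_hex() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    out=
    for label; do
        out="${out}$(printf '|%02x|%s' "${#label}" "$label")"
    done
    printf '%s|00|' "$out"
}

# Print one rule.  Args: chain proto port pattern [to] [target]
# --hex-string is chosen automatically when the pattern uses |..| notation.
# The --to offset is capped at 1500 (Ethernet MTU) because offsets are per
# packet, counted from the IP header, and anything larger limits nothing.
string_rule() {
    chain=$1 proto=$2 port=$3 pattern=$4 to=${5:-1500} target=${6:-DROP}
    if [ "$to" -gt 1500 ]; then
        to=1500
    fi
    case $pattern in
        *\|*) opt=--hex-string ;;
        *)    opt=--string ;;
    esac
    printf 'iptables -A %s -p %s --dport %s -m string --algo bm --to %s %s "%s" -j %s\n' \
        "$chain" "$proto" "$port" "$to" "$opt" "$pattern" "$target"
}

echo "# generated rules (review, then run as root):"
# The two article examples, restricted to a protocol and port.
string_rule INPUT tcp 80 'cmd.exe'
# Spam subject (constructed placeholder), searched only in the first 600 bytes.
string_rule INPUT tcp 25 'Subject: Your account has been suspended' 600 DROP
# Same pattern, but tear the session down instead of letting it stall.
string_rule INPUT tcp 25 'Subject: Your account has been suspended' 600 'REJECT --reject-with tcp-reset'
# DNS queries for domain.com, which the plain --string rule cannot see.
string_rule INPUT udp 53 "$(dns_name_hex domain.com)"
```

Two limitations of the generated rules follow directly from how the match works: the pattern has to sit entirely inside one packet, so a subject line or host name split across two TCP segments is not caught, and the DNS rule only matches the name exactly as the client spelled it, since the string match is case-sensitive and DNS labels are not.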
Conclusion.
The string match can be used effectively wherever traffic needs to be
filtered on its contents. Two caveats apply. First, there is higher
overhead than with ordinary IP header matches, because the payload of every
packet the rule sees has to be searched; restrict the rule with protocol,
port and offset limits wherever possible. Second, the match works on one
packet at a time, so a pattern that is split across two TCP segments,
whether by chance or deliberately by an attacker, is not detected. The
string match is a cheap first line of defence, not a substitute for a proxy
or intrusion detection system that reassembles the stream.
----- End forwarded message -----
--
Your freedom is only limited by mine. http://www.garrels.be
Books: http://writers.fultus.com/garrels