Crisis
Joined: 14 Jan 2004
Posts: 40
Posted: Wed Aug 25, 2004 3:58 pm
Post subject: string filtering in iptables, needs new kernel?

Well, I'm trying to filter based on certain strings in packets and I can't get it to work, which led me to sites suggesting I need to recompile my kernel with a few options (netfilter, etc.).
My main question then is more along the lines of how you do this on a Linode.
I have compiled countless kernels from scratch, but I do not know what would be needed on the Linode. I have not messed with my kernel, and I think you guys use some special kernels; I wouldn't want to disable anything important.
The distro is Gentoo, so how would I go about building a kernel for this box with netfilter?
Or maybe someone knows how I can do this without recompiling the kernel? Thanks!
adamgent
Joined: 23 Jun 2003
Posts: 261
Posted: Wed Aug 25, 2004 4:19 pm

On Linode you cannot run your own kernel.
Adam
caker
Joined: 15 Apr 2003
Posts: 2404
Location: Galloway, NJ
Posted: Wed Aug 25, 2004 4:21 pm

Most, if not ALL of the netfilter options are enabled inside the kernel config, except for those labelled experimental.
http://www.linode.com/forums/viewtopic.php?t=1006
Can you tell me which .config options you need specifically?
-Chris

Crisis
Joined: 14 Jan 2004
Posts: 40
Posted: Thu Aug 26, 2004 7:34 am

Hmm, I did a bit of research and it looks like netfilter has patches for the kernel source that you need to patch in for some of these options.
Specifically it is:
CONFIG_IP_NF_MATCH_STRING, which allows you to match a string in a whole packet.
Referenced at:
http://www.knowplace.org/netfilter/ipt_compile.html#ip2
Not sure if this is doable with the Linode kernels, but I would really like to find a way to drop packets based on strings in their payload.
SteveG
Joined: 30 Nov 2003
Posts: 232
Posted: Thu Aug 26, 2004 5:12 pm

Crisis wrote: "...I would really like to find a way to drop packets based on strings in their payload."
No, you wouldn't. It's unreliable, because it only looks at a packet at a time, and there's no guarantee that the dangerous string "foobar" won't be split across two packets. It can happen accidentally, and the cracker can force it.
What you want is a proxy firewall, where you can look at the actual data stream, and parse it properly.
|
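The split-across-packets problem SteveG describes, shown as an added illustration that is not part of the thread: a per-packet matcher (the way a packet-level string match sees data) beside a sequence-number reassembler, both run on a constructed HTTP request. The segments, sequence numbers and the `foobar` marker are all constructed for the demo; nothing here is real netfilter code.

```python
"""Why per-packet string matching misses a pattern split across TCP segments.
Constructed example: segments and sequence numbers are made up for the demo."""
from dataclasses import dataclass

PATTERN = b"foobar"  # the "dangerous string" from the post


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # that segment's application data


def packet_match(segments, pattern=PATTERN):
    """Per-packet inspection: each segment is searched in isolation.
    Returns the indexes of segments that contain the whole pattern."""
    return [i for i, seg in enumerate(segments) if pattern in seg.payload]


def stream_match(segments, pattern=PATTERN):
    """Stream-level inspection: reorder by sequence number, reassemble into one
    contiguous byte stream, then search once. Returns the offset of the pattern
    in the stream, or -1 if absent. A gap (lost segment) raises, since a real
    reassembler would have to buffer until the hole is filled."""
    stream = b""
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is not None and seg.seq != expected:
            raise ValueError(f"gap before seq {seg.seq}")
        stream += seg.payload
        expected = seg.seq + len(seg.payload)
    return stream.find(pattern)


def split_at(data, seq0, cut):
    """Split one payload into two segments at byte offset `cut`."""
    return [Segment(seq0, data[:cut]), Segment(seq0 + cut, data[cut:])]


# Constructed request whose query string carries the marker.
REQUEST = b"GET /index.html?q=foobar HTTP/1.0\r\n"
WHOLE = [Segment(1000, REQUEST)]
# Cut three bytes into the marker so segment 0 ends in "foo" and segment 1 starts "bar".
SPLIT = split_at(REQUEST, 1000, REQUEST.find(PATTERN) + 3)

if __name__ == "__main__":
    print("one segment :", packet_match(WHOLE), stream_match(WHOLE))
    print("split in two:", packet_match(SPLIT), stream_match(SPLIT))
    print("out of order:", packet_match(SPLIT[::-1]), stream_match(SPLIT[::-1]))
```

The per-packet matcher finds the marker only in the single-segment case; the reassembler finds it at the same offset whether the segments arrive whole, split, or out of order.
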
Crisis
Joined: 14 Jan 2004
Posts: 40
Posted: Fri Aug 27, 2004 7:27 am

Well, for now I achieved what I was trying to do on the application layer, but what would you recommend for a proxy firewall?

SteveG
Joined: 30 Nov 2003
Posts: 232
Posted: Sun Aug 29, 2004 9:19 am

Hmmm, I'm not sure there are any free proxy firewalls that can reject based on the contents of the data stream. Probably you can write add-ins for SOCKS to do it. But if you've solved your problem at the application layer, then you're done: proxy firewalls *are* at the application layer.

Crisis
Joined: 14 Jan 2004
Posts: 40
Posted: Mon Aug 30, 2004 9:03 am

OK, thanks for the response ;)
I figured the application layer would be the easiest to do it on, but I thought it might be interesting to learn how to do it a bit lower with a firewall.