I got this packet captured with tcpdump but I'm not sure how to use the --hex-string param to match the packet. Can someone show me how to do it?

11:18:26.614537 IP (tos 0x0, ttl 17, id 19245, offset 0, flags [DF], proto UDP (17), length 37)
    x.x.187.207.1234 > x.x.152.202.6543: [no cksum] UDP, length 9
        0x0000:  f46d 0425 b202 000a b853 22cc 0800 4500  .m.%.....S"...E.
        0x0010:  0025 4b2d 4000 1111 0442 5ebe bbcf 6701  .%K-@....B^...g.
        0x0020:  98ca 697d 6989 0011 0000 ffff ffff 5630  ..i}i.........V0
        0x0030:  3230 3300 0000 0000 0000 0000            203.........
Flint

1 Answer

The hex string needs to be surrounded by | symbols. The spaces are optional.

iptables --append INPUT --match string --algo kmp --hex-string '|f4 6d 04 25 b2 02 00 0a|' --jump ACCEPT

Note that string matching should be a last resort. It's intensive, and unreliable because it works on packets not connections. It also only starts working on the third packet in a TCP connection which limits what actions you can use (you can't NAT the connection for example).

quanta
mgorven
  • Thanks! Another thing, if I want to limit the packet matching to only UDP packets of the length in the tcpdump capture with the --length param, which length should I use? 17 or 9? – Flint Jul 04 '12 at 07:39
  • @Flint It probably searches the entire IP packet, so 37. The UDP payload is 9, the IP payload is 17, and the entire IP packet is 37. – mgorven Jul 04 '12 at 18:48
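As an added example (not from the question, the answer, or the iptables project), the Python script below rebuilds the frame from the hex dump in the question, strips the 14-byte Ethernet header (in this dump the bytes f4 6d 04 25 b2 02 00 0a are the destination MAC and the start of the source MAC), reads the three lengths discussed in the comments from the IP and UDP headers, and formats the UDP payload in the |..| notation for --hex-string. It assumes, as mgorven's comment does, that the string match starts at the IP header; the trailing zeros in the dump are Ethernet padding and are deliberately excluded.

```python
import re
import struct

# Constructed input: the hex columns of the tcpdump dump quoted in the question.
DUMP = """\
0x0000:  f46d 0425 b202 000a b853 22cc 0800 4500  .m.%.....S"...E.
0x0010:  0025 4b2d 4000 1111 0442 5ebe bbcf 6701  .%K-@....B^...g.
0x0020:  98ca 697d 6989 0011 0000 ffff ffff 5630  ..i}i.........V0
0x0030:  3230 3300 0000 0000 0000 0000            203.........
"""

ETH_HDR_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2)

def parse_dump(text):
    """Rebuild raw frame bytes from the hex columns (at most 8 groups per line)."""
    out = bytearray()
    for line in text.splitlines():
        groups = [t for t in line.split()[1:9] if re.fullmatch(r"[0-9a-f]{4}", t)]
        out += bytes.fromhex("".join(groups))
    return bytes(out)

def ip_packet(frame):
    """Drop the Ethernet header: the string match (assumed) starts at the IP header."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    return frame[ETH_HDR_LEN:]

def lengths(pkt):
    """(IP total length, IP payload length, UDP payload length) read from the headers."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    return total, total - ihl, udp_len - 8

def udp_payload(pkt):
    """UDP data only; bounded by the UDP length so Ethernet padding is excluded."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + 8:ihl + 8 + lengths(pkt)[2]]

def hex_string(data):
    """Format bytes in the |hh hh ...| notation that --hex-string expects."""
    return "|" + " ".join(f"{b:02x}" for b in data) + "|"

def iptables_rule(frame):
    """Rule for this packet: its UDP payload bytes plus the IP total length from the comment."""
    pkt = ip_packet(frame)
    return (f"iptables -A INPUT -p udp -m length --length {lengths(pkt)[0]} "
            f"-m string --algo kmp --hex-string '{hex_string(udp_payload(pkt))}' -j ACCEPT")
```

For this capture the script yields the lengths 37, 17 and 9 from the comment and the payload |ff ff ff ff 56 30 32 30 33|.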