Match multiple strings in iptables

3

1

I have 2 strings, and I wish to queue the packet if it contains both strings (something like ("jsh" && "gjhyg")). I tried the following ways, but they don't seem to work:

sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "abc" --algo bm -m string --string "def" --algo bm

This doesn't work; it only works if the packet contains the string "abcdef", but the packet I wish to queue contains the strings at two different locations. Then I tried another method:

sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "abc" --algo bm

sudo iptables -A INPUT -p tcp -j QUEUE ! -f -m string --string "def" --algo bm

But this time it works like "or": it queues packets with the string "abc" or "def".

adnan kamili

Posted 2012-10-02T06:29:24.983

Reputation: 441

I would have expected the first solution to work, since multiple -m are normally combined with an AND... and I can't find any reference to using regexps in the pattern. I'd say you just can't do it :/ – m4573r – 2012-10-02T08:04:42.150

I can do this, but only at the application level: by analyzing the queued packets matching any one string, and then matching for the second string in my netfilter_queue C module. This method is definitely slower. – adnan kamili – 2012-10-02T10:06:25.257

Answers

0

the "and" in this case could be achived with an user defined chain

sudo iptables -N my_chain

sudo iptables -A my_chain -p tcp -j QUEUE ! -f -m string --string "def" --algo bm

sudo iptables -A INPUT -p tcp -j my_chain ! -f -m string --string "abc" --algo bm

When the INPUT chain processes the last line and "abc" is present, control jumps to my_chain, which has a similar rule checking for the presence of "def"; if "def" is there, it jumps to QUEUE.

Pat

Posted 2012-10-02T06:29:24.983

Reputation: 2 593
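The user-defined-chain technique from the answer above, written up as a small script (an added example, not code from the question or the answer). It uses the NFQUEUE target, which replaced the legacy QUEUE target, and the chain name, queue number and the IPT override are this example's own assumptions. Setting IPT=echo prints the rules instead of installing them, so the generated rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: match "FIRST AND SECOND" in a TCP payload by chaining two
# string matches through a user-defined chain, as described in the answer.
# IPT may be overridden (IPT=echo) to preview the commands without root.
IPT="${IPT:-iptables}"

# Create CHAIN if it does not exist yet, then flush it so reruns are idempotent.
ensure_chain() {
    chain="$1"
    if ! "$IPT" -n -L "$chain" >/dev/null 2>&1; then
        "$IPT" -N "$chain"
    fi
    "$IPT" -F "$chain"
}

# add_and_rules CHAIN FIRST SECOND QUEUE_NUM
#   INPUT:  packets containing FIRST jump to CHAIN (everything else is untouched).
#   CHAIN:  packets that also contain SECOND go to NFQUEUE; the rest fall off the
#           end of CHAIN and return to INPUT, so only the AND case is queued.
# "! -f" skips non-first fragments, which carry no inspectable payload.
# Note: the string match is per packet; a pattern split across two TCP
# segments will not be seen by either rule.
add_and_rules() {
    chain="$1"; first="$2"; second="$3"; qnum="$4"
    ensure_chain "$chain"
    "$IPT" -A "$chain" -p tcp ! -f -m string --algo bm --string "$second" \
        -j NFQUEUE --queue-num "$qnum"
    "$IPT" -A INPUT -p tcp ! -f -m string --algo bm --string "$first" \
        -j "$chain"
}

# Usage:  ./and-match.sh my_chain abc def 0            (as root, installs rules)
#         IPT=echo ./and-match.sh my_chain abc def 0   (prints the rules only)
if [ "$#" -eq 4 ]; then
    add_and_rules "$@"
fi
```

Because the second rule lives in its own chain and has no default action, a packet matching "abc" but not "def" simply returns to INPUT and continues down the remaining rules, which is what makes this an AND rather than the OR that two independent INPUT rules produce.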